tomcat7_7.0.56-3+deb8u2_amd64.changes ACCEPTED into proposed-updates->stable-new, proposed-updates

Debian FTP Masters ftpmaster at ftp-master.debian.org
Fri Apr 22 21:52:40 UTC 2016



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Apr 2016 09:10:22 +0000
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Changed-By: Markus Koschany <apo at debian.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat7 (7.0.56-3+deb8u2) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2015-5174:
     Directory traversal vulnerability in RequestUtil.java allows remote
     authenticated users to bypass intended SecurityManager restrictions and
     list a parent directory via a /.. (slash dot dot) in a pathname used by a
     web application in a getResource, getResourceAsStream, or getResourcePaths
     call, as demonstrated by the $CATALINA_BASE/webapps directory.
   * Fix CVE-2015-5345:
     The Mapper component in Apache Tomcat processes redirects before
     considering security constraints and Filters, which allows remote attackers
     to determine the existence of a directory via a URL that lacks a trailing /
     (slash) character.
   * Fix CVE-2015-5346:
     Session fixation vulnerability in Apache Tomcat when different session
     settings are used for deployments of multiple versions of the same web
     application, might allow remote attackers to hijack web sessions by
     leveraging use of a requestedSessionSSL field for an unintended request,
     related to CoyoteAdapter.java and Request.java.
   * Fix CVE-2015-5351:
     The Manager and Host Manager applications in Apache Tomcat establish
     sessions and send CSRF tokens for arbitrary new requests, which allows
     remote attackers to bypass a CSRF protection mechanism by using a token.
   * Fix CVE-2016-0706:
     Apache Tomcat does not place
     org.apache.catalina.manager.StatusManagerServlet on the
     org/apache/catalina/core/RestrictedServlets.properties list, which allows
     remote authenticated users to bypass intended SecurityManager restrictions
     and read arbitrary HTTP requests, and consequently discover session ID
     values, via a crafted web application.
   * Fix CVE-2016-0714:
     The session-persistence implementation in Apache Tomcat mishandles session
     attributes, which allows remote authenticated users to bypass intended
     SecurityManager restrictions and execute arbitrary code in a privileged
     context via a web application that places a crafted object in a session.
   * Fix CVE-2016-0763:
     The setGlobalContext method in
     org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
     not consider whether ResourceLinkFactory.setGlobalContext callers are
     authorized, which allows remote authenticated users to bypass intended
     SecurityManager restrictions and read or write to arbitrary application
     data, or cause a denial of service (application disruption), via a web
     application that sets a crafted global context.
Checksums-Sha1:
 4b90f5b57247498c655c02ea6f3cdaba486059fb 2890 tomcat7_7.0.56-3+deb8u2.dsc
 28a55fc0685420b300bcdfc95578afd9f3dd25cc 81656 tomcat7_7.0.56-3+deb8u2.debian.tar.xz
 50c84c7ddbda164519e123436218d830a2c7be80 61968 tomcat7-common_7.0.56-3+deb8u2_all.deb
 828c1945b21f5e029871302eebae507b99449cb3 50772 tomcat7_7.0.56-3+deb8u2_all.deb
 46280175c11b17b8c3e44b7856b493165a22f085 38346 tomcat7-user_7.0.56-3+deb8u2_all.deb
 e0e14dd92a6639d94c31800544c10f8a889c0063 3623220 libtomcat7-java_7.0.56-3+deb8u2_all.deb
 92314c13b38ba1c6676a9bf801461da3e1d0a468 314318 libservlet3.0-java_7.0.56-3+deb8u2_all.deb
 baad166982e27155ff43da6a23b3745d7d30832f 204328 libservlet3.0-java-doc_7.0.56-3+deb8u2_all.deb
 79e787e8592f485f57fa90afcb793edca6bdcc33 39350 tomcat7-admin_7.0.56-3+deb8u2_all.deb
 3e9ce383fefce4fb30cc9ff0efa13940c825bb8e 197514 tomcat7-examples_7.0.56-3+deb8u2_all.deb
 ccb2ae08c6099e4d11ed0e836c37edbe49396d13 603562 tomcat7-docs_7.0.56-3+deb8u2_all.deb
Checksums-Sha256:
 cb928db4d42c63ea23546a10a0abfcf814b2f7915d85304b41a87412f6dc5929 2890 tomcat7_7.0.56-3+deb8u2.dsc
 a18282c894ea34079c9e0d9e38ee2e5ddd3ace30bc830c5ef53736f6173cc30a 81656 tomcat7_7.0.56-3+deb8u2.debian.tar.xz
 78c7145d8a0c374eb19dcff06db57b916449c6e4dbfa1889db1037b8020f72d9 61968 tomcat7-common_7.0.56-3+deb8u2_all.deb
 e3996d81c7a6b00b9b149f6c7cd599cdc26641d9593f53b3ab6d03fe4693481a 50772 tomcat7_7.0.56-3+deb8u2_all.deb
 5d809fc66936a348648152f73f652f34b566eab1248cf1248b93598f9505b5c7 38346 tomcat7-user_7.0.56-3+deb8u2_all.deb
 70c98b2cf1458112dc9ceb59b05da3af36eaba7ddd229ba69c72b220d409fc3f 3623220 libtomcat7-java_7.0.56-3+deb8u2_all.deb
 4862a5b63dfd96d2c845b25be836c27da4ce32efc676d6ec23d3e915d668e9ef 314318 libservlet3.0-java_7.0.56-3+deb8u2_all.deb
 e446c3cec3e06af13f472ddff18fc75028a13cd40d95d6c85bb14c2f80ada621 204328 libservlet3.0-java-doc_7.0.56-3+deb8u2_all.deb
 0c17293b6b66694b0b87023c4bfb6d6ea96b765cf67cda328e7a02d82b926a7d 39350 tomcat7-admin_7.0.56-3+deb8u2_all.deb
 63d77abf2f9a354a8af1677ced87d2ae7b532f30fef6cd71dda47bf1880f710c 197514 tomcat7-examples_7.0.56-3+deb8u2_all.deb
 ddaa19494ef1369ef834d80ac4e1efd45ded7f03dad80a67263031ef8d8efcd7 603562 tomcat7-docs_7.0.56-3+deb8u2_all.deb
Files:
 7f766e63d347d5efa39ed7a941dfcee2 2890 java optional tomcat7_7.0.56-3+deb8u2.dsc
 5030cc194efdcfa4a1b6e48b53030ba9 81656 java optional tomcat7_7.0.56-3+deb8u2.debian.tar.xz
 3ed990df51eba1a3060327012ba9ad02 61968 java optional tomcat7-common_7.0.56-3+deb8u2_all.deb
 fad1616be991962b3dbccd75dfdffb71 50772 java optional tomcat7_7.0.56-3+deb8u2_all.deb
 2f434813906a52ce2233fc223107095a 38346 java optional tomcat7-user_7.0.56-3+deb8u2_all.deb
 c873e935af96a81c6583b43e9b75bd68 3623220 java optional libtomcat7-java_7.0.56-3+deb8u2_all.deb
 48159d2cb1e6c6655aa3f93991abb565 314318 java optional libservlet3.0-java_7.0.56-3+deb8u2_all.deb
 1689b29ece401a12524054e7f04f06d3 204328 doc optional libservlet3.0-java-doc_7.0.56-3+deb8u2_all.deb
 f86fab43fe1074fd06d70b63d5ca5afe 39350 java optional tomcat7-admin_7.0.56-3+deb8u2_all.deb
 8008b42c9b4aa3f2d8583288dba73b74 197514 java optional tomcat7-examples_7.0.56-3+deb8u2_all.deb
 f3052973bf91e9da6bbf266bcf1d3ff0 603562 doc optional tomcat7-docs_7.0.56-3+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
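The CVE-2015-5174 entry above describes a resource path ending in "/.." (no trailing slash) that a getResource / getResourceAsStream / getResourcePaths call resolved to the parent of the web application, listing $CATALINA_BASE/webapps. The following is an added, illustrative example and is not Tomcat's RequestUtil code: a normaliser that only collapses "/../" segments in the middle of a path, beside a segment-wise one that rejects any path climbing above the application root. WEBAPP_ROOT is an assumed docBase, and the resolution is string-only (no file-system access).

```python
"""Illustrative servlet resource path normalisation (added example, not Tomcat code).

Shows the mechanism behind CVE-2015-5174: a normaliser that only handles
"/../" in the middle of a path leaves a trailing "/.." untouched, so the
file-system lookup lands one level above the web application's docBase.
"""
import posixpath
from typing import Optional

# Assumed docBase for the demo; any absolute directory would do.
WEBAPP_ROOT = "/var/lib/tomcat7/webapps/demo"


def normalize_naive(path: str) -> Optional[str]:
    """Collapses "//", "/./" and embedded "/../"; a trailing "/.." survives."""
    if not path.startswith("/"):
        path = "/" + path
    while "//" in path:
        path = path.replace("//", "/")
    while "/./" in path:
        path = path.replace("/./", "/")
    while True:
        idx = path.find("/../")
        if idx < 0:
            break
        if idx == 0:
            return None  # "/../x" would climb above the root: rejected
        prev = path.rfind("/", 0, idx - 1)
        path = path[:prev] + path[idx + 3:]
    return path  # "/.." and "/a/../.." are returned as-is


def normalize_safe(path: str) -> Optional[str]:
    """Segment-wise normalisation; None if the path escapes the root."""
    if not path.startswith("/"):
        path = "/" + path
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None  # attempt to climb above the web application root
            out.pop()
            continue
        out.append(seg)
    result = "/" + "/".join(out)
    # Keep a directory hint so a getResourcePaths-style listing stays a listing.
    if path.endswith(("/", "/.", "/..")) and result != "/":
        result += "/"
    return result


def resolve(root: str, normalized: Optional[str]) -> Optional[str]:
    """Maps a normalised request path onto the file system path it would open."""
    if normalized is None:
        return None
    return posixpath.normpath(root + normalized)


def escapes_root(root: str, normalized: Optional[str]) -> bool:
    """True when the resolved path lies outside (above or beside) the docBase."""
    target = resolve(root, normalized)
    if target is None:
        return False
    return not (target == root or target.startswith(root + "/"))


if __name__ == "__main__":
    for p in ("/", "/..", "/a/../..", "/WEB-INF/..", "/a/b/../c", "/../etc", "/WEB-INF/../../other"):
        n, s = normalize_naive(p), normalize_safe(p)
        print(f"{p:24} naive={n!s:14} escapes={escapes_root(WEBAPP_ROOT, n)!s:5} safe={s}")
```

Only the trailing-".." forms slip past the naive version: "/WEB-INF/../../other" is caught because the second "/../" ends up at offset 0, while "/.." and "/a/../.." come back unchanged and resolve to the webapps directory. In a real deployment the fix is the upgraded package; this example only explains why the path check, not the SecurityManager, is the control that matters here.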


Thank you for your contribution to Debian.
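The Checksums-Sha256 and Files stanzas above let anyone who has fetched the .dsc, .debian.tar.xz and .deb files confirm they match what was accepted. The following is an added example, not Debian tooling: it parses those two stanzas from .changes text and verifies size, SHA-256 and MD5 for each listed file. The stanza and the two tiny "packages" are constructed for the demo (the well-known digests of an empty file and of the bytes "hello\n"); point `verify_changes` at the real tomcat7_7.0.56-3+deb8u2_amd64.changes and a download directory to check the actual artifacts.

```python
"""Verify files listed in a Debian .changes file against its checksum stanzas.

Added example, not Debian's own tooling.  SAMPLE_CHANGES is a constructed
fragment in .changes format; the digests are those of an empty file and of
the six bytes b"hello\\n".
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

SAMPLE_CHANGES = """\
Format: 1.8
Source: example
Checksums-Sha256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example-empty_1.0_all.deb
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 example-hello_1.0_all.deb
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 java optional example-empty_1.0_all.deb
 b1946ac92492d2347c6235b4d2611184 6 java optional example-hello_1.0_all.deb
"""


def parse_stanza(changes: str, field: str) -> List[Tuple[str, int, str]]:
    """Returns (digest, size, filename) for each continuation line of `field`.

    Continuation lines start with a single space and the stanza ends at the
    first line that does not.  Files: lines carry section and priority
    columns between size and name, so the filename is always the last token.
    """
    entries: List[Tuple[str, int, str]] = []
    in_field = False
    for line in changes.splitlines():
        if in_field:
            if line.startswith(" "):
                parts = line.split()
                entries.append((parts[0].lower(), int(parts[1]), parts[-1]))
                continue
            break
        if line == field + ":":
            in_field = True
    return entries


def digest_file(path: str, algo: str) -> str:
    """Streams the file through hashlib so large .deb files are not read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_changes(changes: str, directory: str) -> Dict[str, bool]:
    """Maps filename -> True only if it exists and size, SHA-256 and MD5 all match."""
    expected: Dict[str, Dict[str, object]] = {}
    for digest, size, name in parse_stanza(changes, "Checksums-Sha256"):
        expected.setdefault(name, {"size": size})["sha256"] = digest
    for digest, size, name in parse_stanza(changes, "Files"):
        expected.setdefault(name, {"size": size})["md5"] = digest

    results: Dict[str, bool] = {}
    for name, want in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        ok = os.path.getsize(path) == want["size"]
        for algo in ("sha256", "md5"):
            if algo in want:
                ok = ok and digest_file(path, algo) == want[algo]
        results[name] = ok
    return results


def demo() -> Dict[str, Dict[str, bool]]:
    """Writes the sample files, verifies, then flips one byte and verifies again."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "example-empty_1.0_all.deb"), "wb"):
            pass
        with open(os.path.join(tmp, "example-hello_1.0_all.deb"), "wb") as fh:
            fh.write(b"hello\n")
        good = verify_changes(SAMPLE_CHANGES, tmp)
        # Same length, one changed byte: the size check passes, the digests do not.
        with open(os.path.join(tmp, "example-hello_1.0_all.deb"), "wb") as fh:
            fh.write(b"hellO\n")
        tampered = verify_changes(SAMPLE_CHANGES, tmp)
    return {"good": good, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The digests only prove that what you downloaded is what the .changes file describes; the trust anchor is the PGP signature wrapping the message (and, for end users, the signed Release file that apt checks), which this script does not verify. Run `dscverify` or `gpg --verify` on the .changes first, then use the checksums.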