Bug#845425: Tomcat security update

Markus Koschany apo at debian.org
Wed Nov 30 22:30:47 UTC 2016


On 26.11.2016 17:00, Markus Koschany wrote:
> On 22.11.2016 11:17, Emmanuel Bourg wrote:
>> Three more CVEs have just been announced, a bit more serious this time:
>>  CVE-2016-6816 Apache Tomcat Information Disclosure
>>  CVE-2016-8735 Apache Tomcat Remote Code Execution
>>  CVE-2016-6817 Apache Tomcat Denial of Service
>>
>> I'll prepare the stable and jessie-backports updates for tomcat7 and
>> tomcat8 today. testing/unstable already have the fixed versions.
>>
> 
> Hi,
> 
> I have pushed the updates for Wheezy, which is only affected by
> CVE-2016-6816 and CVE-2016-8735. Could you isolate the bug in
> CVE-2016-6797.patch? What exactly was missing from ResourceLinkFactory.java?
> 

Since I haven't heard anything yet, I'm going to backport
ResourceLinkFactory.java as a precaution and release the security
announcement tomorrow.

Markus



More information about the pkg-java-maintainers mailing list