tomcat8 8.0.32-1ubuntu1.3 source package in Ubuntu
Changelog
tomcat8 (8.0.32-1ubuntu1.3) xenial-security; urgency=medium * SECURITY UPDATE: timing attack in realm implementations - debian/patches/CVE-2016-0762.patch: add time delays to java/org/apache/catalina/realm/DataSourceRealm.java, java/org/apache/catalina/realm/JDBCRealm.java, java/org/apache/catalina/realm/MemoryRealm.java, java/org/apache/catalina/realm/RealmBase.java. - CVE-2016-0762 * SECURITY UPDATE: SecurityManager bypass via a Tomcat utility method - debian/patches/CVE-2016-5018.patch: remove unnecessary code in java/org/apache/jasper/runtime/JspRuntimeLibrary.java, java/org/apache/jasper/security/SecurityClassLoad.java, java/org/apache/jasper/servlet/JasperInitializer.java. - CVE-2016-5018 * SECURITY UPDATE: mitigaton for httpoxy issue - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization parameter to conf/web.xml, webapps/docs/cgi-howto.xml, java/org/apache/catalina/servlets/CGIServlet.java. - CVE-2016-5388 * SECURITY UPDATE: system properties read SecurityManager bypass - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection to the system property replacement feature of the digester in java/org/apache/catalina/loader/WebappClassLoaderBase.java, java/org/apache/tomcat/util/digester/Digester.java, java/org/apache/tomcat/util/security/PermissionCheck.java. - CVE-2016-6794 * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration parameters - debian/patches/CVE-2016-6796.patch: ignore some JSP options when running under a SecurityManager in conf/web.xml, java/org/apache/jasper/EmbeddedServletOptions.java, java/org/apache/jasper/resources/LocalStrings.properties, java/org/apache/jasper/servlet/JspServlet.java, webapps/docs/jasper-howto.xml. - CVE-2016-6796 * SECURITY UPDATE: web application global JNDI resource access - debian/patches/CVE-2016-6797.patch: ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be in java/org/apache/catalina/core/NamingContextListener.java, java/org/apache/naming/factory/ResourceLinkFactory.java, test/org/apache/naming/TestNamingContext.java. - CVE-2016-6797 * SECURITY UPDATE: HTTP response injection via invalid characters - debian/patches/CVE-2016-6816.patch: add additional checks for valid characters in java/org/apache/coyote/http11/AbstractInputBuffer.java, java/org/apache/coyote/http11/AbstractNioInputBuffer.java, java/org/apache/coyote/http11/InternalAprInputBuffer.java, java/org/apache/coyote/http11/InternalInputBuffer.java, java/org/apache/coyote/http11/LocalStrings.properties, java/org/apache/tomcat/util/http/parser/HttpParser.java. - CVE-2016-6816 * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener - debian/patches/CVE-2016-8735.patch: explicitly configure allowed credential types in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java. - CVE-2016-8735 * SECURITY UPDATE: information leakage between requests - debian/patches/CVE-2016-8745.patch: properly handle cache when unable to complete sendfile request in java/org/apache/tomcat/util/net/NioEndpoint.java. - CVE-2016-8745 * SECURITY UPDATE: privilege escalation during package upgrade - debian/rules, debian/tomcat8.postinst: properly set permissions on /etc/tomcat8/Catalina/localhost. - CVE-2016-9774 * SECURITY UPDATE: privilege escalation during package removal - debian/tomcat8.postrm.in: don't reset permissions before removing user. - CVE-2016-9775 * debian/tomcat8.init: further hardening. -- Marc Deslauriers <email address hidden> Mon, 16 Jan 2017 08:18:27 -0500
Upload details
- Uploaded by:
- Marc Deslauriers
- Uploaded to:
- Xenial
- Original maintainer:
- Ubuntu Developers
- Architectures:
- all
- Section:
- java
- Urgency:
- Medium Urgency
See full publishing history Publishing
Series | Published | Component | Section |
---|
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
tomcat8_8.0.32.orig.tar.xz | 3.3 MiB | d2be58fc3fcece412adcd07dabf88b755debc9aaefacbb3c8dfc0892dfa5c769 |
tomcat8_8.0.32-1ubuntu1.3.debian.tar.xz | 49.5 KiB | 14dcdfc7c13e430c86c9d48bc5a398edda915ac98235f957ccd61cda0a340041 |
tomcat8_8.0.32-1ubuntu1.3.dsc | 2.8 KiB | 1bc81dbd73362395d742d91c021e6a16f7b7159366a31153a23179a523ee5286 |
Available diffs
Binary packages built by this source
- libservlet3.1-java: Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the Java Servlet and JSP library.
- libservlet3.1-java-doc: Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documentation
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the documentation for the Java Servlet and JSP library.
- libtomcat8-java: Apache Tomcat 8 - Servlet and JSP engine -- core libraries
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the Tomcat core classes which can be used by other
Java applications to embed Tomcat.
- tomcat8: Apache Tomcat 8 - Servlet and JSP engine
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains only the startup scripts for the system-wide daemon.
No documentation or web applications are included here, please install
the tomcat8-docs and tomcat8-examples packages if you want them.
Install the authbind package if you need to use Tomcat on ports 1-1023.
Install tomcat8-user instead of this package if you don't want Tomcat to
start as a service.
- tomcat8-admin: Apache Tomcat 8 - Servlet and JSP engine -- admin web applications
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the administrative web interfaces.
- tomcat8-common: Apache Tomcat 8 - Servlet and JSP engine -- common files
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains common files needed by the tomcat8 and tomcat8-user
packages (Tomcat 8 scripts and libraries).
- tomcat8-docs: Apache Tomcat 8 - Servlet and JSP engine -- documentation
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the online documentation web application.
- tomcat8-examples: Apache Tomcat 8 - Servlet and JSP engine -- example web applications
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the default Tomcat example webapps.
- tomcat8-user: Apache Tomcat 8 - Servlet and JSP engine -- tools to create user instances
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains files needed to create a user Tomcat instance.
This user Tomcat instance can be started and stopped using the scripts
provided in the Tomcat instance directory.