tomcat6 6.0.39-1ubuntu0.1 source package in Ubuntu

Changelog

tomcat6 (6.0.39-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
      parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML
    external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT
      stylesheets
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in
      java/org/apache/tomcat/util/buf/Ascii.java
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application
    that provides an XML external entity declaration in conjunction with
    an entity reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java
      and DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at
    reading after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted
    upload attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a
    web application that leverages use of incorrect privileges during EL
    evaluation.
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java
      and SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
    directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager
      application
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in
      RestrictedServlets.properties
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    execute arbitrary code in a privileged context via a web application
    that places a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
      RealmBase.java
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read or write to arbitrary application data, or cause a denial of
    service (application disruption), via a web application that sets
    a crafted global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges
    via a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

 -- Eduardo Barretto <email address hidden>  Thu, 11 Oct 2018 18:55:25 -0300

Upload details

Uploaded by:
Eduardo dos Santos Barretto on 2018-10-17
Uploaded to:
Trusty
Original maintainer:
Ubuntu Developers
Architectures:
all
Section:
java
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section
Trusty updates on 2018-10-17 universe web
Trusty security on 2018-10-17 universe web

Builds

Trusty: [FULLYBUILT] i386

Downloads

File Size SHA-256 Checksum
tomcat6_6.0.39.orig.tar.xz 2.1 MiB a2844f2ff5b2fd3a00144c2b7500fbea9091a0d3204575731978a1285598550d
tomcat6_6.0.39-1ubuntu0.1.debian.tar.gz 81.0 KiB 3c10b0a0ac8d76211bf8640fba960260ab1d8e3664229862a9d04d87d89ae9c6
tomcat6_6.0.39-1ubuntu0.1.dsc 2.7 KiB d7f51800efb1330f100085e1d9415637a7fcd3fb30ef691774259fe9371115c8

View changes file

Binary packages built by this source

libservlet2.4-java: Transitional package for libservlet2.5-java

 This is a transitional package to facilitate upgrading from
 libservlet2.4-java to libservlet2.5-java, and can be safely
 removed after the installation is complete.

libservlet2.5-java: Servlet 2.5 and JSP 2.1 Java API classes

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the Java Servlet and JSP library.

libservlet2.5-java-doc: Servlet 2.5 and JSP 2.1 Java API documentation

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the documentation for the Java Servlet and JSP library.

libtomcat6-java: Servlet and JSP engine -- core libraries

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the Tomcat core classes which can be used by other
 Java applications to embed Tomcat.

tomcat6: Servlet and JSP engine

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains only the startup scripts for the system-wide daemon.
 No documentation or web applications are included here, please install
 the tomcat6-docs and tomcat6-examples packages if you want them.
 Install the authbind package if you need to use Tomcat on ports 1-1023.
 Install tomcat6-user instead of this package if you don't want Tomcat to
 start as a service.

tomcat6-admin: Servlet and JSP engine -- admin web applications

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the administrative web interfaces.

tomcat6-common: Servlet and JSP engine -- common files

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains common files needed by the tomcat6 and tomcat6-user
 packages (Tomcat 6 scripts and libraries).

tomcat6-docs: Servlet and JSP engine -- documentation

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the online documentation web application.

tomcat6-examples: Servlet and JSP engine -- example web applications

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the default Tomcat example webapps.

tomcat6-extras: Servlet and JSP engine -- additional components

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains additional ("extra") component libraries.
 (Currently only catalina-jmx-remote.jar.)

tomcat6-user: Servlet and JSP engine -- tools to create user instances

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains files needed to create a user Tomcat instance.
 This user Tomcat instance can be started and stopped using the scripts
 provided in the Tomcat instance directory.