tomcat6 6.0.45+dfsg-1 source package in Ubuntu

Changelog

tomcat6 (6.0.45+dfsg-1) unstable; urgency=medium

  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

 -- Markus Koschany <email address hidden>  Sat, 27 Feb 2016 19:32:00 +0100

Upload details

Uploaded by:
Debian Java Maintainers on 2016-02-27
Uploaded to:
Sid
Original maintainer:
Debian Java Maintainers
Architectures:
all
Section:
java
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section
Xenial release on 2016-02-28 universe web

Builds

Xenial: [FULLYBUILT] amd64

Downloads

File Size SHA-256 Checksum
tomcat6_6.0.45+dfsg-1.dsc 2.4 KiB c1bb3dd3cf299188672061398c92f55f76d1e91aa429e2b6acbbf34c87ccc46c
tomcat6_6.0.45+dfsg.orig.tar.xz 2.1 MiB d01037a18afb119656a500d3cdb37e918ae3224e21aac5682ecdaac5519d59bc
tomcat6_6.0.45+dfsg-1.debian.tar.xz 37.8 KiB f4722067e96127583ba06e490566e836ff1a118bd1a9f2e44fdfc1d6fcc87c3f

Available diffs

No changes file available.

Binary packages built by this source

libservlet2.5-java: No summary available for libservlet2.5-java in ubuntu yakkety.

No description available for libservlet2.5-java in ubuntu yakkety.

libservlet2.5-java-doc: No summary available for libservlet2.5-java-doc in ubuntu yakkety.

No description available for libservlet2.5-java-doc in ubuntu yakkety.