tomcat7 7.0.52-1ubuntu0.8 source package in Ubuntu

Changelog

tomcat7 (7.0.52-1ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: SecurityManager bypass via a utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigaton for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
      parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
      java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
      to the system property replacement feature of the digester in
      java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be in
      java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735-pre.patch: remove the restriction that
      prevented the use of SSL when specifying a bind address in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java,
      java/org/apache/catalina/mbeans/LocalStrings.properties,
      webapps/docs/config/listeners.xml.
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

 -- Marc Deslauriers <email address hidden>  Thu, 19 Jan 2017 12:38:29 -0500

Upload details

Uploaded by:
Marc Deslauriers on 2017-01-19
Uploaded to:
Trusty
Original maintainer:
Ubuntu Developers
Architectures:
all
Section:
java
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section

Builds

Trusty: [FULLYBUILT] i386

Downloads

File Size SHA-256 Checksum
tomcat7_7.0.52.orig.tar.gz 4.1 MiB feaf30f38df1cda467ce04ceec09a4e06ad8cf499cc800fa1ece74ef836cedb1
tomcat7_7.0.52-1ubuntu0.8.debian.tar.gz 121.5 KiB e6f771333b72bb131a8dbc03737f02ce1aa0c332f04c298800ed2dad95ff3005
tomcat7_7.0.52-1ubuntu0.8.dsc 2.7 KiB d9160565468a93d575b5ba897b07d9fc6f253a5828a6d5498d4aa4066ef511d6

View changes file

Binary packages built by this source

libservlet3.0-java: Servlet 3.0 and JSP 2.2 Java API classes

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the Java Servlet and JSP library.

libservlet3.0-java-doc: Servlet 3.0 and JSP 2.2 Java API documentation

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the documentation for the Java Servlet and JSP library.

libtomcat7-java: Servlet and JSP engine -- core libraries

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the Tomcat core classes which can be used by other
 Java applications to embed Tomcat.

tomcat7: Servlet and JSP engine

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains only the startup scripts for the system-wide daemon.
 No documentation or web applications are included here, please install
 the tomcat7-docs and tomcat7-examples packages if you want them.
 Install the authbind package if you need to use Tomcat on ports 1-1023.
 Install tomcat7-user instead of this package if you don't want Tomcat to
 start as a service.

tomcat7-admin: Servlet and JSP engine -- admin web applications

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the administrative web interfaces.

tomcat7-common: Servlet and JSP engine -- common files

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains common files needed by the tomcat7 and tomcat7-user
 packages (Tomcat 6 scripts and libraries).

tomcat7-docs: Servlet and JSP engine -- documentation

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the online documentation web application.

tomcat7-examples: Servlet and JSP engine -- example web applications

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the default Tomcat example webapps.

tomcat7-user: Servlet and JSP engine -- tools to create user instances

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains files needed to create a user Tomcat instance.
 This user Tomcat instance can be started and stopped using the scripts
 provided in the Tomcat instance directory.