tomcat7 7.0.64-1ubuntu0.3 source package in Ubuntu

Changelog

tomcat7 (7.0.64-1ubuntu0.3) wily-security; urgency=medium

  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix more normalization edge cases
      in java/org/apache/tomcat/util/http/RequestUtil.java,
      test/org/apache/tomcat/util/http/TestRequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in
      java/org/apache/catalina/Context.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/mbeans-descriptors.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/startup/FailedContext.java,
      java/org/apache/tomcat/util/http/mapper/Mapper.java,
      test/org/apache/catalina/startup/TomcatBaseTest.java,
      webapps/docs/config/context.xml,
      test/org/apache/catalina/core/TesterContext.java,
      test/org/apache/tomcat/util/http/mapper/TestMapperWebapps.java.
    - CVE-2015-5345
  * SECURITY UPDATE: session fixation vulnerability
    - debian/patches/CVE-2015-5346.patch: handle different session settings
      in java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/catalina/connector/Request.java.
    - CVE-2015-5346
  * SECURITY UPDATE: CSRF protection mechanism bypass
    - debian/patches/CVE-2015-5351.patch: don't create sessions
      unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp,
      webapps/host-manager/WEB-INF/jsp/403.jsp,
      webapps/host-manager/WEB-INF/jsp/404.jsp,
      webapps/host-manager/index.jsp,
      webapps/manager/WEB-INF/web.xml,
      webapps/manager/index.jsp.
    - CVE-2015-5351
  * SECURITY UPDATE: securityManager restrictions bypass via
    StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list
      in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via
    session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute
      filtering options in
      java/org/apache/catalina/ha/session/ClusterManagerBase.java
      java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
      java/org/apache/catalina/session/LocalStrings.properties,
      java/org/apache/catalina/session/ManagerBase.java,
      java/org/apache/catalina/session/StandardManager.java,
      java/org/apache/catalina/session/mbeans-descriptors.xml,
      java/org/apache/catalina/util/CustomObjectInputStream.java,
      java/org/apache/catalina/util/LocalStrings.properties,
      webapps/docs/config/cluster-manager.xml,
      webapps/docs/config/manager.xml.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global
    context
    - debian/patches/CVE-2016-0763.patch: protect initialization in
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092
  * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing
    colons in cookie names which is illegal in newer java versions in
    test/org/apache/catalina/authenticator/*.java.

 -- Marc Deslauriers <email address hidden>  Wed, 29 Jun 2016 08:48:32 -0400

Upload details

Uploaded by:
Marc Deslauriers
Uploaded to:
Wily
Original maintainer:
Ubuntu Developers
Architectures:
all
Section:
java
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section

Builds

Wily: [FULLYBUILT] amd64

Downloads

File Size SHA-256 Checksum
tomcat7_7.0.64.orig.tar.xz 2.8 MiB 345ffe4c315ea57cc939a5d26999992e87c3c60d442d039d357b0614f61f9aaf
tomcat7_7.0.64-1ubuntu0.3.debian.tar.xz 76.7 KiB 9357363516bf4c2e38e5088694138f1811db74969dee7736650998a5f6c247bf
tomcat7_7.0.64-1ubuntu0.3.dsc 2.8 KiB 3580e3eac2202d8045a75acedb70b16e68907a5ea41e6990609406ce95bedf6e

View changes file

Binary packages built by this source

libservlet3.0-java: No summary available for libservlet3.0-java in ubuntu wily.

No description available for libservlet3.0-java in ubuntu wily.

libservlet3.0-java-doc: No summary available for libservlet3.0-java-doc in ubuntu wily.

No description available for libservlet3.0-java-doc in ubuntu wily.

libtomcat7-java: No summary available for libtomcat7-java in ubuntu wily.

No description available for libtomcat7-java in ubuntu wily.

tomcat7: No summary available for tomcat7 in ubuntu wily.

No description available for tomcat7 in ubuntu wily.

tomcat7-admin: No summary available for tomcat7-admin in ubuntu wily.

No description available for tomcat7-admin in ubuntu wily.

tomcat7-common: No summary available for tomcat7-common in ubuntu wily.

No description available for tomcat7-common in ubuntu wily.

tomcat7-docs: No summary available for tomcat7-docs in ubuntu wily.

No description available for tomcat7-docs in ubuntu wily.

tomcat7-examples: No summary available for tomcat7-examples in ubuntu wily.

No description available for tomcat7-examples in ubuntu wily.

tomcat7-user: No summary available for tomcat7-user in ubuntu wily.

No description available for tomcat7-user in ubuntu wily.