Format: 1.8 Date: Thu, 19 Jan 2017 12:38:29 -0500 Source: tomcat7 Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs Architecture: all i386_translations Version: 7.0.52-1ubuntu0.8 Distribution: trusty Urgency: medium Maintainer: Launchpad Build Daemon Changed-By: Marc Deslauriers Description: libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation libtomcat7-java - Servlet and JSP engine -- core libraries tomcat7 - Servlet and JSP engine tomcat7-admin - Servlet and JSP engine -- admin web applications tomcat7-common - Servlet and JSP engine -- common files tomcat7-docs - Servlet and JSP engine -- documentation tomcat7-examples - Servlet and JSP engine -- example web applications tomcat7-user - Servlet and JSP engine -- tools to create user instances Changes: tomcat7 (7.0.52-1ubuntu0.8) trusty-security; urgency=medium . * SECURITY UPDATE: SecurityManager bypass via a utility method - debian/patches/CVE-2016-5018.patch: remove unnecessary code in java/org/apache/jasper/compiler/JspRuntimeContext.java, java/org/apache/jasper/runtime/JspRuntimeLibrary.java, java/org/apache/jasper/security/SecurityClassLoad.java. - CVE-2016-5018 * SECURITY UPDATE: mitigaton for httpoxy issue - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization parameter to conf/web.xml, webapps/docs/cgi-howto.xml, java/org/apache/catalina/servlets/CGIServlet.java. - CVE-2016-5388 * SECURITY UPDATE: system properties read SecurityManager bypass - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection to the system property replacement feature of the digester in java/org/apache/catalina/loader/WebappClassLoader.java, java/org/apache/tomcat/util/digester/Digester.java, java/org/apache/tomcat/util/security/PermissionCheck.java. - CVE-2016-6794 * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration parameters - debian/patches/CVE-2016-6796.patch: ignore some JSP options when running under a SecurityManager in conf/web.xml, java/org/apache/jasper/EmbeddedServletOptions.java, java/org/apache/jasper/resources/LocalStrings.properties, java/org/apache/jasper/servlet/JspServlet.java, webapps/docs/jasper-howto.xml. - CVE-2016-6796 * SECURITY UPDATE: web application global JNDI resource access - debian/patches/CVE-2016-6797.patch: ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be in java/org/apache/catalina/core/NamingContextListener.java, java/org/apache/naming/factory/ResourceLinkFactory.java, test/org/apache/naming/TestNamingContext.java. - CVE-2016-6797 * SECURITY UPDATE: HTTP response injection via invalid characters - debian/patches/CVE-2016-6816.patch: add additional checks for valid characters in java/org/apache/coyote/http11/AbstractInputBuffer.java, java/org/apache/coyote/http11/AbstractNioInputBuffer.java, java/org/apache/coyote/http11/InternalAprInputBuffer.java, java/org/apache/coyote/http11/InternalInputBuffer.java, java/org/apache/coyote/http11/LocalStrings.properties, java/org/apache/tomcat/util/http/parser/HttpParser.java. - CVE-2016-6816 * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener - debian/patches/CVE-2016-8735-pre.patch: remove the restriction that prevented the use of SSL when specifying a bind address in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java, java/org/apache/catalina/mbeans/LocalStrings.properties, webapps/docs/config/listeners.xml. - debian/patches/CVE-2016-8735.patch: explicitly configure allowed credential types in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java. - CVE-2016-8735 * SECURITY UPDATE: information leakage between requests - debian/patches/CVE-2016-8745.patch: properly handle cache when unable to complete sendfile request in java/org/apache/tomcat/util/net/NioEndpoint.java. - CVE-2016-8745 * SECURITY UPDATE: privilege escalation during package upgrade - debian/rules, debian/tomcat7.postinst: properly set permissions on /etc/tomcat7/Catalina/localhost. - CVE-2016-9774 * SECURITY UPDATE: privilege escalation during package removal - debian/tomcat7.postrm.in: don't reset permissions before removing user. - CVE-2016-9775 * debian/tomcat7.init: further hardening. Checksums-Sha1: b46c06e5b952c4ae34cbef1ef6200df7b383c0d0 47982 tomcat7-common_7.0.52-1ubuntu0.8_all.deb da242855311bdc3edf9056a269235ecaf0cf4e74 36008 tomcat7_7.0.52-1ubuntu0.8_all.deb b4a372e8c8bf6435dd7debb3aad38db60a5bc27b 24414 tomcat7-user_7.0.52-1ubuntu0.8_all.deb 0aebeaf2b775b0e132eb2397d405a9359f0f7c72 3653440 libtomcat7-java_7.0.52-1ubuntu0.8_all.deb 8d9aa8f8dcad612b442a9c41312a2978427ba31d 295768 libservlet3.0-java_7.0.52-1ubuntu0.8_all.deb 4a275c5a4bcbf1aa62df442dca5b2a8486a350b5 194506 libservlet3.0-java-doc_7.0.52-1ubuntu0.8_all.deb adb0818140eea6080c20b708dc26f228c2f86745 29406 tomcat7-admin_7.0.52-1ubuntu0.8_all.deb 85f8371d6a60a19a6565900bf71d20df7a5a3999 184750 tomcat7-examples_7.0.52-1ubuntu0.8_all.deb 0bc27c3e0d99195f04ac136d48d5e6ab74dfdb22 552202 tomcat7-docs_7.0.52-1ubuntu0.8_all.deb 4698ed8ae24e2e775bcc64d25fbe3426dc003219 8097 tomcat7_7.0.52-1ubuntu0.8_i386_translations.tar.gz Checksums-Sha256: 6c98bd36eaaacd923f88cfaa4bd5c264b90c4ae45c7586e0acfb0ca5c76a9fee 47982 tomcat7-common_7.0.52-1ubuntu0.8_all.deb b0c27f13ef52277b2a6d351f98365a59dfe05c47f1e3e9738db939e9d3d93a74 36008 tomcat7_7.0.52-1ubuntu0.8_all.deb ee284fadf0c542858ddeb4bae335fe17f7283e1bcf6f49968c6da393c752b623 24414 tomcat7-user_7.0.52-1ubuntu0.8_all.deb 421071d2066c07104d74c8dd88e4b25ecebf5bca2aa4aef113f7d9af470ff6c4 3653440 libtomcat7-java_7.0.52-1ubuntu0.8_all.deb b0bad45cf9f8f84c2ee38b4fc4f8707f0330946a28421036f9113d57f0c3b44b 295768 libservlet3.0-java_7.0.52-1ubuntu0.8_all.deb 61b5162f59afd50bcacc65f54d39e64510afe4da7a3838fb85446c10216f835f 194506 libservlet3.0-java-doc_7.0.52-1ubuntu0.8_all.deb bd90b44eabf4eccaccaf64f1f9d786259701e3d79d18fae623487c7bdf9e0ef2 29406 tomcat7-admin_7.0.52-1ubuntu0.8_all.deb b35c1f7f5dafd4464d6ab7579d59e44040c9c248a9263eca372c48454e7fb51e 184750 tomcat7-examples_7.0.52-1ubuntu0.8_all.deb 72f7114dbaa157dc8de42337d2a69b7d8a3d51753af25e9e342dff20f0c0a735 552202 tomcat7-docs_7.0.52-1ubuntu0.8_all.deb 3f46bb9a38327c4a37797af6885dd65c98a823a71d223f087b277e8ed4f3a01c 8097 tomcat7_7.0.52-1ubuntu0.8_i386_translations.tar.gz Files: 9f72f26de9969c63ef447881255d912d 47982 java optional tomcat7-common_7.0.52-1ubuntu0.8_all.deb 91ae71c774b1134a3af9cc33ed8765e8 36008 java optional tomcat7_7.0.52-1ubuntu0.8_all.deb 472eaa295ecaee344dbeffcb5971d01b 24414 java optional tomcat7-user_7.0.52-1ubuntu0.8_all.deb 2efa03705f3172bbe25e7a01a8fca46c 3653440 java optional libtomcat7-java_7.0.52-1ubuntu0.8_all.deb 1cd9421b4afdc7aa1528cd392862961c 295768 java optional libservlet3.0-java_7.0.52-1ubuntu0.8_all.deb 18c6df96ef3f6e8e91589ed5160f9561 194506 doc optional libservlet3.0-java-doc_7.0.52-1ubuntu0.8_all.deb 97cd97ffe0d5318a12b4c1b4d8544703 29406 java optional tomcat7-admin_7.0.52-1ubuntu0.8_all.deb 22e46fbc6eeabc3416be94d46810bb8d 184750 java optional tomcat7-examples_7.0.52-1ubuntu0.8_all.deb 7c2f85501ffc080156d061cb0337811a 552202 doc optional tomcat7-docs_7.0.52-1ubuntu0.8_all.deb 308a98776f2f865bb5ed23f59e3fa137 8097 raw-translations - tomcat7_7.0.52-1ubuntu0.8_i386_translations.tar.gz Original-Maintainer: Debian Java Maintainers