Format: 1.8
Date: Thu, 11 Oct 2018 18:55:25 -0300
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.4-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs tomcat6-extras
Architecture: all
Version: 6.0.39-1ubuntu0.1
Distribution: trusty
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Eduardo Barretto
Description:
 libservlet2.4-java - Transitional package for libservlet2.5-java
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
 libtomcat6-java - Servlet and JSP engine -- core libraries
 tomcat6    - Servlet and JSP engine
 tomcat6-admin - Servlet and JSP engine -- admin web applications
 tomcat6-common - Servlet and JSP engine -- common files
 tomcat6-docs - Servlet and JSP engine -- documentation
 tomcat6-examples - Servlet and JSP engine -- example web applications
 tomcat6-extras - Servlet and JSP engine -- additional components
 tomcat6-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat6 (6.0.39-1ubuntu0.1) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: Integer overflow
     - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
       parseChunkHeader function in
       java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
     - CVE-2014-0075
   * SECURITY UPDATE: Bypass security-manager restrictions and read arbitrary
     files via a crafted web application that provides an XML external entity
     declaration in conjunction with an entity reference.
     - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT stylesheets
     - CVE-2014-0096
   * SECURITY UPDATE: Fix integer overflow.
     - debian/patches/CVE-2014-0099.patch: Fix in
       java/org/apache/tomcat/util/buf/Ascii.java
     - CVE-2014-0099
   * SECURITY UPDATE: Read arbitrary files via a crafted web application that
     provides an XML external entity declaration in conjunction with an entity
     reference.
     - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java and
       DefaultServlet.java
     - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
     - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
     - CVE-2014-0119
   * SECURITY UPDATE: Add error flag to allow subsequent attempts at reading
     after an error to fail fast.
     - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
     - CVE-2014-0227
   * SECURITY UPDATE: DoS (thread consumption) via a series of aborted upload
     attempts.
     - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
     - CVE-2014-0230
   * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a web
     application that leverages use of incorrect privileges during EL
     evaluation.
     - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
     - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java and
       SecurityClassLoad.java
     - CVE-2014-7810
   * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
     - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
     - CVE-2015-5174
   * SECURITY UPDATE: Remote attackers can determine the existence of a
     directory via a URL that lacks a trailing slash character.
     - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
     - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
     - CVE-2015-5345
   * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
     - debian/patches/CVE-2015-5351-1.patch: fix in manager application
     - debian/patches/CVE-2015-5351-2.patch: fix in host-manager application
     - CVE-2015-5351
   * SECURITY UPDATE: Bypass intended SecurityManager restrictions and read
     arbitrary HTTP requests, and consequently discover session ID values, via
     a crafted web application.
     - debian/patches/CVE-2016-0706.patch: fix in RestrictedServlets.properties
     - CVE-2016-0706
   * SECURITY UPDATE: Bypass intended SecurityManager restrictions and execute
     arbitrary code in a privileged context via a web application that places
     a crafted object in a session.
     - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
     - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
     - CVE-2016-0714
   * SECURITY UPDATE: Possible to determine valid user names.
     - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
       RealmBase.java
     - CVE-2016-0762
   * SECURITY UPDATE: Bypass intended SecurityManager restrictions and read or
     write to arbitrary application data, or cause a denial of service
     (application disruption), via a web application that sets a crafted
     global context.
     - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
     - CVE-2016-0763
   * SECURITY UPDATE: Access to the tomcat account to gain root privileges via
     a symlink attack on the Catalina log file.
     - debian/tomcat6.init: don't follow symlinks when handling the
       catalina.out file.
     - CVE-2016-1240
Checksums-Sha1:
 5599c324b8f2c69d40a255c188c464789093539e 43660 tomcat6-common_6.0.39-1ubuntu0.1_all.deb
 cfcb98cc53eb63552fcca38c5c64f5a8841a7745 35240 tomcat6_6.0.39-1ubuntu0.1_all.deb
 f5769ef22e41180b50cf5a3118c1001bd5d9fea6 25658 tomcat6-user_6.0.39-1ubuntu0.1_all.deb
 fcc0c2c78d6e2984fd3c68576eed52ce34553401 3063744 libtomcat6-java_6.0.39-1ubuntu0.1_all.deb
 d54558df1e18341a801f98cc31bb470634c11072 2946 libservlet2.4-java_6.0.39-1ubuntu0.1_all.deb
 a4c1479f95f7ae545e66b6498e801edfe9a7491f 209994 libservlet2.5-java_6.0.39-1ubuntu0.1_all.deb
 fa02888cb5a76a1c4de5e7c3e208d5b84fde42a0 167864 libservlet2.5-java-doc_6.0.39-1ubuntu0.1_all.deb
 1f561430326e57d8492b05484f9e7cae7d941c4d 25668 tomcat6-admin_6.0.39-1ubuntu0.1_all.deb
 a43d63574187e7acc574ef08d20410202db195f9 119478 tomcat6-examples_6.0.39-1ubuntu0.1_all.deb
 5d3c9e511559b86ab6043e19bdb649b2f33b460f 428544 tomcat6-docs_6.0.39-1ubuntu0.1_all.deb
 deb9d685034eb2ff4816e8507ef2c1124abb9185 6022 tomcat6-extras_6.0.39-1ubuntu0.1_all.deb
Checksums-Sha256:
 77af3e1d2245965919ea99da6855e17ca6c032ac757fccff471813db1f6fdae2 43660 tomcat6-common_6.0.39-1ubuntu0.1_all.deb
 84987180682eb1448d94c65b0699c81b78919b0192cbc4dd3da8efd2f31bfe6a 35240 tomcat6_6.0.39-1ubuntu0.1_all.deb
 5de13f5a1085d4b3541ad1329fc004bdcdc942c2b3190539f8af27797a733934 25658 tomcat6-user_6.0.39-1ubuntu0.1_all.deb
 82a72a1dd35c40ad8359f107d8ae99223008207b5d3a17e7e92375594f7e5c0b 3063744 libtomcat6-java_6.0.39-1ubuntu0.1_all.deb
 5c5be36db51bd4a739cdfc39cb8bc5ef2352a82c7fe74d191553fa99d0c388e7 2946 libservlet2.4-java_6.0.39-1ubuntu0.1_all.deb
 db85a0450bcfb7a3551bdf1c6b3c4cd0c9a3686d7cc6193813cad306c2abd3c4 209994 libservlet2.5-java_6.0.39-1ubuntu0.1_all.deb
 762c6cacf06a7cc06a3cd68011f020d7ee247b95c28b04148166cc068a127bef 167864 libservlet2.5-java-doc_6.0.39-1ubuntu0.1_all.deb
 bd363c825b22c13826adf603bdf74146954bade88fef6834b263f9f47a63fbc2 25668 tomcat6-admin_6.0.39-1ubuntu0.1_all.deb
 04becef51a8dd181a8ba7a78787dd5a5c1970e9c41c150d15962e193d29fdbad 119478 tomcat6-examples_6.0.39-1ubuntu0.1_all.deb
 706a7ffeb9f73f451e7e6ff075a31527441f877f299eacf7742b7c17449b25b4 428544 tomcat6-docs_6.0.39-1ubuntu0.1_all.deb
 8837f6ede188eff6fe1b337aaf1ce24d478b94dec725eb4abe628445b67816d4 6022 tomcat6-extras_6.0.39-1ubuntu0.1_all.deb
Files:
 25bc430e52232a4d557deac70dab07b9 43660 java optional tomcat6-common_6.0.39-1ubuntu0.1_all.deb
 81d5efcc60a540db34e59975d0d45d3a 35240 java optional tomcat6_6.0.39-1ubuntu0.1_all.deb
 274f3c4d74dbf03a547315fd9df1e2ef 25658 java optional tomcat6-user_6.0.39-1ubuntu0.1_all.deb
 900e06c027309a3d128af059fb6241fd 3063744 java optional libtomcat6-java_6.0.39-1ubuntu0.1_all.deb
 1b35232dfdf109a63fa9d847711a7b46 2946 oldlibs extra libservlet2.4-java_6.0.39-1ubuntu0.1_all.deb
 6b8459f50ba6acda680baada2a36dd28 209994 java optional libservlet2.5-java_6.0.39-1ubuntu0.1_all.deb
 c3d8b728786f4161a40e80b120114e5b 167864 doc optional libservlet2.5-java-doc_6.0.39-1ubuntu0.1_all.deb
 9461136da590faf3ed2176862f11904a 25668 java optional tomcat6-admin_6.0.39-1ubuntu0.1_all.deb
 8d3d8d1da1b9cdc669ab962c618bc5b8 119478 java optional tomcat6-examples_6.0.39-1ubuntu0.1_all.deb
 6c2a6d582278b564be136b0ee994a883 428544 doc optional tomcat6-docs_6.0.39-1ubuntu0.1_all.deb
 44707a7e8ac95d91fb4a36b5001c6e01 6022 java optional tomcat6-extras_6.0.39-1ubuntu0.1_all.deb
Original-Maintainer: Debian Java Maintainers