Format: 1.8
Date: Thu, 19 Jan 2017 15:18:22 -0500
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs tomcat6-extras
Architecture: source
Version: 6.0.35-1ubuntu3.9
Distribution: precise-security
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers@ubuntu.com>
Description: 
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
 libtomcat6-java - Servlet and JSP engine -- core libraries
 tomcat6    - Servlet and JSP engine
 tomcat6-admin - Servlet and JSP engine -- admin web applications
 tomcat6-common - Servlet and JSP engine -- common files
 tomcat6-docs - Servlet and JSP engine -- documentation
 tomcat6-examples - Servlet and JSP engine -- example web applications
 tomcat6-extras - Servlet and JSP engine -- additional components
 tomcat6-user - Servlet and JSP engine -- tools to create user instances
Changes: 
 tomcat6 (6.0.35-1ubuntu3.9) precise-security; urgency=medium
 .
   * SECURITY UPDATE: timing attack in realm implementations
     - debian/patches/CVE-2016-0762.patch: add time delays to
       java/org/apache/catalina/realm/MemoryRealm.java,
       java/org/apache/catalina/realm/RealmBase.java.
     - CVE-2016-0762
   * SECURITY UPDATE: SecurityManager bypass via a utility method
     - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
       java/org/apache/jasper/compiler/JspRuntimeContext.java,
       java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
       java/org/apache/jasper/security/SecurityClassLoad.java.
     - CVE-2016-5018
   * SECURITY UPDATE: mitigaton for httpoxy issue
     - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
       parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
       java/org/apache/catalina/servlets/CGIServlet.java.
     - CVE-2016-5388
   * SECURITY UPDATE: system properties read SecurityManager bypass
     - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
       to the system property replacement feature of the digester in
       java/org/apache/catalina/loader/WebappClassLoader.java,
       java/org/apache/tomcat/util/digester/Digester.java,
       java/org/apache/tomcat/util/security/PermissionCheck.java.
     - CVE-2016-6794
   * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
     parameters
     - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
       running under a SecurityManager in conf/web.xml,
       java/org/apache/jasper/EmbeddedServletOptions.java,
       java/org/apache/jasper/resources/LocalStrings.properties,
       java/org/apache/jasper/servlet/JspServlet.java,
       webapps/docs/jasper-howto.xml.
     - CVE-2016-6796
   * SECURITY UPDATE: web application global JNDI resource access
     - debian/patches/CVE-2016-6797.patch: ensure that the global resource
       is only visible via the ResourceLinkFactory when it is meant to be in
       java/org/apache/catalina/core/NamingContextListener.java,
       java/org/apache/naming/factory/ResourceLinkFactory.java.
     - CVE-2016-6797
   * SECURITY UPDATE: HTTP response injection via invalid characters
     - debian/patches/CVE-2016-6816.patch: add additional checks for valid
       characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
       java/org/apache/coyote/http11/InternalAprInputBuffer.java,
       java/org/apache/coyote/http11/InternalInputBuffer.java,
       java/org/apache/coyote/http11/InternalNioInputBuffer.java,
       java/org/apache/coyote/http11/LocalStrings.properties,
       java/org/apache/tomcat/util/http/parser/HttpParser.java.
     - CVE-2016-6816
   * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
     - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
       credential types in
       java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
     - CVE-2016-8735
   * SECURITY UPDATE: information leakage between requests
     - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
       to complete sendfile request in
       java/org/apache/tomcat/util/net/NioEndpoint.java.
     - CVE-2016-8745
   * SECURITY UPDATE: privilege escalation during package upgrade
     - debian/rules, debian/tomcat6.postinst: properly set permissions on
       /etc/tomcat7/Catalina/localhost.
     - CVE-2016-9774
   * SECURITY UPDATE: privilege escalation during package removal
     - debian/tomcat6.postrm.in: don't reset permissions before removing
       user.
     - CVE-2016-9775
   * debian/tomcat6.init: further hardening.
Checksums-Sha1: 
 c6111428c9bc9388046aadfe43763bd7ab760cc2 2770 tomcat6_6.0.35-1ubuntu3.9.dsc
 3ccd92981f2ae568e0648ab73f6f309b6ccf4329 101168 tomcat6_6.0.35-1ubuntu3.9.debian.tar.gz
Checksums-Sha256: 
 02ec0785ff26f0856750eb1a55f804f5639a822c4c99c8a050ca8d9804df51d7 2770 tomcat6_6.0.35-1ubuntu3.9.dsc
 f679107899425f8d00bdb12fc8526964202c1d0c775ccbb04c3258f89055dd49 101168 tomcat6_6.0.35-1ubuntu3.9.debian.tar.gz
Files: 
 0a958d8e8f2f5eaf43e7fdf37bee0e1f 2770 java optional tomcat6_6.0.35-1ubuntu3.9.dsc
 40b9ecb646fdfcc630a45b41ea7e635b 101168 java optional tomcat6_6.0.35-1ubuntu3.9.debian.tar.gz
Original-Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>