Package        : tomcat7
Version        : 7.0.28-4+deb7u7
CVE ID         : CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796
                 CVE-2016-6797 CVE-2016-6816 CVE-2016-8735
Debian Bug     : 841655 842662 842663 842664 842665 842666 845385

Multiple security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine, which may result in possible timing attacks to
determine valid user names, bypass of the SecurityManager, disclosure of
system properties, unrestricted access to global resources, arbitrary
file overwrites, and potentially escalation of privileges.

In addition this update further hardens Tomcat's init and maintainer
scripts to prevent possible privilege escalations. Thanks to Paul Szabo
for the report.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u7.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS