-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 01 Dec 2016 23:00:20 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-4+deb7u7
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat7 (7.0.28-4+deb7u7) wheezy-security; urgency=high
 .
   * Fixed CVE-2016-0762:
     The Realm implementations did not process the supplied password if the
     supplied user name did not exist. This made a timing attack possible to
     determine valid user names.
   * Fixed CVE-2016-5018:
     A malicious web application was able to bypass a configured
     SecurityManager via a Tomcat utility method that was accessible to web
     applications.
   * Fixed CVE-2016-6794:
     When a SecurityManager is configured, a web application's ability to
     read system properties should be controlled by the SecurityManager.
     Tomcat's system property replacement feature for configuration files
     could be used by a malicious web application to bypass the
     SecurityManager and read system properties that should not be visible.
   * Fixed CVE-2016-6796:
     A malicious web application was able to bypass a configured
     SecurityManager via manipulation of the configuration parameters for the
     JSP Servlet.
   * Fixed CVE-2016-6797:
     The ResourceLinkFactory did not limit web application access to global
     JNDI resources to those resources explicitly linked to the web
     application. Therefore, it was possible for a web application to access
     any global JNDI resource whether an explicit ResourceLink had been
     configured or not.
   * Fixed CVE-2016-6816:
     The code that parsed the HTTP request line permitted invalid characters.
     This could be exploited, in conjunction with a proxy that also permitted
     the invalid characters but with a different interpretation, to inject
     data into the HTTP response. By manipulating the HTTP response the
     attacker could poison a web-cache, perform an XSS attack and/or obtain
     sensitive information from requests other than their own.
   * Fixed CVE-2016-8735:
     The JmxRemoteLifecycleListener was not updated to take account of
     Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using
     this listener remained vulnerable to a similar remote code execution
     vulnerability.
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
       Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a
       similar vulnerability that could be exploited to overwrite any file on
       the system. Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo
   * Fix possible privilege escalation via package purge by removing the
     chown command in postrm maintainer script. See #845385 for more
     information.
Checksums-Sha1:
 c9542a1e21136efa7aed96324c196f2f94b5f2fa 2795 tomcat7_7.0.28-4+deb7u7.dsc
 035dc377b750cdcbc713f05dc90309260efca58d 183767 tomcat7_7.0.28-4+deb7u7.debian.tar.gz
 88474cf434631ae2304edc9c6a0ee7a804a8b8a7 65774 tomcat7-common_7.0.28-4+deb7u7_all.deb
 48f1c01c52d11421f4c7cbf8a362d3829a2477ec 53072 tomcat7_7.0.28-4+deb7u7_all.deb
 7e5fb96febed4f0ff7c5545416bc747e1a53902c 41042 tomcat7-user_7.0.28-4+deb7u7_all.deb
 96198d4c3f04a9e146aa8b61d41cdde9ee679dca 3503700 libtomcat7-java_7.0.28-4+deb7u7_all.deb
 b498786194d86fae6b2628ac5f43860880b96173 307034 libservlet3.0-java_7.0.28-4+deb7u7_all.deb
 b3f33bc0d223ef1ef3ec56e4ff270f0f96005ee6 320664 libservlet3.0-java-doc_7.0.28-4+deb7u7_all.deb
 3f1b1245b26764d4c16e297caa275b1377b1108f 53702 tomcat7-admin_7.0.28-4+deb7u7_all.deb
 20c8fa65dbce031b7761e83356139477454705bf 207316 tomcat7-examples_7.0.28-4+deb7u7_all.deb
 d9cad246f2512544b56327a7b926ed0e28009f36 648778 tomcat7-docs_7.0.28-4+deb7u7_all.deb
Checksums-Sha256:
 4cbd58ea8ea8ce757116f0d1e0f978dce0cd62e8d3c34e7e76ece033a72c83e0 2795 tomcat7_7.0.28-4+deb7u7.dsc
 311e49bcba783c41947d671a57959afe26377ea634c524453f338c817557ce32 183767 tomcat7_7.0.28-4+deb7u7.debian.tar.gz
 8eca70cc62d8be6008ef992db4d566855060f089435b9ca8e9771cc38e525310 65774 tomcat7-common_7.0.28-4+deb7u7_all.deb
 dbf817254ca1f631276ba42289526358abfbf99aeeb94cf40ff0a55fdfb95f93 53072 tomcat7_7.0.28-4+deb7u7_all.deb
 8fc1d24f2bf9a0519b57fdb07c33ef6a96262a3d1b184bb71118168bbb00e7cd 41042 tomcat7-user_7.0.28-4+deb7u7_all.deb
 08027b91aeb0fa99ce34ab2ca1189ae63039ad2de043b7acf037bb0eb430ecaf 3503700 libtomcat7-java_7.0.28-4+deb7u7_all.deb
 745452186c76277388bfb7f95537e78bdf55a46953151cf1a5e082fbcbaee02d 307034 libservlet3.0-java_7.0.28-4+deb7u7_all.deb
 a70cbbb5775dcea9b2ad5647e66dbd810fe75f595ddbe92bd069fce52c68928d 320664 libservlet3.0-java-doc_7.0.28-4+deb7u7_all.deb
 458d4f4483b4816ff2b62d64ecac481c0cd9bc05a164c093eda12cc41673ad0c 53702 tomcat7-admin_7.0.28-4+deb7u7_all.deb
 9871b3cdf983645a9b6993a03999387dd64d7727dcab9d1c1699180e3804278e 207316 tomcat7-examples_7.0.28-4+deb7u7_all.deb
 05529afb5fc6d7aa1dc912609b7193c08c0520869e58484d150e3b19dba2a44a 648778 tomcat7-docs_7.0.28-4+deb7u7_all.deb
Files:
 d3f314fe981b4283df5e1d57447de568 2795 java optional tomcat7_7.0.28-4+deb7u7.dsc
 eeb98cb049a1e336a8a7845593c77ff5 183767 java optional tomcat7_7.0.28-4+deb7u7.debian.tar.gz
 d3dac481496999265653b0ad88aac8c0 65774 java optional tomcat7-common_7.0.28-4+deb7u7_all.deb
 e68f1f5b0a4b3ee5210160c18a5b84f6 53072 java optional tomcat7_7.0.28-4+deb7u7_all.deb
 8776461879102e2462f905fd133fd32a 41042 java optional tomcat7-user_7.0.28-4+deb7u7_all.deb
 7206f42b292f41dd61af3e2ad4cfd096 3503700 java optional libtomcat7-java_7.0.28-4+deb7u7_all.deb
 3279b13004f079112b3ef115b4791fe7 307034 java optional libservlet3.0-java_7.0.28-4+deb7u7_all.deb
 3f704b048d6a151cd8f99d54aa7853b2 320664 doc optional libservlet3.0-java-doc_7.0.28-4+deb7u7_all.deb
 b27ee69bc0e7adf99a560cf038940498 53702 java optional tomcat7-admin_7.0.28-4+deb7u7_all.deb
 0075eb37f73839bdc27869ac1a02fba2 207316 java optional tomcat7-examples_7.0.28-4+deb7u7_all.deb
 0ef493cfeb1e3868f6e3df497864d2a5 648778 doc optional tomcat7-docs_7.0.28-4+deb7u7_all.deb

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlhAo2tfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkSE0P/2yk3x8LIZyQEM/+kZburtbkVaMXJOw9anup
yDhNexPH1S1p0uIXQ83EfK02/TRT1nAIULmwTLM6X6Xd8piFLZyiFDdtPpWBOEEe
Rp+ujN1ZiDGyaMA+pt/xWEDTNTZVbzFeu03UVCOAYQA1KPSFIOrLpNWnkDkEioly
8rO4axubt1TEwZ8gUN/QpJrB134JPclN1/eYPuRvVelFx40j+ra0xOb8zbi8sUZ0
e5Kl0CjGMX7NhkoebeyN33kzIzAoiyVddRL5bBHRAWP7WTL7ucSwEBm9xKWXRwni
MwcgYBR29muRvV2FcWfKMykCN6PkZG6oyZHYNiwSOf3S3x+FF0lBkHqxk0jlOo+4
dXZRS1+xy882OMaj337VIji0Wc0FC3sJh3wu6K6jcFsF8FYkXyAw+SybxKHJFz+s
iKIfA9VeYCNV8YC+ndZq91eeHG+q6MdTadAE1I9YTgA7JNHlLcbxXyaVe/122yiB
yKqMUJtL01IYHy2HDXbIiXygpW0b3rzuLCY+kSkx5HAoh5NbjHRvzQEt8bmELrZJ
NUhaBWpPLvT6k4lDK3bKg8osCB+pvR0sOCRRCw1D6v8xl8enHN8S+PYFbxIQiPQA
xRZdjMY70eiU1Fqyz77Uvn/haxJP8/uFW/JT4hToitvRHqgQVWir/wZW0ggzgHJo
qWs/bnSx
=7huU
-----END PGP SIGNATURE-----
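Added example (editor's illustration, not Tomcat's or Debian's code) of the user-enumeration side channel described under CVE-2016-0762 above: a Realm that returns as soon as the user name is unknown skips the password hashing, so rejections for unknown names are measurably faster than rejections for known names with a wrong password. The Python below models both behaviours; the realm, the user "tomcat"/"s3cr3t", PBKDF2 as the credential handler and the iteration count are all constructed for the demo and say nothing about Tomcat's internal classes.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for the demo; a real realm would use a tuned cost.
ITERATIONS = 50_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256) standing in for the realm's credential handler."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Realm:
    """Toy user/password realm. constant_work=False reproduces the early-return
    behaviour described for CVE-2016-0762; constant_work=True always hashes."""

    def __init__(self, users: dict, constant_work: bool):
        self.users = users                      # name -> (salt, pbkdf2 hash)
        self.constant_work = constant_work
        # Dummy salt used when the user is unknown, so an unknown name costs
        # the same hashing work as a known name with a wrong password.
        self.dummy_salt = os.urandom(SALT_LEN)
        self.hash_calls = 0                     # instrumentation for the test

    def _hash(self, password: str, salt: bytes) -> bytes:
        self.hash_calls += 1
        return hash_password(password, salt)

    def authenticate(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            if self.constant_work:
                # Hardened: do the hashing work anyway, then reject.
                self._hash(password, self.dummy_salt)
            # Vulnerable variant returns here without touching the password,
            # so unknown names are rejected measurably faster.
            return False
        salt, expected = record
        return hmac.compare_digest(self._hash(password, salt), expected)


def make_realm(constant_work: bool) -> Realm:
    """Realm with one constructed user, 'tomcat' / 's3cr3t'."""
    salt = os.urandom(SALT_LEN)
    return Realm({"tomcat": (salt, hash_password("s3cr3t", salt))}, constant_work)


def fastest(realm: Realm, username: str, password: str, rounds: int = 5) -> float:
    """Best-of-N wall-clock time of one authenticate() call, as an attacker would measure it."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        realm.authenticate(username, password)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for label, realm in (("vulnerable", make_realm(False)), ("hardened", make_realm(True))):
        known = fastest(realm, "tomcat", "wrong-password")
        unknown = fastest(realm, "nobody", "wrong-password")
        print(f"{label:10s} known-user reject {known * 1e3:7.2f} ms, "
              f"unknown-user reject {unknown * 1e3:7.2f} ms")
```

Running the block prints the two timings per realm; the vulnerable realm's unknown-user rejection is roughly a PBKDF2 call faster than its known-user rejection, while the hardened realm's two rejections take about the same time. The hash_calls counter is the deterministic check: the hardened realm performs one hash per attempt regardless of whether the name exists.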
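Added example (editor's illustration, not Tomcat's parser) for the CVE-2016-6816 entry above: the defence against request-line disagreement between a proxy and the origin is to reject every request line that falls outside the RFC 7230 grammar, rather than guessing how an odd byte should be read. The Python validator below accepts only "method SP request-target SP HTTP-version CRLF" with a token method, an origin-form or asterisk-form target built from RFC 3986 pchar/query characters and well-formed %XX escapes, and no CTL or non-ASCII bytes. The rejected sample lines in the usage section are constructed to show the character classes involved; they are not the specific bytes from the Tomcat report, and absolute-form and authority-form targets are left out as a simplifying assumption.

```python
import re
import string
from typing import NamedTuple

# Character classes from RFC 7230 (tchar) and RFC 3986 (pchar, query).
TCHAR = set("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PCHAR = UNRESERVED | SUB_DELIMS | set(":@")
PATH_CHARS = PCHAR | {"/"}
QUERY_CHARS = PCHAR | {"/", "?"}
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")
HTTP_VERSION = re.compile(r"HTTP/[0-9]\.[0-9]")


class BadRequestLine(ValueError):
    """Raised for any request line outside the grammar; the server should answer 400."""


class RequestLine(NamedTuple):
    method: str
    path: str
    query: str
    version: str


def _check_chars(segment: str, allowed: set, what: str) -> None:
    # Remove well-formed %XX escapes first; any '%' left over is a malformed escape.
    stripped = PCT_ENCODED.sub("", segment)
    if "%" in stripped:
        raise BadRequestLine(f"malformed percent-encoding in {what}")
    bad = [c for c in stripped if c not in allowed]
    if bad:
        raise BadRequestLine(f"invalid character {bad[0]!r} in {what}")


def parse_request_line(line: bytes) -> RequestLine:
    if not line.endswith(b"\r\n"):
        raise BadRequestLine("request line must end with CRLF")
    body = line[:-2]
    # Reject CTLs (including bare CR, LF, TAB, DEL) and non-ASCII bytes up front.
    if any(b < 0x20 or b >= 0x7F for b in body):
        raise BadRequestLine("control or non-ASCII byte in request line")
    parts = body.decode("ascii").split(" ")
    if len(parts) != 3 or "" in parts:
        raise BadRequestLine("expected exactly 'method SP request-target SP version'")
    method, target, version = parts
    if any(c not in TCHAR for c in method):
        raise BadRequestLine(f"invalid method token {method!r}")
    if not HTTP_VERSION.fullmatch(version):
        raise BadRequestLine(f"invalid HTTP-version {version!r}")
    if target == "*":                     # asterisk-form, e.g. OPTIONS *
        return RequestLine(method, "*", "", version)
    if not target.startswith("/"):        # absolute-/authority-form not handled here (assumption)
        raise BadRequestLine("only origin-form and asterisk-form targets are accepted")
    path, _, query = target.partition("?")
    _check_chars(path, PATH_CHARS, "path")
    _check_chars(query, QUERY_CHARS, "query")
    return RequestLine(method, path, query, version)


def accepts(line: bytes) -> bool:
    """True if the line parses, False if it would be rejected with 400."""
    try:
        parse_request_line(line)
        return True
    except BadRequestLine:
        return False


if __name__ == "__main__":
    # Constructed samples: one clean line and several that a lax parser might let through.
    for sample in (b"GET /index.jsp?id=1&x=%2F HTTP/1.1\r\n",
                   b"GET /a|b HTTP/1.1\r\n",
                   b"GET /a{b} HTTP/1.1\r\n",
                   b"GET /a\tb HTTP/1.1\r\n",
                   b"GET /a%ZZ HTTP/1.1\r\n",
                   b"GET /a\x0bb HTTP/1.1\r\n"):
        print(f"{'ACCEPT' if accepts(sample) else 'REJECT'}  {sample!r}")
```

The point of the allow-list is that a byte the origin and a front-end proxy might read differently (a control character, a bare tab, a stray brace or pipe, a broken escape) never reaches request routing or response generation, which removes the disagreement the changelog describes as the precondition for cache poisoning and response injection.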