This is an automated email from the git hooks/post-receive script. apo-guest pushed a commit to branch master in repository tomcat6.
commit 537c67173566022702fa7322c153882739acf0b7 Author: Markus Koschany <[email protected]> Date: Sat Feb 27 16:17:15 2016 +0100 Update changelog --- debian/changelog | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/debian/changelog b/debian/changelog index daefc9e..6b6c388 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,37 @@ +tomcat6 (6.0.45-1) unstable; urgency=medium + + * Team upload. + * Imported Upstream version 6.0.45. + * Declare compliance with Debian Policy 3.9.7. + * Vcs-fields: Use https. + * This update fixes the following security vulnerabilities in the source + package. Since src:tomcat6 only builds libservlet2.5-java and + documentation, users are not directly affected. + - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java. + - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45 + processes redirects before considering security constraints and Filters. + - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place + org.apache.catalina.manager.StatusManagerServlet on the + org/apache/catalina/core/RestrictedServlets.properties list which allows + remote authenticated users to bypass intended SecurityManager + restrictions. + - CVE-2016-0714: The session-persistence implementation in Apache Tomcat before + 6.0.45 mishandles session attributes, which allows remote authenticated + users to bypass intended SecurityManager restrictions. + - CVE-2016-0763: The setGlobalContext method in + org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does + not consider whether ResourceLinkFactory.setGlobalContext callers are + authorized, which allows remote authenticated users to bypass intended + SecurityManager restrictions and read or write to arbitrary application + data, or cause a denial of service (application disruption), via a web + application that sets a crafted global context. + - CVE-2015-5351: The Manager and Host Manager applications in + Apache Tomcat establish sessions and send CSRF tokens for arbitrary new + requests, which allows remote attackers to bypass a CSRF protection + mechanism by using a token. 
+ + -- Markus Koschany <[email protected]> Sat, 27 Feb 2016 16:12:05 +0100 + tomcat6 (6.0.41-4) unstable; urgency=medium * Removed the timstamp from the Javadoc of the Servlet API -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
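Review bot: the new 6.0.45-1 entry's claim that "users are not directly affected" because src:tomcat6 only builds libservlet2.5-java and documentation is not backed up by the entry itself; since every listed CVE points at Catalina, Mapper, Manager or naming code (RequestUtil.java, StatusManagerServlet, ResourceLinkFactory.java, the Manager and Host Manager webapps) rather than the Servlet API, it would help readers of the changelog and the security tracker to say so in one line, e.g. "None of the affected classes are shipped in libservlet2.5-java." The CVE-2015-5174 item is also much terser than the others ("Directory traversal vulnerability in RequestUtil.java") and gives no impact or component; aligning it with the style of the remaining items would keep the entry consistent. The "timstamp" typo in the 6.0.41-4 entry is in unchanged context and can be left as is.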

