Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 23 Jun 2016 00:27:20 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java 
libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API 
classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java 
API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web 
application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web 
applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high
 .
   * Team upload.
 .
   [ Emmanuel Bourg ]
   * Fix CVE-2016-3092: Denial-of-Service vulnerability with file uploads
 .
   [ Markus Koschany ]
   * Fix CVE-2015-5174:
     Directory traversal vulnerability in RequestUtil.java allows remote
     authenticated users to bypass intended SecurityManager restrictions and
     list a parent directory via a /.. (slash dot dot) in a pathname used by a
     web application in a getResource, getResourceAsStream, or getResourcePaths
     call, as demonstrated by the $CATALINA_BASE/webapps directory.
   * Fix CVE-2015-5345:
     The Mapper component in Apache Tomcat processes redirects before
     considering security constraints and Filters, which allows remote attackers
     to determine the existence of a directory via a URL that lacks a trailing /
     (slash) character.
   * Fix CVE-2015-5346:
     Session fixation vulnerability in Apache Tomcat when different session
     settings are used for deployments of multiple versions of the same web
     application, might allow remote attackers to hijack web sessions by
     leveraging use of a requestedSessionSSL field for an unintended request,
     related to CoyoteAdapter.java and Request.java.
   * Fix CVE-2015-5351:
     The Manager and Host Manager applications in Apache Tomcat establish
     sessions and send CSRF tokens for arbitrary new requests, which allows
     remote attackers to bypass a CSRF protection mechanism by using a token.
   * Fix CVE-2016-0706:
     Apache Tomcat does not place
     org.apache.catalina.manager.StatusManagerServlet on the
     org/apache/catalina/core/RestrictedServlets.properties list, which allows
     remote authenticated users to bypass intended SecurityManager restrictions
     and read arbitrary HTTP requests, and consequently discover session ID
     values, via a crafted web application.
   * Fix CVE-2016-0714:
     The session-persistence implementation in Apache Tomcat mishandles session
     attributes, which allows remote authenticated users to bypass intended
     SecurityManager restrictions and execute arbitrary code in a privileged
     context via a web application that places a crafted object in a session.
   * Fix CVE-2016-0763:
     The setGlobalContext method in
     org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
     not consider whether ResourceLinkFactory.setGlobalContext callers are
     authorized, which allows remote authenticated users to bypass intended
     SecurityManager restrictions and read or write to arbitrary application
     data, or cause a denial of service (application disruption), via a web
     application that sets a crafted global context.
Checksums-Sha1:
 ca7f50f113add711416f82203d477e7d0c164f74 2842 tomcat8_8.0.14-1+deb8u2.dsc
 63021a826bcda11958953e8ae87a10487d6c7a12 51272 
tomcat8_8.0.14-1+deb8u2.debian.tar.xz
 8ccda23f85207ab458a484429f7b87256f2035eb 55880 
tomcat8-common_8.0.14-1+deb8u2_all.deb
 605b06c792d9b5f355ab7fb6567a9f169c535152 45142 tomcat8_8.0.14-1+deb8u2_all.deb
 27eafe08089c738ad1637e80cf76e5959c515c03 33036 
tomcat8-user_8.0.14-1+deb8u2_all.deb
 a3366094df1c69f319e9976e6f766b6750b87750 4584584 
libtomcat8-java_8.0.14-1+deb8u2_all.deb
 73370869c10b8f493166eb615567cd910308285e 390458 
libservlet3.1-java_8.0.14-1+deb8u2_all.deb
 6192da4dc8d44f698fdb513ecfc5d7537b0de8f9 245552 
libservlet3.1-java-doc_8.0.14-1+deb8u2_all.deb
 aa4b1dbe7e9ea772934aac2547c25f7bdf73a1fb 34358 
tomcat8-admin_8.0.14-1+deb8u2_all.deb
 eba15595c68aa99172e55d038ea17463ef496911 192676 
tomcat8-examples_8.0.14-1+deb8u2_all.deb
 87acd9a0616cf8806cfeaccb9913c25a98687416 687576 
tomcat8-docs_8.0.14-1+deb8u2_all.deb
Checksums-Sha256:
 2a2efa5870e046a5d8f2e1745eaefaef146c577330f7a174b2e924fce020bcc5 2842 
tomcat8_8.0.14-1+deb8u2.dsc
 4d106193a14f9f8e59f3774ea96e5aaa52ac73d2d56d6dd98e020e0e623ab112 51272 
tomcat8_8.0.14-1+deb8u2.debian.tar.xz
 3487873184e02ec0501b52b970709690f1b2fa8cdf720bc780697d7e8ad46e70 55880 
tomcat8-common_8.0.14-1+deb8u2_all.deb
 06e71c527ede4861de94b48a0b04a99bd29db1291d4b30a7dd041c2190bbeef0 45142 
tomcat8_8.0.14-1+deb8u2_all.deb
 b1bf744d29c93b1860dbc16db5a8fcad6a550cee2a86fd28f34ffb024394d799 33036 
tomcat8-user_8.0.14-1+deb8u2_all.deb
 11a373444918763e695aa04a4a33fe0074dda4011288a4fa0d57edcf7ab9223d 4584584 
libtomcat8-java_8.0.14-1+deb8u2_all.deb
 be5ed2c36166f4b51f02d98bfb6747600ea5ac9ee6b18a184babe2dd9ee6b8ee 390458 
libservlet3.1-java_8.0.14-1+deb8u2_all.deb
 c98daa11b3d43f660021d01aad5dde284926f8cc1b6a0388ba35c3d5266ff149 245552 
libservlet3.1-java-doc_8.0.14-1+deb8u2_all.deb
 c379ee6d52c5ca6c6ffb97d85ea8b7c869546f0066a27d83f7848fa1e801ea62 34358 
tomcat8-admin_8.0.14-1+deb8u2_all.deb
 9e3a299922cd7b67d5774daab569ba62f51bb2fcca18fe489161730718c8215b 192676 
tomcat8-examples_8.0.14-1+deb8u2_all.deb
 7b0cb2f7c2615ebbe20d391f0ee151724218b3aea85b7e741a740962d55512fb 687576 
tomcat8-docs_8.0.14-1+deb8u2_all.deb
Files:
 dfdef0ed0d05c31b09cf301c8a49ae07 2842 java optional tomcat8_8.0.14-1+deb8u2.dsc
 8291999432526cfc4e647aa6dc7e9341 51272 java optional 
tomcat8_8.0.14-1+deb8u2.debian.tar.xz
 50cbca4d67aeaac6ee4b27bf19ae073a 55880 java optional 
tomcat8-common_8.0.14-1+deb8u2_all.deb
 0a4e326c9b69f33009afd6939a968ad2 45142 java optional 
tomcat8_8.0.14-1+deb8u2_all.deb
 796badca01fbafc16a29bf81a647a334 33036 java optional 
tomcat8-user_8.0.14-1+deb8u2_all.deb
 76322936a6719b5584f110593f586d86 4584584 java optional 
libtomcat8-java_8.0.14-1+deb8u2_all.deb
 ca2775909a063d901f8ef96b45044a57 390458 java optional 
libservlet3.1-java_8.0.14-1+deb8u2_all.deb
 7d7766df7e13d166ac910da67123997b 245552 doc optional 
libservlet3.1-java-doc_8.0.14-1+deb8u2_all.deb
 bb73870b83bc598af4e39e7706ca98e3 34358 java optional 
tomcat8-admin_8.0.14-1+deb8u2_all.deb
 0b8ac5a78a8031e061b40007bd1198d6 192676 java optional 
tomcat8-examples_8.0.14-1+deb8u2_all.deb
 67d6dafd54b235ea3a8853073ce63fc7 687576 doc optional 
tomcat8-docs_8.0.14-1+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXbZlZAAoJEPUTxBnkudCs1QYP/32hEfPN6zaB7QG4spaDt2uT
LosNci0LNN2mwHc4L2uXWnOFChGFgRyHdGVEDysX6568GqbYkDTcqZGdXbM2lWE2
/dyI7HJRclv05p2whGCYsrXsPEHeLVWnrIDu7RBNWWtCf0FrN/DFKE7c+HW+dh1k
bNfkLQx30Wu36Z9yNmqZZAsqVj/p9AluNomzPBBvb/wgID+q5vwb4gS+GEtRh2cJ
g3mUXnIMtwrfgp+Xy1ma1lb6xZ6EXZAZlbEljQN1m4t0Qqp0A25He4zsjK3Ql32B
Ly2gOl933KjHwyjZKMjptozdyFYXFh72wGYQm0MlTg29G5X+bFS8atUgLLEGOf6z
LQTLrZ9jrrH6k/7uK9kA9Zc8CpJOTKVIhs4nMEPWzXhCQ3cx+Q1PjooCRdVSzAxA
bo5YFvwZkP+IWcpIjSknspnmmYioLY2l5DQvJxspEhmwcBr7FgfdjR+UUZyZs9p9
Qkh3xBrPfjHjoYN42vry0hz4/b9wgmwSmfqTV9s7e5SrpNDA48Hcv44Hgc1DEbyo
IHJK/xqJvl1TPLhtNt0o4Kd2MomsDA0qZLWvSI8fAY9S0J+6goR6CBMRul5tN0XO
xM8wslNbNz7LuA4eI3E7FmCtgdKzAUTWV0Ya69ux+DpWTtwumcXAmRhSwWOQrKZ6
NnvaMaCNt+oZVUNi4thS
=HIQ9
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to