Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 12 Nov 2016 00:06:36 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 842662 842663 842664 842665 842666
Changes:
 tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
 .
   * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
     password if the supplied user name did not exist. This made a timing attack
     possible to determine valid user names. (Closes: #842662)
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
     accessible to web applications. (Closes: #842663)
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
     configuration files could be used by a malicious web application to bypass
     the SecurityManager and read system properties that should not be visible.
     (Closes: #842664)
   * Fixed CVE-2016-6796: A malicious web application was able to bypass
     a configured SecurityManager via manipulation of the configuration
     parameters for the JSP Servlet. (Closes: #842665)
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
     access to global JNDI resources to those resources explicitly linked to the
     web application. Therefore, it was possible for a web application to access
     any global JNDI resource whether an explicit ResourceLink had been
     configured or not. (Closes: #842666)
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
       Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a similar
       vulnerability that could be exploited to overwrite any file on the system.
       Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo
Checksums-Sha1:
 3be5b51e5c1484c8725b982843be3b7b52f51334 2758 tomcat7_7.0.56-3+deb8u5.dsc
 194bd5bbb526845798dbc333bd2e29331e4371b8 86864 tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 8fd9159194ee71dc11dd1dc80a2683f3467bd38b 62706 tomcat7-common_7.0.56-3+deb8u5_all.deb
 18371f7fcbabed3cc688b2dbd6286f0bf7f263ce 51704 tomcat7_7.0.56-3+deb8u5_all.deb
 59890bb1c4a5bb2508672e261f1e15ec1a011058 39160 tomcat7-user_7.0.56-3+deb8u5_all.deb
 963d1d9f3f80d007c040214bade6b050ba9d31e2 3624706 libtomcat7-java_7.0.56-3+deb8u5_all.deb
 47a8460861fa939473edf20228c7596ab87aa0ed 314968 libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 73fe30da8d5e7011b30dae608999a59063d3c351 205802 libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 ef75bfaa088ca3ed2175cf10b71b582d2478efe9 40154 tomcat7-admin_7.0.56-3+deb8u5_all.deb
 f795705b3cb876185425833a42b13466c2efba52 198344 tomcat7-examples_7.0.56-3+deb8u5_all.deb
 dce737471448b07e2a3631c88de993aae7d95875 604986 tomcat7-docs_7.0.56-3+deb8u5_all.deb
Checksums-Sha256:
 1419ee2e6bc3603de69b9eea7aae28c885e59d2c654e9a4f70a28f1a3feb2078 2758 tomcat7_7.0.56-3+deb8u5.dsc
 edd0b3e02c76551f010ae3d36be238438b032e9704aedce8d14222ecd4189235 86864 tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 9bd19853053ee5b12445d111d6f62a3a10f8a619c6c9ab523801e36eb9f7b2a1 62706 tomcat7-common_7.0.56-3+deb8u5_all.deb
 9745cc9ac52cdd750f0f6fddb39bcc941c9e756e3ce42dd4a3d65f73ef528ef0 51704 tomcat7_7.0.56-3+deb8u5_all.deb
 0c9ca99681562296f1ed83cd4de7254e912e821f5700a5bd8a937dafd403658f 39160 tomcat7-user_7.0.56-3+deb8u5_all.deb
 749ec2662389349fcfa4f044993e57f00f24efdcf24f58a49dd1a4bb80f317e0 3624706 libtomcat7-java_7.0.56-3+deb8u5_all.deb
 17b2e3b9ce99d909a4ad6ba1e39c70c3d446113223f8014fd53394cdb4ab966f 314968 libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 b501588b7a5cc8950d01fdd1c851bfbe22f02f9f43ef5e2d65e5d20de84f6249 205802 libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 6f67113fd5df568079991a7532eb0d2f43e0a333035518aad0f4a0916a41da71 40154 tomcat7-admin_7.0.56-3+deb8u5_all.deb
 7f775e1a5b2be96d731aff9ec41c319926706ea57ddcd3964e23165f5becb6dd 198344 tomcat7-examples_7.0.56-3+deb8u5_all.deb
 ca6142ab576d0c0512c9f3bd607cc53cf02234169c7b94a461fddd7241598144 604986 tomcat7-docs_7.0.56-3+deb8u5_all.deb
Files:
 cc6e36ca896e291a3e7bfcc124680050 2758 java optional tomcat7_7.0.56-3+deb8u5.dsc
 babcf5ba95e2c199308022b2cf544f3d 86864 java optional tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 3c9c33dc284943c17984277829f7767b 62706 java optional tomcat7-common_7.0.56-3+deb8u5_all.deb
 5e67cb0d8fe76aebde9221e7c8d76594 51704 java optional tomcat7_7.0.56-3+deb8u5_all.deb
 1fe6f733393e7f4bd0f84f120ec06e22 39160 java optional tomcat7-user_7.0.56-3+deb8u5_all.deb
 73ff0ead1ea15e82c2a6f47aab0f0711 3624706 java optional libtomcat7-java_7.0.56-3+deb8u5_all.deb
 b2885a2e3d99624ec559c376b1fb528e 314968 java optional libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 8ccf701c0d39fc028e364ba26b5e8000 205802 doc optional libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 247f4d2ef0e922f803fd2f55369a33be 40154 java optional tomcat7-admin_7.0.56-3+deb8u5_all.deb
 3d9d118ce4792cc8aa0c27e39c213068 198344 java optional tomcat7-examples_7.0.56-3+deb8u5_all.deb
 6ad23aab958c56299dcca0bc6dd4349b 604986 doc optional tomcat7-docs_7.0.56-3+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
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=9PrN
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.
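The first changelog entry above (CVE-2016-0762) describes a realm that returned early when the user name was unknown, so the password-processing step only ran for existing users and response time revealed which names were valid. The following is an added illustration of that pattern and the usual fix; it is not Tomcat's realm code or part of the Debian upload. The class name `ConstantWorkRealm`, the method names and the sample user are hypothetical, and SHA-256 stands in for the slow password hash a real realm would use (with a slow hash the skipped work, and therefore the timing gap, is far larger).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Hypothetical realm used to illustrate CVE-2016-0762-style timing leaks.
// Not Tomcat's code; names and data are constructed for this example.
public final class ConstantWorkRealm {
    private final Map<String, byte[]> users;  // user name -> stored digest
    private final byte[] dummyDigest;          // compared against when the user is unknown

    public ConstantWorkRealm(Map<String, byte[]> users) {
        this.users = users;
        // Constructed placeholder credential; it never matches a real password.
        this.dummyDigest = digest("constructed-dummy-credential");
    }

    // SHA-256 stands in for a slow password hash; the pattern is the same.
    static byte[] digest(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Leaky shape: the unknown-user path returns before any digest work,
    // so it is measurably faster than a wrong password for a known user.
    public boolean authenticateLeaky(String user, String password) {
        byte[] stored = users.get(user);
        if (stored == null) {
            return false;
        }
        return MessageDigest.isEqual(stored, digest(password));
    }

    // Hardened shape: digest the supplied password on every call and compare
    // it against the stored digest or, for an unknown user, the dummy digest.
    // Both paths do the same work and the result is combined without
    // short-circuiting, so timing no longer distinguishes the two cases.
    public boolean authenticate(String user, String password) {
        byte[] stored = users.get(user);
        boolean exists = stored != null;
        byte[] target = exists ? stored : dummyDigest;
        boolean match = MessageDigest.isEqual(target, digest(password));
        return exists & match;  // '&' rather than '&&' on purpose
    }

    // Rough wall-clock measurement of one call repeated many times, in nanoseconds.
    static long measureNanos(Runnable r, int iterations) {
        long start = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            r.run();
        }
        return System.nanoTime() - start;
    }

    public static void main(String[] args) {
        Map<String, byte[]> users = new HashMap<>();
        users.put("alice", digest("correct-horse"));  // constructed sample user
        ConstantWorkRealm realm = new ConstantWorkRealm(users);

        System.out.println("alice/correct:   " + realm.authenticate("alice", "correct-horse"));
        System.out.println("alice/wrong:     " + realm.authenticate("alice", "wrong"));
        System.out.println("nobody/wrong:    " + realm.authenticate("nobody", "wrong"));

        // Compare the cost of a wrong password for a known user against an
        // unknown user, for both shapes. The leaky shape shows a clear gap;
        // the hardened shape does not.
        int n = 200_000;
        long leakyKnown   = measureNanos(() -> realm.authenticateLeaky("alice", "wrong"), n);
        long leakyUnknown = measureNanos(() -> realm.authenticateLeaky("nobody", "wrong"), n);
        long fixedKnown   = measureNanos(() -> realm.authenticate("alice", "wrong"), n);
        long fixedUnknown = measureNanos(() -> realm.authenticate("nobody", "wrong"), n);
        System.out.printf("leaky:    known %d ns, unknown %d ns%n", leakyKnown, leakyUnknown);
        System.out.printf("hardened: known %d ns, unknown %d ns%n", fixedKnown, fixedUnknown);
    }
}
```

The measurement in `main` is a local self-check of the kind a maintainer would run when backporting such a fix: the two hardened timings should be close, while the leaky unknown-user path is visibly cheaper. Absolute numbers depend on the JVM and machine and are not meaningful on their own.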

__
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.