Your message dated Wed, 23 Nov 2016 19:32:09 +0000
with message-id <e1c9dh7-0002so...@fasolo.debian.org>
and subject line Bug#842662: fixed in tomcat7 7.0.56-3+deb8u5
has caused the Debian Bug report #842662,
regarding CVE-2016-0762: Apache Tomcat Realm Timing Attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
842662: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842662
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat7
Severity: importantx
Tags: security

Hi,

the following vulnerability was published for tomcat7.

CVE-2016-0762[0]:
Apache Tomcat Realm Timing Attack

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-0762
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762
Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: tomcat7
Source-Version: 7.0.56-3+deb8u5

We believe that the bug you reported is fixed in the latest version of
tomcat7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tomcat7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 12 Nov 2016 00:06:36 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java 
libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 842662 842663 842664 842665 842666
Changes:
 tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
 .
   * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
     password if the supplied user name did not exist. This made a timing attack
     possible to determine valid user names. (Closes: #842662)
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
     accessible to web applications. (Closes: #842663)
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
     configuration files could be used by a malicious web application to bypass
     the SecurityManager and read system properties that should not be visible.
     (Closes: #842664)
   * Fixed CVE-2016-6796: A malicious web application was able to bypass
     a configured SecurityManager via manipulation of the configuration
     parameters for the JSP Servlet. (Closes: #842665)
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
     access to global JNDI resources to those resources explicitly linked to the
     web application. Therefore, it was possible for a web application to access
     any global JNDI resource whether an explicit ResourceLink had been
     configured or not. (Closes: #842666)
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
       Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a similar
       vulnerability that could be exploited to overwrite any file on the 
system.
       Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo
Checksums-Sha1:
 3be5b51e5c1484c8725b982843be3b7b52f51334 2758 tomcat7_7.0.56-3+deb8u5.dsc
 194bd5bbb526845798dbc333bd2e29331e4371b8 86864 
tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 8fd9159194ee71dc11dd1dc80a2683f3467bd38b 62706 
tomcat7-common_7.0.56-3+deb8u5_all.deb
 18371f7fcbabed3cc688b2dbd6286f0bf7f263ce 51704 tomcat7_7.0.56-3+deb8u5_all.deb
 59890bb1c4a5bb2508672e261f1e15ec1a011058 39160 
tomcat7-user_7.0.56-3+deb8u5_all.deb
 963d1d9f3f80d007c040214bade6b050ba9d31e2 3624706 
libtomcat7-java_7.0.56-3+deb8u5_all.deb
 47a8460861fa939473edf20228c7596ab87aa0ed 314968 
libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 73fe30da8d5e7011b30dae608999a59063d3c351 205802 
libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 ef75bfaa088ca3ed2175cf10b71b582d2478efe9 40154 
tomcat7-admin_7.0.56-3+deb8u5_all.deb
 f795705b3cb876185425833a42b13466c2efba52 198344 
tomcat7-examples_7.0.56-3+deb8u5_all.deb
 dce737471448b07e2a3631c88de993aae7d95875 604986 
tomcat7-docs_7.0.56-3+deb8u5_all.deb
Checksums-Sha256:
 1419ee2e6bc3603de69b9eea7aae28c885e59d2c654e9a4f70a28f1a3feb2078 2758 
tomcat7_7.0.56-3+deb8u5.dsc
 edd0b3e02c76551f010ae3d36be238438b032e9704aedce8d14222ecd4189235 86864 
tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 9bd19853053ee5b12445d111d6f62a3a10f8a619c6c9ab523801e36eb9f7b2a1 62706 
tomcat7-common_7.0.56-3+deb8u5_all.deb
 9745cc9ac52cdd750f0f6fddb39bcc941c9e756e3ce42dd4a3d65f73ef528ef0 51704 
tomcat7_7.0.56-3+deb8u5_all.deb
 0c9ca99681562296f1ed83cd4de7254e912e821f5700a5bd8a937dafd403658f 39160 
tomcat7-user_7.0.56-3+deb8u5_all.deb
 749ec2662389349fcfa4f044993e57f00f24efdcf24f58a49dd1a4bb80f317e0 3624706 
libtomcat7-java_7.0.56-3+deb8u5_all.deb
 17b2e3b9ce99d909a4ad6ba1e39c70c3d446113223f8014fd53394cdb4ab966f 314968 
libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 b501588b7a5cc8950d01fdd1c851bfbe22f02f9f43ef5e2d65e5d20de84f6249 205802 
libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 6f67113fd5df568079991a7532eb0d2f43e0a333035518aad0f4a0916a41da71 40154 
tomcat7-admin_7.0.56-3+deb8u5_all.deb
 7f775e1a5b2be96d731aff9ec41c319926706ea57ddcd3964e23165f5becb6dd 198344 
tomcat7-examples_7.0.56-3+deb8u5_all.deb
 ca6142ab576d0c0512c9f3bd607cc53cf02234169c7b94a461fddd7241598144 604986 
tomcat7-docs_7.0.56-3+deb8u5_all.deb
Files:
 cc6e36ca896e291a3e7bfcc124680050 2758 java optional tomcat7_7.0.56-3+deb8u5.dsc
 babcf5ba95e2c199308022b2cf544f3d 86864 java optional 
tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 3c9c33dc284943c17984277829f7767b 62706 java optional 
tomcat7-common_7.0.56-3+deb8u5_all.deb
 5e67cb0d8fe76aebde9221e7c8d76594 51704 java optional 
tomcat7_7.0.56-3+deb8u5_all.deb
 1fe6f733393e7f4bd0f84f120ec06e22 39160 java optional 
tomcat7-user_7.0.56-3+deb8u5_all.deb
 73ff0ead1ea15e82c2a6f47aab0f0711 3624706 java optional 
libtomcat7-java_7.0.56-3+deb8u5_all.deb
 b2885a2e3d99624ec559c376b1fb528e 314968 java optional 
libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 8ccf701c0d39fc028e364ba26b5e8000 205802 doc optional 
libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 247f4d2ef0e922f803fd2f55369a33be 40154 java optional 
tomcat7-admin_7.0.56-3+deb8u5_all.deb
 3d9d118ce4792cc8aa0c27e39c213068 198344 java optional 
tomcat7-examples_7.0.56-3+deb8u5_all.deb
 6ad23aab958c56299dcca0bc6dd4349b 604986 doc optional 
tomcat7-docs_7.0.56-3+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJYJk+aAAoJEPUTxBnkudCsRP4P/Aozh7hvv71FEFpiRyQ/p3mX
45XN3oD2Oqy3SKHMYSoJuiBHm6SCfq9WNpJiFD9TnaYuFWMMzXXg6z2PRpuQP1Mn
zwsx5/xEBk2XUHwj3eQdZpCzki5weY/+zIAb15mbQ89oM59sEBFH+bj9Hg1+gHvn
eFSb8kLl2OtDzTaA198PAh/IT8Ohn4IXHKkQdyroZ5eiYgpVAuO4KoDtj7HiHAYc
NayBV9xpjPTfZEUkmOQXZc9ZTR8pFxyKhRJa9vG4u4Gs9TtqRVqdk3W5z/WpNdgw
RCtp1ZDIkcckCDcG2IOp7rQ5SM9Pl1jDwGDPGQQykMRjfPPEVu3HIY/ZcFWDkESH
ZBC/Z/Q6urLXHQHNv83hqbqnCErXZ1p/+Bn84KrLiyOhIv4B0E6pswVWxmgRQX5Y
A2dwW4lzdnxHiwiHQBB2pwZBUxx1xtzlqs2LmwqvrrjmK43DYfnmECxUbiAO08QS
N9gnKLwOQwn/Y8LUYnzwplfG0TsWlfTl8UQ2EIMTYYG7LKbBv3BZ1+mvKjxSkB+1
pWhnSzLeKQvDDzEJlDhgeXOY2+cg/mG52Wj5XclrpeEdLfNOXkLzDMcywlXZBCzP
pSQico14k3c8h3m7dsbXcKaAn0t449m/B0ZhvNiK733GDMprT3zdoE6goEn8BQmK
4Z5ceCFcpbOgbjrrPo/E
=9PrN
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to