tomcat6 (6.0.45+dfsg-1) unstable; urgency=medium
* Team upload.
* Imported Upstream version 6.0.45+dfsg.
- Remove all prebuilt jar files.
* Declare compliance with Debian Policy 3.9.7.
* Vcs-fields: Use https.
* This update fixes the following security vulnerabilities in the source
package. Since src:tomcat6 only builds libservlet2.5-java and
documentation, users are not directly affected.
- CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
- CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
processes redirects before considering security constraints and Filters.
- CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties list which allows
remote authenticated users to bypass intended SecurityManager
restrictions.
- CVE-2016-0714: The session-persistence implementation in Apache Tomcat
before 6.0.45 mishandles session attributes, which allows remote
authenticated users to bypass intended SecurityManager restrictions.
- CVE-2016-0763: The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
not consider whether ResourceLinkFactory.setGlobalContext callers are
authorized, which allows remote authenticated users to bypass intended
SecurityManager restrictions and read or write to arbitrary application
data, or cause a denial of service (application disruption), via a web
application that sets a crafted global context.
- CVE-2015-5351: The Manager and Host Manager applications in
Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
requests, which allows remote attackers to bypass a CSRF protection
mechanism by using a token.
Date: 2016-02-27 22:25:46.441019+00:00
Changed-By: Debian Java Maintainers
<pkg-java-maintain...@lists.alioth.debian.org>
Signed-By: Matthias Klose <d...@ubuntu.com>
https://launchpad.net/ubuntu/+source/tomcat6/6.0.45+dfsg-1
Sorry, changesfile not available.
--
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/xenial-changes