Package : tomcat6
Version : 6.0.45-1~deb6u1
CVE ID : CVE-2015-5174 CVE-2015-5345 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

Tomcat 6, an implementation of the Java Servlet and JavaServer Pages (JSP) specifications and a pure Java web server environment, was affected by multiple security issues prior to version 6.0.45.

CVE-2015-5174

    Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

CVE-2015-5345

    The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

CVE-2015-5351

    The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

CVE-2016-0706

    Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

CVE-2016-0714

    The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

CVE-2016-0763

    The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

For Debian 6 "Squeeze", these problems have been fixed in version 6.0.45-1~deb6u1.

We recommend that you upgrade your tomcat6 packages.
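To decide whether an installed tomcat6 still needs this upgrade, the installed version has to be ordered against 6.0.45-1~deb6u1 with Debian's rules, where a `~` suffix sorts below the bare revision. The following is an added example, not part of the advisory or of dpkg: a small re-implementation of dpkg's version ordering (epoch, upstream, Debian revision) with the fixed version from this advisory as the threshold; the installed version strings in the tests are constructed.

```python
import re
from itertools import zip_longest

FIXED_TOMCAT6 = "6.0.45-1~deb6u1"  # fixed version stated in the advisory
_RUNS = re.compile(r"(\D*)(\d*)")   # alternating non-digit / digit runs

def _weight(c: str) -> int:
    """dpkg character weight: '~' < end of string < letters < other symbols."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a: str, b: str) -> int:
    """Compare one upstream or revision string the way dpkg's verrevcmp() does."""
    for (na, da), (nb, db) in zip_longest(_RUNS.findall(a), _RUNS.findall(b),
                                          fillvalue=("", "")):
        # Non-digit run, character by character; the shorter run is padded with
        # end of string (weight 0), which is why "1~deb6u1" sorts below "1".
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return _weight(ca) - _weight(cb)
        # Digit run: numeric comparison (leading zeros ignored, empty counts as 0).
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    c = (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (c > 0) - (c < 0)

def is_vulnerable(installed: str, fixed: str = FIXED_TOMCAT6) -> bool:
    """True when the installed tomcat6 version predates the fixed version."""
    return compare_versions(installed, fixed) < 0
```

On a live Squeeze host, `dpkg-query -W -f='${Version}' tomcat6` prints the installed string, and `dpkg --compare-versions` is the authoritative comparison this code mirrors.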