Your message dated Wed, 23 Nov 2016 19:32:09 +0000
with message-id <e1c9dh7-0002su...@fasolo.debian.org>
and subject line Bug#842663: fixed in tomcat7 7.0.56-3+deb8u5
has caused the Debian Bug report #842663,
regarding CVE-2016-5018: Apache Tomcat Security Manager Bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
842663: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842663
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat7
Severity: important
Tags: security

Hi,

the following vulnerability was published for tomcat7.

CVE-2016-5018[0]:
Apache Tomcat Security Manager Bypass

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5018
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018
Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: tomcat7
Source-Version: 7.0.56-3+deb8u5

We believe that the bug you reported is fixed in the latest version of
tomcat7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tomcat7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 12 Nov 2016 00:06:36 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 842662 842663 842664 842665 842666
Changes:
 tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
 .
   * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
     password if the supplied user name did not exist. This made a timing attack
     possible to determine valid user names. (Closes: #842662)
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
     accessible to web applications. (Closes: #842663)
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
     configuration files could be used by a malicious web application to bypass
     the SecurityManager and read system properties that should not be visible.
     (Closes: #842664)
   * Fixed CVE-2016-6796: A malicious web application was able to bypass
     a configured SecurityManager via manipulation of the configuration
     parameters for the JSP Servlet. (Closes: #842665)
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
     access to global JNDI resources to those resources explicitly linked to the
     web application. Therefore, it was possible for a web application to access
     any global JNDI resource whether an explicit ResourceLink had been
     configured or not. (Closes: #842666)
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
       Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a similar
       vulnerability that could be exploited to overwrite any file on the system.
       Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo
Checksums-Sha1:
 3be5b51e5c1484c8725b982843be3b7b52f51334 2758 tomcat7_7.0.56-3+deb8u5.dsc
 194bd5bbb526845798dbc333bd2e29331e4371b8 86864 tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 8fd9159194ee71dc11dd1dc80a2683f3467bd38b 62706 tomcat7-common_7.0.56-3+deb8u5_all.deb
 18371f7fcbabed3cc688b2dbd6286f0bf7f263ce 51704 tomcat7_7.0.56-3+deb8u5_all.deb
 59890bb1c4a5bb2508672e261f1e15ec1a011058 39160 tomcat7-user_7.0.56-3+deb8u5_all.deb
 963d1d9f3f80d007c040214bade6b050ba9d31e2 3624706 libtomcat7-java_7.0.56-3+deb8u5_all.deb
 47a8460861fa939473edf20228c7596ab87aa0ed 314968 libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 73fe30da8d5e7011b30dae608999a59063d3c351 205802 libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 ef75bfaa088ca3ed2175cf10b71b582d2478efe9 40154 tomcat7-admin_7.0.56-3+deb8u5_all.deb
 f795705b3cb876185425833a42b13466c2efba52 198344 tomcat7-examples_7.0.56-3+deb8u5_all.deb
 dce737471448b07e2a3631c88de993aae7d95875 604986 tomcat7-docs_7.0.56-3+deb8u5_all.deb
Checksums-Sha256:
 1419ee2e6bc3603de69b9eea7aae28c885e59d2c654e9a4f70a28f1a3feb2078 2758 tomcat7_7.0.56-3+deb8u5.dsc
 edd0b3e02c76551f010ae3d36be238438b032e9704aedce8d14222ecd4189235 86864 tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 9bd19853053ee5b12445d111d6f62a3a10f8a619c6c9ab523801e36eb9f7b2a1 62706 tomcat7-common_7.0.56-3+deb8u5_all.deb
 9745cc9ac52cdd750f0f6fddb39bcc941c9e756e3ce42dd4a3d65f73ef528ef0 51704 tomcat7_7.0.56-3+deb8u5_all.deb
 0c9ca99681562296f1ed83cd4de7254e912e821f5700a5bd8a937dafd403658f 39160 tomcat7-user_7.0.56-3+deb8u5_all.deb
 749ec2662389349fcfa4f044993e57f00f24efdcf24f58a49dd1a4bb80f317e0 3624706 libtomcat7-java_7.0.56-3+deb8u5_all.deb
 17b2e3b9ce99d909a4ad6ba1e39c70c3d446113223f8014fd53394cdb4ab966f 314968 libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 b501588b7a5cc8950d01fdd1c851bfbe22f02f9f43ef5e2d65e5d20de84f6249 205802 libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 6f67113fd5df568079991a7532eb0d2f43e0a333035518aad0f4a0916a41da71 40154 tomcat7-admin_7.0.56-3+deb8u5_all.deb
 7f775e1a5b2be96d731aff9ec41c319926706ea57ddcd3964e23165f5becb6dd 198344 tomcat7-examples_7.0.56-3+deb8u5_all.deb
 ca6142ab576d0c0512c9f3bd607cc53cf02234169c7b94a461fddd7241598144 604986 tomcat7-docs_7.0.56-3+deb8u5_all.deb
Files:
 cc6e36ca896e291a3e7bfcc124680050 2758 java optional tomcat7_7.0.56-3+deb8u5.dsc
 babcf5ba95e2c199308022b2cf544f3d 86864 java optional tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 3c9c33dc284943c17984277829f7767b 62706 java optional tomcat7-common_7.0.56-3+deb8u5_all.deb
 5e67cb0d8fe76aebde9221e7c8d76594 51704 java optional tomcat7_7.0.56-3+deb8u5_all.deb
 1fe6f733393e7f4bd0f84f120ec06e22 39160 java optional tomcat7-user_7.0.56-3+deb8u5_all.deb
 73ff0ead1ea15e82c2a6f47aab0f0711 3624706 java optional libtomcat7-java_7.0.56-3+deb8u5_all.deb
 b2885a2e3d99624ec559c376b1fb528e 314968 java optional libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 8ccf701c0d39fc028e364ba26b5e8000 205802 doc optional libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 247f4d2ef0e922f803fd2f55369a33be 40154 java optional tomcat7-admin_7.0.56-3+deb8u5_all.deb
 3d9d118ce4792cc8aa0c27e39c213068 198344 java optional tomcat7-examples_7.0.56-3+deb8u5_all.deb
 6ad23aab958c56299dcca0bc6dd4349b 604986 doc optional tomcat7-docs_7.0.56-3+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
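The CVE-2016-0762 entry in the changelog above describes a Realm that skipped password processing whenever the user name did not exist, so a login attempt for an unknown user returned measurably faster than one for a known user. The snippet below is an added illustration of that defect and of the usual fix (always perform the credential check, against a dummy credential when the user is unknown); it is constructed for this note and is not Tomcat's Realm code or the Debian patch. The Realm class, its user store, and the instrumented hash counter are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Reduced iteration count so the demo runs quickly; production code uses more.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; deliberately slow, like a real realm."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class Realm:
    """Toy user store (constructed for this example, not Tomcat's Realm)."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}
        # Dummy credential: lets the fixed path spend the same effort on an
        # unknown user as on a known one, so timing no longer reveals existence.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("placeholder-never-accepted", self._dummy_salt)
        # Instrumentation: how many expensive verifications ran (stands in for
        # wall-clock time, which is what an attacker would actually measure).
        self.hash_calls = 0

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def _verify(self, password: str, salt: bytes, expected: bytes) -> bool:
        self.hash_calls += 1
        # Constant-time comparison of the derived key against the stored one.
        return hmac.compare_digest(hash_password(password, salt), expected)

    def authenticate_vulnerable(self, username: str, password: str) -> bool:
        """Pattern described for CVE-2016-0762: unknown user -> no hashing at all."""
        cred = self._users.get(username)
        if cred is None:
            return False  # early return skips the slow step: observable timing gap
        salt, expected = cred
        return self._verify(password, salt, expected)

    def authenticate_fixed(self, username: str, password: str) -> bool:
        """Fixed pattern: do the same work for unknown users, then reject."""
        cred = self._users.get(username)
        if cred is None:
            # Burn the same PBKDF2 cost against the dummy credential; the
            # result is discarded and the request is always rejected.
            self._verify(password, self._dummy_salt, self._dummy_hash)
            return False
        salt, expected = cred
        return self._verify(password, salt, expected)


def compare_work_per_path() -> dict[str, int]:
    """Count verifications for an unknown user under each implementation."""
    realm = Realm()
    realm.add_user("alice", "correct horse battery staple")  # constructed user
    before = realm.hash_calls
    realm.authenticate_vulnerable("nobody", "anything")
    vulnerable_calls = realm.hash_calls - before
    before = realm.hash_calls
    realm.authenticate_fixed("nobody", "anything")
    fixed_calls = realm.hash_calls - before
    return {"vulnerable": vulnerable_calls, "fixed": fixed_calls}


if __name__ == "__main__":
    print(compare_work_per_path())  # vulnerable path does 0 hashes, fixed path does 1
```

The counter is a deterministic stand-in for the timing side channel: with the vulnerable path, an unknown-user login costs zero PBKDF2 computations and a known-user login costs one, which is the difference a remote attacker can measure. The fixed path makes both cost one, and the password comparison itself uses hmac.compare_digest so the comparison step does not leak either.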
-- 
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.