tomcat8 (8.0.32-1ubuntu1.3) xenial-security; urgency=medium
* SECURITY UPDATE: timing attack in realm implementations
- debian/patches/CVE-2016-0762.patch: add time delays to
java/org/apache/catalina/realm/DataSourceRealm.java,
java/org/apache/catalina/realm/JDBCRealm.java,
java/org/apache/catalina/realm/MemoryRealm.java,
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2016-0762
* SECURITY UPDATE: SecurityManager bypass via a Tomcat utility method
- debian/patches/CVE-2016-5018.patch: remove unnecessary code in
java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
java/org/apache/jasper/security/SecurityClassLoad.java,
java/org/apache/jasper/servlet/JasperInitializer.java.
- CVE-2016-5018
* SECURITY UPDATE: mitigaton for httpoxy issue
- debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
java/org/apache/catalina/servlets/CGIServlet.java.
- CVE-2016-5388
* SECURITY UPDATE: system properties read SecurityManager bypass
- debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
to the system property replacement feature of the digester in
java/org/apache/catalina/loader/WebappClassLoaderBase.java,
java/org/apache/tomcat/util/digester/Digester.java,
java/org/apache/tomcat/util/security/PermissionCheck.java.
- CVE-2016-6794
* SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
parameters
- debian/patches/CVE-2016-6796.patch: ignore some JSP options when
running under a SecurityManager in conf/web.xml,
java/org/apache/jasper/EmbeddedServletOptions.java,
java/org/apache/jasper/resources/LocalStrings.properties,
java/org/apache/jasper/servlet/JspServlet.java,
webapps/docs/jasper-howto.xml.
- CVE-2016-6796
* SECURITY UPDATE: web application global JNDI resource access
- debian/patches/CVE-2016-6797.patch: ensure that the global resource
is only visible via the ResourceLinkFactory when it is meant to be in
java/org/apache/catalina/core/NamingContextListener.java,
java/org/apache/naming/factory/ResourceLinkFactory.java,
test/org/apache/naming/TestNamingContext.java.
- CVE-2016-6797
* SECURITY UPDATE: HTTP response injection via invalid characters
- debian/patches/CVE-2016-6816.patch: add additional checks for valid
characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/http/parser/HttpParser.java.
- CVE-2016-6816
* SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
- debian/patches/CVE-2016-8735.patch: explicitly configure allowed
credential types in
java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
- CVE-2016-8735
* SECURITY UPDATE: information leakage between requests
- debian/patches/CVE-2016-8745.patch: properly handle cache when unable
to complete sendfile request in
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2016-8745
* SECURITY UPDATE: privilege escalation during package upgrade
- debian/rules, debian/tomcat8.postinst: properly set permissions on
/etc/tomcat8/Catalina/localhost.
- CVE-2016-9774
* SECURITY UPDATE: privilege escalation during package removal
- debian/tomcat8.postrm.in: don't reset permissions before removing
user.
- CVE-2016-9775
* debian/tomcat8.init: further hardening.
Date: 2017-01-18 13:32:09.679525+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.3
Sorry, changesfile not available.
--
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/xenial-changes
