Public bug reported:

Please sync tomcat8 8.0.36-3 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat8.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

Fixed in Debian

Changelog entries since current yakkety version 8.0.36-2ubuntu1:

tomcat8 (8.0.36-3) unstable; urgency=high

  * Team upload.
  * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
    attackers who have gained access to the server in the context of the
    tomcat user through a vulnerability in a web application to replace
    the catalina.out file with a symlink to an arbitrary file on the system,
    potentially leading to a root privilege escalation.
    Thanks to Dawid Golunski for the report.
  * Removed the default 128M heap limit (LP: #568823)
  * Depend on taglibs-standard instead of jakarta-taglibs-standard

 -- Emmanuel Bourg <>  Wed, 14 Sep 2016 10:20:28 +0200

** Affects: tomcat8 (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: tomcat8 (Ubuntu)
   Importance: Undecided => Wishlist

You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

  Sync tomcat8 8.0.36-3 (main) from Debian unstable (main)

To manage notifications about this bug go to:

ubuntu-bugs mailing list

Reply via email to