tomcat7 (7.0.52-1ubuntu0.6) trusty-security; urgency=medium
* SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
- debian/patches/CVE-2015-5174.patch: fix normalization edge cases in
java/org/apache/tomcat/util/http/RequestUtil.java,
test/org/apache/tomcat/util/http/TestRequestUtil.java.
- CVE-2015-5174
* SECURITY UPDATE: information disclosure via redirects by mapper
- debian/patches/CVE-2015-5345.patch: fix redirect logic in
java/org/apache/catalina/Context.java,
java/org/apache/catalina/authenticator/FormAuthenticator.java,
java/org/apache/catalina/core/StandardContext.java,
java/org/apache/catalina/core/mbeans-descriptors.xml,
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/servlets/WebdavServlet.java,
java/org/apache/catalina/startup/FailedContext.java,
java/org/apache/tomcat/util/http/mapper/Mapper.java,
test/org/apache/catalina/startup/TomcatBaseTest.java,
webapps/docs/config/context.xml,
test/org/apache/catalina/core/TesterContext.java.
- CVE-2015-5345
* SECURITY UPDATE: session fixation vulnerability
- debian/patches/CVE-2015-5346.patch: handle different session settings
in java/org/apache/catalina/connector/CoyoteAdapter.java,
java/org/apache/catalina/connector/Request.java.
- CVE-2015-5346
* SECURITY UPDATE: CSRF protection mechanism bypass
- debian/patches/CVE-2015-5351.patch: don't create sessions
unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp,
webapps/host-manager/WEB-INF/jsp/403.jsp,
webapps/host-manager/WEB-INF/jsp/404.jsp,
webapps/host-manager/index.jsp,
webapps/manager/WEB-INF/web.xml,
webapps/manager/index.jsp.
- CVE-2015-5351
* SECURITY UPDATE: securityManager restrictions bypass via
StatusManagerServlet
- debian/patches/CVE-2016-0706.patch: place servlet in restricted list
in java/org/apache/catalina/core/RestrictedServlets.properties.
- CVE-2016-0706
* SECURITY UPDATE: securityManager restrictions bypass via
session-persistence implementation
- debian/patches/CVE-2016-0714.patch: extend the session attribute
filtering options in
java/org/apache/catalina/ha/session/ClusterManagerBase.java
java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
java/org/apache/catalina/session/LocalStrings.properties,
java/org/apache/catalina/session/ManagerBase.java,
java/org/apache/catalina/session/StandardManager.java,
java/org/apache/catalina/session/mbeans-descriptors.xml,
java/org/apache/catalina/util/CustomObjectInputStream.java,
java/org/apache/catalina/util/LocalStrings.properties,
webapps/docs/config/cluster-manager.xml,
webapps/docs/config/manager.xml.
- CVE-2016-0714
* SECURITY UPDATE: securityManager restrictions bypass via crafted global
context
- debian/patches/CVE-2016-0763.patch: protect initialization in
java/org/apache/naming/factory/ResourceLinkFactory.java.
- CVE-2016-0763
* SECURITY UPDATE: denial of service in FileUpload
- debian/patches/CVE-2016-3092.patch: properly handle size in
java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
- CVE-2016-3092
* debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing
colons in cookie names which is illegal in newer java versions in
test/org/apache/catalina/authenticator/*.java.
-- Marc Deslauriers <email address hidden> Wed, 29 Jun 2016 12:50:02 -0400
|
CVE-2015-5174 |
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote auth |
CVE-2015-5345 |
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before con |
CVE-2015-5346 |
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are us |
CVE-2015-5351 |
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions a |
CVE-2016-0706 |
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManag |
CVE-2016-0714 |
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles s |
CVE-2016-0763 |
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x befo |
|