Package "tomcat7"

Name:	tomcat7
Description:	This package is just an umbrella for a group of other packages, it has no description. Description samples from packages in group: Servlet and JSP engine -- tools to create user instances
Latest version:	7.0.52-1ubuntu0.16
Release:	trusty (14.04)
Level:	updates
Repository:	universe

Links

Raw Package Information

All versions of this package

Bug fixes

List of files in package

Repository home page

Other versions of "tomcat7" in Trusty

Repository	Area	Version
base	universe	7.0.52-1
base	main	7.0.52-1
security	universe	7.0.52-1ubuntu0.16
security	main	7.0.52-1ubuntu0.16
updates	main	7.0.52-1ubuntu0.16

Packages in group

Deleted packages are displayed in grey.

tomcat7-user

Changelog

Version: 7.0.52-1ubuntu0.10 2017-02-20 20:07:13 UTC

tomcat7 (7.0.52-1ubuntu0.10) trusty-security; urgency=medium * SECURITY UPDATE: DoS via CPU consumption (LP: #1663318) - debian/patches/CVE-2017-6056.patch: fix infinite loop in java/org/apache/coyote/http11/AbstractInputBuffer.java. - CVE-2017-6056 -- Marc Deslauriers <email address hidden> Fri, 17 Feb 2017 08:51:12 -0500

Source diff to previous version

1663318	Tomcat 7 keeps using 100% CPU after sending an invalid HTTP request
CVE-2017-6056	It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of se

Version: 7.0.52-1ubuntu0.9 2017-02-02 17:06:47 UTC

tomcat7 (7.0.52-1ubuntu0.9) trusty-security; urgency=medium * SECURITY REGRESSION: security manager startup issue (LP: #1659589) - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch: update to new /var/lib/tomcat7/policy location. - debian/tomcat7.postrm.in: remove policy directory. -- Marc Deslauriers <email address hidden> Wed, 01 Feb 2017 10:40:22 -0500

Source diff to previous version

1659589

tomcat7 7.0.52-1ubuntu0.8 crashes on startup with TOMCAT7_SECURITY=yes

Version: 7.0.52-1ubuntu0.8 2017-01-23 21:06:51 UTC

tomcat7 (7.0.52-1ubuntu0.8) trusty-security; urgency=medium * SECURITY UPDATE: SecurityManager bypass via a utility method - debian/patches/CVE-2016-5018.patch: remove unnecessary code in java/org/apache/jasper/compiler/JspRuntimeContext.java, java/org/apache/jasper/runtime/JspRuntimeLibrary.java, java/org/apache/jasper/security/SecurityClassLoad.java. - CVE-2016-5018 * SECURITY UPDATE: mitigaton for httpoxy issue - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization parameter to conf/web.xml, webapps/docs/cgi-howto.xml, java/org/apache/catalina/servlets/CGIServlet.java. - CVE-2016-5388 * SECURITY UPDATE: system properties read SecurityManager bypass - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection to the system property replacement feature of the digester in java/org/apache/catalina/loader/WebappClassLoader.java, java/org/apache/tomcat/util/digester/Digester.java, java/org/apache/tomcat/util/security/PermissionCheck.java. - CVE-2016-6794 * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration parameters - debian/patches/CVE-2016-6796.patch: ignore some JSP options when running under a SecurityManager in conf/web.xml, java/org/apache/jasper/EmbeddedServletOptions.java, java/org/apache/jasper/resources/LocalStrings.properties, java/org/apache/jasper/servlet/JspServlet.java, webapps/docs/jasper-howto.xml. - CVE-2016-6796 * SECURITY UPDATE: web application global JNDI resource access - debian/patches/CVE-2016-6797.patch: ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be in java/org/apache/catalina/core/NamingContextListener.java, java/org/apache/naming/factory/ResourceLinkFactory.java, test/org/apache/naming/TestNamingContext.java. - CVE-2016-6797 * SECURITY UPDATE: HTTP response injection via invalid characters - debian/patches/CVE-2016-6816.patch: add additional checks for valid characters in java/org/apache/coyote/http11/AbstractInputBuffer.java, java/org/apache/coyote/http11/AbstractNioInputBuffer.java, java/org/apache/coyote/http11/InternalAprInputBuffer.java, java/org/apache/coyote/http11/InternalInputBuffer.java, java/org/apache/coyote/http11/LocalStrings.properties, java/org/apache/tomcat/util/http/parser/HttpParser.java. - CVE-2016-6816 * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener - debian/patches/CVE-2016-8735-pre.patch: remove the restriction that prevented the use of SSL when specifying a bind address in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java, java/org/apache/catalina/mbeans/LocalStrings.properties, webapps/docs/config/listeners.xml. - debian/patches/CVE-2016-8735.patch: explicitly configure allowed credential types in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java. - CVE-2016-8735 * SECURITY UPDATE: information leakage between requests - debian/patches/CVE-2016-8745.patch: properly handle cache when unable to complete sendfile request in java/org/apache/tomcat/util/net/NioEndpoint.java. - CVE-2016-8745 * SECURITY UPDATE: privilege escalation during package upgrade - debian/rules, debian/tomcat7.postinst: properly set permissions on /etc/tomcat7/Catalina/localhost. - CVE-2016-9774 * SECURITY UPDATE: privilege escalation during package removal - debian/tomcat7.postrm.in: don't reset permissions before removing user. - CVE-2016-9775 * debian/tomcat7.init: further hardening. -- Marc Deslauriers <email address hidden> Thu, 19 Jan 2017 12:38:29 -0500

Source diff to previous version

CVE-2016-5018	Apache Tomcat Security Manager Bypass
CVE-2016-5388	Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the pr
CVE-2016-6794	Apache Tomcat System Property Disclosure
CVE-2016-6796	Apache Tomcat Security Manager Bypass
CVE-2016-6797	Apache Tomcat Unrestricted Access to Global Resources
CVE-2016-6816	information disclosure
CVE-2016-8735	remote code execution
CVE-2016-9774	tomcat8: privilege escalation during package upgrade
CVE-2016-9775	tomcat8: privilege escalation during package removal

Version: 7.0.52-1ubuntu0.7 2016-09-19 20:06:29 UTC

tomcat7 (7.0.52-1ubuntu0.7) trusty-security; urgency=medium * SECURITY UPDATE: privilege escalation via insecure init script - debian/tomcat7.init: don't follow symlinks when handling the catalina.out file. - CVE-2016-1240 * SECURITY REGRESSION: change in behaviour after security update (LP: #1609819) - debian/patches/CVE-2015-5345-2.patch: fix using the new mapperContextRootRedirectEnabled option in java/org/apache/catalina/connector/MapperListener.java, change mapperContextRootRedirectEnabled default to true in java/org/apache/catalina/core/StandardContext.java, webapps/docs/config/context.xml. This reverts the change in behaviour following the CVE-2015-5345 security update and was also done upstream in later releases. -- Marc Deslauriers <email address hidden> Fri, 16 Sep 2016 09:19:37 -0400

Source diff to previous version

1609819	CVE-2015-5345 patch issue on tomcat7
CVE-2015-5345	The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before con

Version: 7.0.52-1ubuntu0.6 2016-07-05 20:06:31 UTC

tomcat7 (7.0.52-1ubuntu0.6) trusty-security; urgency=medium * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in java/org/apache/tomcat/util/http/RequestUtil.java, test/org/apache/tomcat/util/http/TestRequestUtil.java. - CVE-2015-5174 * SECURITY UPDATE: information disclosure via redirects by mapper - debian/patches/CVE-2015-5345.patch: fix redirect logic in java/org/apache/catalina/Context.java, java/org/apache/catalina/authenticator/FormAuthenticator.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/mbeans-descriptors.xml, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/servlets/WebdavServlet.java, java/org/apache/catalina/startup/FailedContext.java, java/org/apache/tomcat/util/http/mapper/Mapper.java, test/org/apache/catalina/startup/TomcatBaseTest.java, webapps/docs/config/context.xml, test/org/apache/catalina/core/TesterContext.java. - CVE-2015-5345 * SECURITY UPDATE: session fixation vulnerability - debian/patches/CVE-2015-5346.patch: handle different session settings in java/org/apache/catalina/connector/CoyoteAdapter.java, java/org/apache/catalina/connector/Request.java. - CVE-2015-5346 * SECURITY UPDATE: CSRF protection mechanism bypass - debian/patches/CVE-2015-5351.patch: don't create sessions unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp, webapps/host-manager/WEB-INF/jsp/403.jsp, webapps/host-manager/WEB-INF/jsp/404.jsp, webapps/host-manager/index.jsp, webapps/manager/WEB-INF/web.xml, webapps/manager/index.jsp. - CVE-2015-5351 * SECURITY UPDATE: securityManager restrictions bypass via StatusManagerServlet - debian/patches/CVE-2016-0706.patch: place servlet in restricted list in java/org/apache/catalina/core/RestrictedServlets.properties. - CVE-2016-0706 * SECURITY UPDATE: securityManager restrictions bypass via session-persistence implementation - debian/patches/CVE-2016-0714.patch: extend the session attribute filtering options in java/org/apache/catalina/ha/session/ClusterManagerBase.java java/org/apache/catalina/ha/session/mbeans-descriptors.xml, java/org/apache/catalina/session/LocalStrings.properties, java/org/apache/catalina/session/ManagerBase.java, java/org/apache/catalina/session/StandardManager.java, java/org/apache/catalina/session/mbeans-descriptors.xml, java/org/apache/catalina/util/CustomObjectInputStream.java, java/org/apache/catalina/util/LocalStrings.properties, webapps/docs/config/cluster-manager.xml, webapps/docs/config/manager.xml. - CVE-2016-0714 * SECURITY UPDATE: securityManager restrictions bypass via crafted global context - debian/patches/CVE-2016-0763.patch: protect initialization in java/org/apache/naming/factory/ResourceLinkFactory.java. - CVE-2016-0763 * SECURITY UPDATE: denial of service in FileUpload - debian/patches/CVE-2016-3092.patch: properly handle size in java/org/apache/tomcat/util/http/fileupload/MultipartStream.java. - CVE-2016-3092 * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing colons in cookie names which is illegal in newer java versions in test/org/apache/catalina/authenticator/*.java. -- Marc Deslauriers <email address hidden> Wed, 29 Jun 2016 12:50:02 -0400

CVE-2015-5174	Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote auth
CVE-2015-5345	The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before con
CVE-2015-5346	Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are us
CVE-2015-5351	The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions a
CVE-2016-0706	Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManag
CVE-2016-0714	The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles s
CVE-2016-0763	The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x befo

About - Send Feedback to @ubuntu_updates

Package "tomcat7"

Links

Other versions of "tomcat7" in Trusty

Packages in group

Changelog

Share this page

Bookmarks

Latest updates

proposed

updates

PPA updates