Package "tomcat6"

Name: tomcat6


This package is just an umbrella for a group of other packages; it has no description of its own.
Description samples from packages in the group:

  • Servlet 2.5 and JSP 2.1 Java API classes
  • Servlet 2.5 and JSP 2.1 Java API documentation

Latest version: 6.0.45+dfsg-1ubuntu0.2
Release: xenial (16.04)
Level: updates
Repository: universe


Other versions of "tomcat6" in Xenial

Repository   Area       Version
base         universe   6.0.45+dfsg-1
security     universe   6.0.45+dfsg-1ubuntu0.2

Packages in group



Version: 6.0.45+dfsg-1ubuntu0.2 2020-10-27 18:06:17 UTC

  tomcat6 (6.0.45+dfsg-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

 -- Emilia Torino <email address hidden> Mon, 26 Oct 2020 11:52:05 -0300

CVE-2016-1240 The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and

Version: 6.0.45+dfsg-1ubuntu0.1 2020-09-30 07:06:51 UTC

  tomcat6 (6.0.45+dfsg-1ubuntu0.1) xenial-security; urgency=medium

  * Merge patches from Debian.
  * SECURITY UPDATE: Timing attack.
    - debian/patches/CVE-2016-0762.patch: Make timing attacks against the
      Realm implementations harder.
    - CVE-2016-0762
  * SECURITY UPDATE: SecurityManager bypass.
    - debian/patches/CVE-2016-5018.patch: Remove unnecessary code.
    - debian/patches/CVE-2016-5018-part2.patch: Fix regression.
    - debian/patches/CVE-2016-6794.patch: Provide a mechanism that enables
      the container to check if a component has been granted a given
      permission when running under a SecurityManager.
    - debian/patches/CVE-2016-6796.patch: Ignore some JSP options when
      running under a SecurityManager.
    - CVE-2016-5018
    - CVE-2016-6794
    - CVE-2016-6796
  * SECURITY UPDATE: Limited resources bypass.
    - debian/patches/CVE-2016-6797.patch: When adding and removing
      ResourceLinks dynamically, ensure that the global resource is only
      visible via the ResourceLinkFactory when it is meant to be.
    - debian/patches/CVE-2016-6797-part2.patch: Fix regression.
    - CVE-2016-6797
  * SECURITY UPDATE: Data injection in HTTP requests.
    - debian/patches/CVE-2016-6816.patch: Add additional checks for valid
      characters to the HTTP request line parsing so invalid request lines
      are rejected sooner.
    - CVE-2016-6816
  * SECURITY UPDATE: Remote code execution.
    - debian/patches/CVE-2016-8735.patch: Explicitly configure allowed
      credential types.
    - CVE-2016-8735

 -- Eduardo Barretto <email address hidden> Tue, 29 Sep 2020 10:08:34 -0300

CVE-2016-0762 Apache Tomcat Realm Timing Attack
CVE-2016-5018 Apache Tomcat Security Manager Bypass
CVE-2016-6794 Apache Tomcat System Property Disclosure
CVE-2016-6796 Apache Tomcat Security Manager Bypass
CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources
CVE-2016-6816 information disclosure
CVE-2016-8735 remote code execution
