Format: 1.8
Date: Sat, 27 Feb 2016 19:32:00 +0100
Source: tomcat6
Binary: libservlet2.5-java libservlet2.5-java-doc
Architecture: all
Version: 6.0.45+dfsg-1
Distribution: xenial-proposed
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Markus Koschany
Description:
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
Changes:
 tomcat6 (6.0.45+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   * Imported Upstream version 6.0.45+dfsg.
     - Remove all prebuilt jar files.
   * Declare compliance with Debian Policy 3.9.7.
   * Vcs-fields: Use https.
   * This update fixes the following security vulnerabilities in the source
     package. Since src:tomcat6 only builds libservlet2.5-java and
     documentation, users are not directly affected.
     - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
     - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
       processes redirects before considering security constraints and
       Filters.
     - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
       org.apache.catalina.manager.StatusManagerServlet on the
       org/apache/catalina/core/RestrictedServlets.properties list, which
       allows remote authenticated users to bypass intended SecurityManager
       restrictions.
     - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
       before 6.0.45 mishandles session attributes, which allows remote
       authenticated users to bypass intended SecurityManager restrictions.
     - CVE-2016-0763: The setGlobalContext method in
       org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat
       does not consider whether ResourceLinkFactory.setGlobalContext callers
       are authorized, which allows remote authenticated users to bypass
       intended SecurityManager restrictions and read or write to arbitrary
       application data, or cause a denial of service (application
       disruption), via a web application that sets a crafted global context.
     - CVE-2015-5351: The Manager and Host Manager applications in Apache
       Tomcat establish sessions and send CSRF tokens for arbitrary new
       requests, which allows remote attackers to bypass a CSRF protection
       mechanism by using a token.
Checksums-Sha1:
 73f3f00e967a79cb91a6b4b76d0d48f61b0ec84a 156340 libservlet2.5-java-doc_6.0.45+dfsg-1_all.deb
 60b98f915ac236f64cca7d055e7845d7cb55699a 211620 libservlet2.5-java_6.0.45+dfsg-1_all.deb
Checksums-Sha256:
 cd4196cd87147aab01a4f0c31b773a2415a947af4e58b6f27aba126a767f6d5f 156340 libservlet2.5-java-doc_6.0.45+dfsg-1_all.deb
 a68e3499df7e16bfbbb8ac4f2798cc149c205b6471f37252bc22b572dc8d1b71 211620 libservlet2.5-java_6.0.45+dfsg-1_all.deb
Files:
 a2d9980b3c4329389a4402bbfad2c279 156340 doc optional libservlet2.5-java-doc_6.0.45+dfsg-1_all.deb
 10897c66f69681f452d126f7326f279d 211620 java optional libservlet2.5-java_6.0.45+dfsg-1_all.deb
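The Checksums-Sha256 and Files stanzas above are what a downstream consumer should check the built .deb files against before installing or mirroring them. The script below is an added example, not part of the tomcat6 upload or of Debian's tooling: it parses those two stanzas out of a .changes file, cross-checks that both list the same artifacts with the same sizes, and verifies files on disk against the SHA-256 digests only (the MD5 column in Files is parsed but deliberately not used for verification, since MD5 is not collision resistant). The two stanzas from this page are embedded as input; the `good_`, `tampered_` and `absent_` packages in the demo are constructed sample data whose digests are computed inline, not real packages. Note that the digests only mean something if the .changes file itself is authenticated (Debian signs .changes files with the uploader's OpenPGP key); this page shows no signature block, so the example assumes that check has already been done.

```python
"""Verify the artifacts listed in a Debian .changes file (added example)."""
import hashlib
import os
import re
import tempfile

# The Checksums-Sha256 and Files stanzas from this page, embedded so the
# example runs offline; the remaining fields of the .changes file are omitted.
CHANGES_TEXT = """\
Source: tomcat6
Version: 6.0.45+dfsg-1
Checksums-Sha256:
 cd4196cd87147aab01a4f0c31b773a2415a947af4e58b6f27aba126a767f6d5f 156340 libservlet2.5-java-doc_6.0.45+dfsg-1_all.deb
 a68e3499df7e16bfbbb8ac4f2798cc149c205b6471f37252bc22b572dc8d1b71 211620 libservlet2.5-java_6.0.45+dfsg-1_all.deb
Files:
 a2d9980b3c4329389a4402bbfad2c279 156340 doc optional libservlet2.5-java-doc_6.0.45+dfsg-1_all.deb
 10897c66f69681f452d126f7326f279d 211620 java optional libservlet2.5-java_6.0.45+dfsg-1_all.deb
"""


def parse_control(text):
    """Parse RFC822-style control text into {field: [lines]}.
    Continuation lines (leading whitespace) are appended, stripped."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith((" ", "\t")):
            if current is None:
                raise ValueError("continuation line before any field")
            if line.strip():
                fields[current].append(line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
        elif line.strip():
            raise ValueError("unparseable line: %r" % line)
    return fields


def expected_artifacts(changes_text):
    """Return {filename: (sha256_hex, size)}, refusing input where the
    Checksums-Sha256 and Files stanzas disagree on names or sizes."""
    fields = parse_control(changes_text)
    sha = {}
    for entry in fields.get("Checksums-Sha256", []):
        digest, size, name = entry.split()
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError("malformed sha256 for %s" % name)
        sha[name] = (digest, int(size))
    files = {}
    for entry in fields.get("Files", []):
        _md5, size, _section, _priority, name = entry.split()  # MD5 ignored
        files[name] = int(size)
    if set(sha) != set(files):
        raise ValueError("Checksums-Sha256 and Files list different artifacts")
    for name, (_, size) in sha.items():
        if files[name] != size:
            raise ValueError("size mismatch for %s" % name)
    return sha


def sha256_file(path):
    """Streamed SHA-256 of a file, so large .deb files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(changes_text, directory):
    """Check each listed artifact under `directory`.
    Returns {name: 'ok' | 'mismatch' | 'missing'}; size is checked first."""
    results = {}
    for name, (digest, size) in expected_artifacts(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size or sha256_file(path) != digest:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


# Constructed sample (not a real package): a stand-in payload and a .changes
# fragment whose digests are derived from it, covering the three outcomes.
SAMPLE_DEB = b"!<arch>\nconstructed payload standing in for a .deb\n"
SAMPLE_CHANGES = (
    "Checksums-Sha256:\n"
    " %(sha)s %(n)d good_1.0_all.deb\n"
    " %(sha)s %(n)d tampered_1.0_all.deb\n"
    " %(sha)s %(n)d absent_1.0_all.deb\n"
    "Files:\n"
    " %(md5)s %(n)d misc optional good_1.0_all.deb\n"
    " %(md5)s %(n)d misc optional tampered_1.0_all.deb\n"
    " %(md5)s %(n)d misc optional absent_1.0_all.deb\n"
) % {"sha": hashlib.sha256(SAMPLE_DEB).hexdigest(),
     "md5": hashlib.md5(SAMPLE_DEB).hexdigest(), "n": len(SAMPLE_DEB)}


def demo():
    """Write the good and a same-length tampered copy, leave the third
    absent, and return the verification results."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good_1.0_all.deb"), "wb") as f:
            f.write(SAMPLE_DEB)
        with open(os.path.join(d, "tampered_1.0_all.deb"), "wb") as f:
            f.write(SAMPLE_DEB[:-2] + b"X\n")  # same size, one byte changed
        return verify_directory(SAMPLE_CHANGES, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(status, name)
```

Run against a directory holding the two real .deb files, `verify_directory(CHANGES_TEXT, path)` reports `ok` for both only if their sizes and SHA-256 digests match the stanzas above; the size check alone is not a security control, as the tampered sample shows.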