Format: 1.8
Date: Mon, 16 Jan 2017 08:18:27 -0500
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: all amd64_translations
Version: 8.0.32-1ubuntu1.3
Distribution: xenial
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Marc Deslauriers
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.0.32-1ubuntu1.3) xenial-security; urgency=medium
 .
   * SECURITY UPDATE: timing attack in realm implementations
     - debian/patches/CVE-2016-0762.patch: add time delays to
       java/org/apache/catalina/realm/DataSourceRealm.java,
       java/org/apache/catalina/realm/JDBCRealm.java,
       java/org/apache/catalina/realm/MemoryRealm.java,
       java/org/apache/catalina/realm/RealmBase.java.
     - CVE-2016-0762
   * SECURITY UPDATE: SecurityManager bypass via a Tomcat utility method
     - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
       java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
       java/org/apache/jasper/security/SecurityClassLoad.java,
       java/org/apache/jasper/servlet/JasperInitializer.java.
     - CVE-2016-5018
   * SECURITY UPDATE: mitigation for httpoxy issue
     - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
       parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
       java/org/apache/catalina/servlets/CGIServlet.java.
     - CVE-2016-5388
   * SECURITY UPDATE: system properties read SecurityManager bypass
     - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
       to the system property replacement feature of the digester in
       java/org/apache/catalina/loader/WebappClassLoaderBase.java,
       java/org/apache/tomcat/util/digester/Digester.java,
       java/org/apache/tomcat/util/security/PermissionCheck.java.
     - CVE-2016-6794
   * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
     parameters
     - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
       running under a SecurityManager in conf/web.xml,
       java/org/apache/jasper/EmbeddedServletOptions.java,
       java/org/apache/jasper/resources/LocalStrings.properties,
       java/org/apache/jasper/servlet/JspServlet.java,
       webapps/docs/jasper-howto.xml.
     - CVE-2016-6796
   * SECURITY UPDATE: web application global JNDI resource access
     - debian/patches/CVE-2016-6797.patch: ensure that the global resource is
       only visible via the ResourceLinkFactory when it is meant to be in
       java/org/apache/catalina/core/NamingContextListener.java,
       java/org/apache/naming/factory/ResourceLinkFactory.java,
       test/org/apache/naming/TestNamingContext.java.
     - CVE-2016-6797
   * SECURITY UPDATE: HTTP response injection via invalid characters
     - debian/patches/CVE-2016-6816.patch: add additional checks for valid
       characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
       java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
       java/org/apache/coyote/http11/InternalAprInputBuffer.java,
       java/org/apache/coyote/http11/InternalInputBuffer.java,
       java/org/apache/coyote/http11/LocalStrings.properties,
       java/org/apache/tomcat/util/http/parser/HttpParser.java.
     - CVE-2016-6816
   * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
     - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
       credential types in
       java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
     - CVE-2016-8735
   * SECURITY UPDATE: information leakage between requests
     - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
       to complete sendfile request in
       java/org/apache/tomcat/util/net/NioEndpoint.java.
     - CVE-2016-8745
   * SECURITY UPDATE: privilege escalation during package upgrade
     - debian/rules, debian/tomcat8.postinst: properly set permissions on
       /etc/tomcat8/Catalina/localhost.
     - CVE-2016-9774
   * SECURITY UPDATE: privilege escalation during package removal
     - debian/tomcat8.postrm.in: don't reset permissions before removing user.
     - CVE-2016-9775
   * debian/tomcat8.init: further hardening.
Checksums-Sha1:
Checksums-Sha256:
Files:
Original-Maintainer: Debian Java Maintainers