Package "libservlet2.5-java-doc"
Name: libservlet2.5-java-doc
Description: Servlet 2.5 and JSP 2.1 Java API documentation
Latest version: 6.0.45+dfsg-1ubuntu0.2
Release: xenial (16.04)
Level: security
Repository: universe
Head package: tomcat6
Homepage: http://tomcat.apache.org
Changelog
tomcat6 (6.0.45+dfsg-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

 -- Emilia Torino <email address hidden>  Mon, 26 Oct 2020 11:52:05 -0300
CVE-2016-1240
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and

tomcat6 (6.0.45+dfsg-1ubuntu0.1) xenial-security; urgency=medium

  * Merge patches from Debian.
  * SECURITY UPDATE: Timing attack.
    - debian/patches/CVE-2016-0762.patch: Make timing attacks against the
      Realm implementations harder.
    - CVE-2016-0762
  * SECURITY UPDATE: SecurityManager bypass.
    - debian/patches/CVE-2016-5018.patch: Remove unnecessary code.
    - debian/patches/CVE-2016-5018-part2.patch: Fix regression.
    - debian/patches/CVE-2016-6794.patch: Provide a mechanism that enables
      the container to check if a component has been granted a given
      permission when running under a SecurityManager.
    - debian/patches/CVE-2016-6796.patch: Ignore some JSP options when
      running under a SecurityManager.
    - CVE-2016-5018
    - CVE-2016-6794
    - CVE-2016-6796
  * SECURITY UPDATE: Limited resources bypass.
    - debian/patches/CVE-2016-6797.patch: When adding and removing
      ResourceLinks dynamically, ensure that the global resource is only
      visible via the ResourceLinkFactory when it is meant to be.
    - debian/patches/CVE-2016-6797-part2.patch: Fix regression.
    - CVE-2016-6797
  * SECURITY UPDATE: Data injection in HTTP requests.
    - debian/patches/CVE-2016-6816.patch: Add additional checks for valid
      characters to the HTTP request line parsing so invalid request lines
      are rejected sooner.
    - CVE-2016-6816
  * SECURITY UPDATE: Remote code execution.
    - debian/patches/CVE-2016-8735.patch: Explicitly configure allowed
      credential types.
    - CVE-2016-8735

 -- Eduardo Barretto <email address hidden>  Tue, 29 Sep 2020 10:08:34 -0300