UbuntuUpdates.org

Package "tomcat7-user"

Name: tomcat7-user

Description:

Servlet and JSP engine -- tools to create user instances

Latest version: 7.0.68-1ubuntu0.4
Release: xenial (16.04)
Level: updates
Repository: universe
Head package: tomcat7
Homepage: http://tomcat.apache.org

Links


Download "tomcat7-user"


Other versions of "tomcat7-user" in Xenial

Repository Area Version
base universe 7.0.68-1
security universe 7.0.68-1ubuntu0.4

Changelog

Version: 7.0.68-1ubuntu0.4 2018-10-30 21:06:20 UTC

  tomcat7 (7.0.68-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: security manager startup issue (LP: #1799990)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

 -- Eduardo Barretto <email address hidden> Tue, 30 Oct 2018 09:54:52 -0300

Source diff to previous version
1799990 tomcat7 doesn't start after upgrade to 7.0.68-1ubuntu0.3

Version: 7.0.68-1ubuntu0.3 2018-10-24 22:07:21 UTC

  tomcat7 (7.0.68-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Timing attack can determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in the Realm
      implementation.
    - CVE-2016-0762
  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat7.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY UPDATE: SecurityManager bypass via a utility method.
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - debian/patches/CVE-2016-5018-part2.patch: fix a regression when
      using Jasper with SecurityManager enabled.
    - CVE-2016-5018
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager
      protection to the system property replacement feature of the
      digester in java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters.
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be
      in java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in
      java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when
      unable to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

 -- Eduardo Barretto <email address hidden> Fri, 19 Oct 2018 10:46:37 -0300

Source diff to previous version
CVE-2016-0762 Apache Tomcat Realm Timing Attack
CVE-2016-1240 The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and
CVE-2016-5018 Apache Tomcat Security Manager Bypass
CVE-2016-6794 Apache Tomcat System Property Disclosure
CVE-2016-6796 Apache Tomcat Security Manager Bypass
CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources
CVE-2016-6816 information disclosure
CVE-2016-8735 remote code execution
CVE-2016-8745 A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0
CVE-2016-9774 tomcat8: privilege escalation during package upgrade
CVE-2016-9775 tomcat8: privilege escalation during package removal

Version: 7.0.68-1ubuntu0.1 2016-07-05 20:06:35 UTC

  tomcat7 (7.0.68-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092

 -- Marc Deslauriers <email address hidden> Mon, 27 Jun 2016 14:13:17 -0400




About   -   Send Feedback to @ubuntu_updates