[DONE] wml://security/2016/dla-435.wml
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- --- english/security/2016/dla-435.wml 2016-04-08 01:54:44.000000000 +0500
+++ russian/security/2016/dla-435.wml 2016-04-18 12:34:34.198317800 +0500
@@ -1,71 +1,72 @@
- -<define-tag description>LTS security update</define-tag>
+#use wml::debian::translation-check translation="1.2" maintainer="Lev Lamberov"
+<define-tag description>обновление безопаÑ?ноÑ?Ñ?и LTS</define-tag>
<define-tag moreinfo>
- -<p>Tomcat 6, an implementation of the Java Servlet and the JavaServer
- -Pages (JSP) specifications and a pure Java web server environment, was
- -affected by multiple security issues prior version 6.0.45.</p>
+<p>Tomcat 6, Ñ?еализаÑ?иÑ? Ñ?пеÑ?иÑ?икаÑ?ий Java Servlet и JavaServer
+Pages (JSP), а Ñ?акже Ñ?иÑ?Ñ?ое Java-окÑ?Ñ?жение длÑ? веб-Ñ?еÑ?веÑ?а,
+Ñ?одеÑ?жиÑ? многоÑ?иÑ?леннÑ?е пÑ?облемÑ? безопаÑ?ноÑ?Ñ?и в веÑ?Ñ?иÑ?Ñ? до веÑ?Ñ?ии 6.0.45.</p>
<ul>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2015-5174">CVE-2015-5174</a>
- - <p>Directory traversal vulnerability in RequestUtil.java in Apache
- - Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27
- - allows remote authenticated users to bypass intended SecurityManager
- - restrictions and list a parent directory via a /.. (slash dot dot)
- - in a pathname used by a web application in a getResource,
- - getResourceAsStream, or getResourcePaths call, as demonstrated by
- - the $CATALINA_BASE/webapps directory.</p></li>
+ <p>Ð?бÑ?од каÑ?алога в RequestUtil.java в Apache
+ Tomcat 6.x до веÑ?Ñ?ии 6.0.45, 7.x до веÑ?Ñ?ии 7.0.65 и 8.x до веÑ?Ñ?ии 8.0.27
+ позволÑ?еÑ? Ñ?далÑ?ннÑ?м аÑ?Ñ?енÑ?иÑ?иÑ?иÑ?ованнÑ?м полÑ?зоваÑ?елÑ?м обÑ?одиÑ?Ñ? Ñ?пеÑ?иалÑ?нÑ?е огÑ?аниÑ?ениÑ?
+ SecurityManager и Ñ?знаÑ?Ñ? Ñ?одеÑ?жимое Ñ?одиÑ?елÑ?Ñ?кого каÑ?алоге Ñ? помоÑ?Ñ?Ñ? /.. (каÑ?аÑ? Ñ?еÑ?Ñ?а и две Ñ?оÑ?ки)
+ в имени пÑ?Ñ?и, иÑ?полÑ?зÑ?емом веб-пÑ?иложением в вÑ?зоваÑ? getResource,
+ getResourceAsStream или getResourcePaths, Ñ?Ñ?о пÑ?одемонÑ?Ñ?Ñ?иÑ?овано
+ каÑ?алогом $CATALINA_BASE/webapps.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2015-5345">CVE-2015-5345</a>
- - <p>The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before
- - 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes
- - redirects before considering security constraints and Filters, which
- - allows remote attackers to determine the existence of a directory
- - via a URL that lacks a trailing / (slash) character.</p></li>
+ <p>Ð?омпоненÑ? Mapper в Apache Tomcat 6.x до веÑ?Ñ?ии 6.0.45, 7.x до веÑ?Ñ?ии
+ 7.0.67, 8.x до веÑ?Ñ?ии 8.0.30 и 9.x до веÑ?Ñ?ии 9.0.0.M2 обÑ?абаÑ?Ñ?ваеÑ?
+ пеÑ?енапÑ?авлениÑ? до Ñ?аÑ?Ñ?моÑ?Ñ?ениÑ? к огÑ?аниÑ?ениÑ?м безопаÑ?ноÑ?Ñ?и и Ñ?илÑ?Ñ?Ñ?ам, Ñ?Ñ?о позволÑ?еÑ?
+ Ñ?далÑ?ннÑ?м злоÑ?мÑ?Ñ?ленникам опÑ?еделÑ?Ñ?Ñ? Ñ?Ñ?Ñ?еÑ?Ñ?вование каÑ?алога
+ Ñ? помоÑ?Ñ?Ñ? URL, в коÑ?оÑ?ом в конÑ?е оÑ?Ñ?Ñ?Ñ?вÑ?еÑ? Ñ?имвол / (каÑ?аÑ? Ñ?еÑ?Ñ?а).</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2015-5351">CVE-2015-5351</a>
- - <p>The Manager and Host Manager applications in Apache Tomcat
- - establish sessions and send CSRF tokens for arbitrary new requests,
- - which allows remote attackers to bypass a CSRF protection mechanism
- - by using a token.</p></li>
+ <p>Ð?Ñ?иложениÑ? Manager и Host Manager в Apache Tomcat Ñ?Ñ?Ñ?анавливаÑ?Ñ?
+ Ñ?еÑ?Ñ?ии и оÑ?пÑ?авлÑ?Ñ?Ñ? Ñ?окенÑ? CSRF в оÑ?веÑ? на пÑ?оизволÑ?нÑ?е новÑ?е запÑ?оÑ?Ñ?,
+ Ñ?Ñ?о позволÑ?еÑ? Ñ?далÑ?ннÑ?м злоÑ?мÑ?Ñ?ленникам обÑ?одиÑ?Ñ? меÑ?анизм заÑ?иÑ?Ñ? CSRF,
+ иÑ?полÑ?зÑ?Ñ? Ñ?окенÑ?.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-0706">CVE-2016-0706</a>
- - <p>Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before
- - 8.0.31, and 9.x before 9.0.0.M2 does not place
- - org.apache.catalina.manager.StatusManagerServlet on the org/apache
- - /catalina/core/RestrictedServlets.properties list, which allows
- - remote authenticated users to bypass intended SecurityManager
- - restrictions and read arbitrary HTTP requests, and consequently
- - discover session ID values, via a crafted web application.</p></li>
+ <p>Apache Tomcat 6.x до веÑ?Ñ?ии 6.0.45, 7.x до веÑ?Ñ?ии 7.0.68, 8.x до веÑ?Ñ?ии
+ 8.0.31 и 9.x до веÑ?Ñ?ии 9.0.0.M2 не помеÑ?аеÑ?
+ org.apache.catalina.manager.StatusManagerServlet в Ñ?пиÑ?ок org/apache
+ /catalina/core/RestrictedServlets.properties, Ñ?Ñ?о позволÑ?еÑ? Ñ?далÑ?ннÑ?м
+ аÑ?Ñ?енÑ?иÑ?иÑ?иÑ?ованнÑ?м полÑ?зоваÑ?елÑ?м обÑ?одиÑ?Ñ? Ñ?пеÑ?иалÑ?нÑ?е огÑ?аниÑ?ениÑ? SecurityManager
+ и Ñ?Ñ?иÑ?Ñ?ваÑ?Ñ? пÑ?оизволÑ?нÑ?е запÑ?оÑ?Ñ? HTTP, а заÑ?ем и обнаÑ?Ñ?живаÑ?Ñ?
+ знаÑ?ениÑ? иденÑ?иÑ?икаÑ?оÑ?ов Ñ?еÑ?Ñ?ии пÑ?и помоÑ?и Ñ?пеÑ?иалÑ?но Ñ?Ñ?оÑ?миÑ?ованного веб-пÑ?иложениÑ?.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-0714">CVE-2016-0714</a>
- - <p>The session-persistence implementation in Apache Tomcat 6.x before
- - 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before
- - 9.0.0.M2 mishandles session attributes, which allows remote
- - authenticated users to bypass intended SecurityManager restrictions
- - and execute arbitrary code in a privileged context via a web
- - application that places a crafted object in a session.</p></li>
+ <p>РеализаÑ?иÑ? session-persistence в Apache Tomcat 6.x до веÑ?Ñ?ии
+ 6.0.45, 7.x до веÑ?Ñ?ии 7.0.68, 8.x до веÑ?Ñ?ии 8.0.31 и 9.x до веÑ?Ñ?ии
+ 9.0.0.M2 непÑ?авилÑ?но обÑ?абаÑ?Ñ?ваеÑ? аÑ?Ñ?ибÑ?Ñ?Ñ? Ñ?еÑ?Ñ?ий, Ñ?Ñ?о позволÑ?еÑ? Ñ?далÑ?ннÑ?м
+ аÑ?Ñ?енÑ?иÑ?иÑ?иÑ?ованнÑ?м полÑ?зоваÑ?елÑ?м обÑ?одиÑ?Ñ? Ñ?пеÑ?иалÑ?нÑ?е огÑ?аниÑ?ениÑ? SecurityManager
+ и вÑ?полнÑ?Ñ?Ñ? пÑ?оизволÑ?нÑ?й код в пÑ?ивилегиÑ?ованном конÑ?екÑ?Ñ?е Ñ? помоÑ?Ñ?Ñ?
+ веб-пÑ?иложениÑ?, помеÑ?аÑ?Ñ?его в Ñ?еÑ?Ñ?иÑ? Ñ?пеÑ?иалÑ?но Ñ?Ñ?оÑ?миÑ?ованнÑ?й обÑ?екÑ?.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-0763">CVE-2016-0763</a>
- - <p>The setGlobalContext method in org/apache/naming/factory
- - /ResourceLinkFactory.java in Apache Tomcat does not consider whether
- - ResourceLinkFactory.setGlobalContext callers are authorized, which
- - allows remote authenticated users to bypass intended SecurityManager
- - restrictions and read or write to arbitrary application data, or
- - cause a denial of service (application disruption), via a web
- - application that sets a crafted global context.</p></li>
+ <p>Ð?еÑ?од setGlobalContext в org/apache/naming/factory
+ /ResourceLinkFactory.java в Apache Tomcat не вÑ?полнÑ?еÑ? пÑ?овеÑ?кÑ? авÑ?оÑ?изаÑ?ии
+ вÑ?зÑ?ваÑ?Ñ?иÑ? Ñ?Ñ?нкÑ?ий ResourceLinkFactory.setGlobalContext, Ñ?Ñ?о позволÑ?еÑ?
+ Ñ?далÑ?ннÑ?м аÑ?Ñ?енÑ?иÑ?иÑ?иÑ?ованнÑ?м полÑ?зоваÑ?елÑ?м обÑ?одиÑ?Ñ? Ñ?пеÑ?иалÑ?нÑ?е огÑ?аниÑ?ениÑ? SecurityManager
+ и вÑ?полнÑ?Ñ?Ñ? Ñ?Ñ?ение или запиÑ?Ñ? в пÑ?оизволÑ?нÑ?е даннÑ?е пÑ?иложениÑ?, либо
+ вÑ?зÑ?ваÑ?Ñ? оÑ?каз в обÑ?лÑ?живании (Ñ?бой пÑ?иложениÑ?) пÑ?и помоÑ?и веб-пÑ?иложениÑ?,
+ коÑ?оÑ?ое Ñ?оздаÑ?Ñ? Ñ?пеÑ?иалÑ?но Ñ?Ñ?оÑ?миÑ?ованнÑ?й глобалÑ?нÑ?й конÑ?екÑ?Ñ?.</p></li>
</ul>
- -<p>For Debian 6 <q>Squeeze</q>, these problems have been fixed in version
+<p>Ð? Debian 6 <q>Squeeze</q> Ñ?Ñ?и пÑ?облемÑ? бÑ?ли иÑ?пÑ?авленÑ? в веÑ?Ñ?ии
6.0.45-1~deb6u1.</p>
- -<p>We recommend that you upgrade your tomcat6 packages.</p>
+<p>РекомендÑ?еÑ?Ñ?Ñ? обновиÑ?Ñ? пакеÑ?Ñ? tomcat6.</p>
</define-tag>
# do not modify the following line
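Review bot: in the CVE-2015-5174 paragraph, the added line that starts with "SecurityManager и" puts the noun after "родительского" in the prepositional case ("каталоге"); the genitive "каталога" is needed to agree with the adjective, so please correct that word. Separately, the added Cyrillic lines in this copy of the message are mis-decoded (each letter shows up as a two-character sequence ending in "?"), and the clearsigned body dash-escapes the removed lines ("- -<p>…"), so the committed file should be checked against a clean UTF-8 copy rather than applied from this text.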
-----BEGIN PGP SIGNATURE-----
=9mMw
-----END PGP SIGNATURE-----