
Accepted tomcat6 6.0.45+dfsg-1~deb7u3 (source all) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 01 Dec 2016 20:01:25 +0000
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.4-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs tomcat6-extras
Architecture: source all
Version: 6.0.45+dfsg-1~deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description: 
 libservlet2.4-java - Transitional package for libservlet2.5-java
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
 libtomcat6-java - Servlet and JSP engine -- core libraries
 tomcat6    - Servlet and JSP engine
 tomcat6-admin - Servlet and JSP engine -- admin web applications
 tomcat6-common - Servlet and JSP engine -- common files
 tomcat6-docs - Servlet and JSP engine -- documentation
 tomcat6-examples - Servlet and JSP engine -- example web applications
 tomcat6-extras - Servlet and JSP engine -- additional components
 tomcat6-user - Servlet and JSP engine -- tools to create user instances
Changes: 
 tomcat6 (6.0.45+dfsg-1~deb7u3) wheezy-security; urgency=high
 .
   * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
     password if the supplied user name did not exist. This made a timing attack
     possible to determine valid user names.
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
     accessible to web applications.
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
     configuration files could be used by a malicious web application to bypass
     the SecurityManager and read system properties that should not be visible.
   * Fixed CVE-2016-6796: A malicious web application was able to bypass
     a configured SecurityManager via manipulation of the configuration
     parameters for the JSP Servlet.
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
     access to global JNDI resources to those resources explicitly linked to the
     web application. Therefore, it was possible for a web application to access
     any global JNDI resource whether an explicit ResourceLink had been
     configured or not.
   * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
     invalid characters. This could be exploited, in conjunction with a proxy
     that also permitted the invalid characters but with a different
     interpretation, to inject data into the HTTP response. By manipulating the
     HTTP response the attacker could poison a web-cache, perform an XSS attack
     and/or obtain sensitive information from requests other than their own.
   * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
     account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
     using this listener remained vulnerable to a similar remote code execution
     vulnerability.
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
       Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a similar
       vulnerability that could be exploited to overwrite any file on the system.
       Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo.
   * Fix possible privilege escalation via package purge by removing the chown
     command in postrm maintainer script. See #845385 for more information.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

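The CVE-2016-0762 entry above describes a Realm that skipped password processing whenever the user name did not exist, so the faster failure revealed which accounts were valid. As an added example (not Tomcat's or Debian's code), this toy Python realm shows that early-return shape beside the usual mitigation of spending the same credential work against a dummy record; the user names, passwords and PBKDF2 parameters are constructed.

```python
# Constant-work login check, modelled on the CVE-2016-0762 entry above. Added
# example, not Tomcat or Debian code: skipping password processing for unknown
# user names makes that failure faster and lets a caller enumerate accounts.
import hashlib
import hmac
import os
import secrets

def derive(password: str, salt: bytes) -> bytes:
    # Constructed work factor; any slow KDF shows the same effect.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

class Realm:
    def __init__(self, users: dict[str, str], constant_work: bool):
        self._constant_work = constant_work
        self.hash_calls = 0  # instrumentation: derivations per request
        self._store = {}     # constructed store: name -> (salt, derived key)
        for name, password in users.items():
            salt = os.urandom(16)
            self._store[name] = (salt, derive(password, salt))
        # Random dummy credential, derived once at start-up; unknown names
        # are checked against it so they cost exactly one derivation too.
        dummy_salt = os.urandom(16)
        self._dummy = (dummy_salt, derive(secrets.token_hex(16), dummy_salt))

    def authenticate(self, username: str, password: str) -> bool:
        record = self._store.get(username)
        known = record is not None
        if not known:
            if not self._constant_work:
                return False      # vulnerable shape: fails fast, zero work
            record = self._dummy  # hardened shape: same work as a real user
        salt, expected = record
        self.hash_calls += 1
        candidate = derive(password, salt)
        # Constant-time compare; the dummy path can never authenticate.
        return hmac.compare_digest(candidate, expected) and known

def work_profile(realm: Realm) -> tuple[int, int]:
    """Derivations spent on a wrong password for 'alice' vs unknown 'nobody'."""
    costs = []
    for name in ("alice", "nobody"):
        realm.hash_calls = 0
        realm.authenticate(name, "wrong-password")
        costs.append(realm.hash_calls)
    return costs[0], costs[1]

if __name__ == "__main__":
    print("vulnerable:", work_profile(Realm({"alice": "hunter2"}, False)))  # (1, 0)
    print("hardened:  ", work_profile(Realm({"alice": "hunter2"}, True)))   # (1, 1)
```

The counter stands in for wall-clock time: the vulnerable realm does no key derivation at all for a missing user, while the hardened one performs exactly one derivation on both paths and still rejects the dummy record.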

