[ubuntu/zesty-proposed] tomcat8 8.0.38-2ubuntu1 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Wed Feb 15 18:03:15 UTC 2017
tomcat8 (8.0.38-2ubuntu1) zesty; urgency=medium

  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on
      /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
Date: Wed, 15 Feb 2017 08:38:11 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/tomcat8/8.0.38-2ubuntu1
Format: 1.8
Date: Wed, 15 Feb 2017 08:38:11 -0500
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.0.38-2ubuntu1
Distribution: zesty
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Original-Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>