Mapping stable-security to proposed-updates. Accepted:
Format: 1.8
Date: Thu, 23 Jun 2016 00:27:20 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high
 .
   * Team upload.
 .
   [ Emmanuel Bourg ]
   * Fix CVE-2016-3092: Denial-of-Service vulnerability with file uploads
 .
   [ Markus Koschany ]
   * Fix CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java
     allows remote authenticated users to bypass intended SecurityManager
     restrictions and list a parent directory via a /.. (slash dot dot) in a
     pathname used by a web application in a getResource, getResourceAsStream,
     or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps
     directory.
   * Fix CVE-2015-5345: The Mapper component in Apache Tomcat processes
     redirects before considering security constraints and Filters, which
     allows remote attackers to determine the existence of a directory via a
     URL that lacks a trailing / (slash) character.
   * Fix CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when
     different session settings are used for deployments of multiple versions
     of the same web application, might allow remote attackers to hijack web
     sessions by leveraging use of a requestedSessionSSL field for an
     unintended request, related to CoyoteAdapter.java and Request.java.
   * Fix CVE-2015-5351: The Manager and Host Manager applications in Apache
     Tomcat establish sessions and send CSRF tokens for arbitrary new
     requests, which allows remote attackers to bypass a CSRF protection
     mechanism by using a token.
   * Fix CVE-2016-0706: Apache Tomcat does not place
     org.apache.catalina.manager.StatusManagerServlet on the
     org/apache/catalina/core/RestrictedServlets.properties list, which
     allows remote authenticated users to bypass intended SecurityManager
     restrictions and read arbitrary HTTP requests, and consequently discover
     session ID values, via a crafted web application.
   * Fix CVE-2016-0714: The session-persistence implementation in Apache
     Tomcat mishandles session attributes, which allows remote authenticated
     users to bypass intended SecurityManager restrictions and execute
     arbitrary code in a privileged context via a web application that
     places a crafted object in a session.
   * Fix CVE-2016-0763: The setGlobalContext method in
     org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
     not consider whether ResourceLinkFactory.setGlobalContext callers are
     authorized, which allows remote authenticated users to bypass intended
     SecurityManager restrictions and read or write to arbitrary application
     data, or cause a denial of service (application disruption), via a web
     application that sets a crafted global context.

Thank you for your contribution to Debian.