[tomcat6] 04/06: Update changelog

Markus Koschany apo-guest at moszumanska.debian.org
Sat Feb 27 15:31:20 GMT 2016


This is an automated email from the git hooks/post-receive script.

apo-guest pushed a commit to branch master
in repository tomcat6.

commit 537c67173566022702fa7322c153882739acf0b7
Author: Markus Koschany <apo at debian.org>
Date:   Sat Feb 27 16:17:15 2016 +0100

    Update changelog
---
 debian/changelog | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index daefc9e..6b6c388 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,37 @@
+tomcat6 (6.0.45-1) unstable; urgency=medium
+
+  * Team upload.
+  * Imported Upstream version 6.0.45.
+  * Declare compliance with Debian Policy 3.9.7.
+  * Vcs-fields: Use https.
+  * This update fixes the following security vulnerabilities in the source
+    package. Since src:tomcat6 only builds libservlet2.5-java and
+    documentation, users are not directly affected.
+    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
+    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
+      processes redirects before considering security constraints and Filters.
+    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
+      org.apache.catalina.manager.StatusManagerServlet on the
+      org/apache/catalina/core/RestrictedServlets.properties list which allows
+      remote authenticated users to bypass intended SecurityManager
+      restrictions.
+    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat before
+      6.0.45 mishandles session attributes, which allows remote authenticated
+      users to bypass intended SecurityManager restrictions.
+    - CVE-2016-0763: The setGlobalContext method in
+      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
+      not consider whether ResourceLinkFactory.setGlobalContext callers are
+      authorized, which allows remote authenticated users to bypass intended
+      SecurityManager restrictions and read or write to arbitrary application
+      data, or cause a denial of service (application disruption), via a web
+      application that sets a crafted global context.
+    - CVE-2015-5351: The Manager and Host Manager applications in
+      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
+      requests, which allows remote attackers to bypass a CSRF protection
+      mechanism by using a token.
+
+ -- Markus Koschany <apo at debian.org>  Sat, 27 Feb 2016 16:12:05 +0100
+
 tomcat6 (6.0.41-4) unstable; urgency=medium
 
   * Removed the timstamp from the Javadoc of the Servlet API
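Review bot: the six CVE bullets in this hunk are inconsistent about the affected range: CVE-2015-5345, CVE-2016-0706 and CVE-2016-0714 say "before 6.0.45", while CVE-2015-5174, CVE-2016-0763 and CVE-2015-5351 state no version at all, so a reader cannot tell from the entry that all six are fixed by the 6.0.45 import. Suggest adding "in Apache Tomcat before 6.0.45" to the three bare entries and, for consistency, moving CVE-2015-5351 up next to the other 2015 identifiers instead of after the 2016 ones. The sentence "Since src:tomcat6 only builds libservlet2.5-java and documentation, users are not directly affected." is the important security statement in this entry, and it is worth keeping it as the first line of the bullet so it is not lost behind the CVE list.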

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git