[tomcat7] 01/01: Upload to jessie-security

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Fri Nov 11 23:09:35 UTC 2016


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat7.

commit f6a09cd4f3ca568fa349ae2231cbe94b9ee768e5
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Sat Nov 12 00:06:53 2016 +0100

    Upload to jessie-security
---
 debian/changelog | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index b6e9301..1c00500 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,23 +2,24 @@ tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
 
   * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
     password if the supplied user name did not exist. This made a timing attack
-    possible to determine valid user names.
+    possible to determine valid user names. (Closes: #842662)
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
-    accessible to web applications.
+    accessible to web applications. (Closes: #842663)
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
     configuration files could be used by a malicious web application to bypass
     the SecurityManager and read system properties that should not be visible.
+    (Closes: #842664)
   * Fixed CVE-2016-6796: A malicious web application was able to bypass
     a configured SecurityManager via manipulation of the configuration
-    parameters for the JSP Servlet.
+    parameters for the JSP Servlet. (Closes: #842665)
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
     access to global JNDI resources to those resources explicitly linked to the
     web application. Therefore, it was possible for a web application to access
     any global JNDI resource whether an explicit ResourceLink had been
-    configured or not.
+    configured or not. (Closes: #842666)
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
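Review bot: the five closers added to the CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796 and CVE-2016-6797 entries run consecutively from #842662 to #842666, and nothing in the entry text lets a reader confirm that each number belongs to the CVE it is attached to. A swapped number would record the fix against the wrong bug, so check each pairing against the bug titles before uploading. The CVE-2016-1240 follow-up entry at the end of this hunk gets no closer in the visible lines; if a bug was filed for the init.d race condition, reference it there in the same "(Closes: #NNNNNN)" form.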
@@ -28,7 +29,7 @@ tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
       Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo
 
- -- Emmanuel Bourg <ebourg at apache.org>  Sun, 30 Oct 2016 12:51:13 +0100
+ -- Emmanuel Bourg <ebourg at apache.org>  Sat, 12 Nov 2016 00:06:36 +0100
 
 tomcat7 (7.0.56-3+deb8u4) jessie-security; urgency=high
 
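Review bot: the trailer timestamp moves from 30 Oct 2016 to 12 Nov 2016 while the entry keeps the version 7.0.56-3+deb8u5 shown in the hunk header. That is fine only if deb8u5 with the earlier date was never uploaded; if it was, these changelog edits belong in a new deb8u6 entry rather than in a re-dated deb8u5.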

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git