tomcat7_7.0.28-4+deb7u4_amd64.changes ACCEPTED into oldstable-proposed-updates->oldstable-new

Debian FTP Masters ftpmaster at ftp-master.debian.org
Sun Apr 17 19:23:02 UTC 2016


Mapping oldstable-security to oldstable-proposed-updates.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Apr 2016 13:07:43 +0200
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-4+deb7u4
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Changed-By: Markus Koschany <apo at debian.org>
Description: 
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes: 
 tomcat7 (7.0.28-4+deb7u4) wheezy-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2014-0096:
     java/org/apache/catalina/servlets/DefaultServlet.java in the default
     servlet in Apache Tomcat does not properly restrict XSLT stylesheets, which
     allows remote attackers to bypass security-manager restrictions and read
     arbitrary files via a crafted web application that provides an XML external
     entity declaration in conjunction with an entity reference, related to an
     XML External Entity (XXE) issue.
   * Fix CVE-2014-0119:
     It was found that in limited circumstances it was possible for a malicious
     web application to replace the XML parsers used by Tomcat to process XSLTs
     for the default servlet, JSP documents, tag library descriptors (TLDs) and
     tag plugin configuration files. The injected XML parser(s) could then
     bypass the limits imposed on XML external entities and/or have visibility
     of the XML files processed for other web applications deployed on the same
     Tomcat instance.
   * Fix CVE-2015-5174:
     Directory traversal vulnerability in RequestUtil.java allows remote
     authenticated users to bypass intended SecurityManager restrictions and
     list a parent directory via a /.. (slash dot dot) in a pathname used by a
     web application in a getResource, getResourceAsStream, or getResourcePaths
     call, as demonstrated by the $CATALINA_BASE/webapps directory.
   * Fix CVE-2015-5345:
     The Mapper component in Apache Tomcat processes redirects before
     considering security constraints and Filters, which allows remote attackers
     to determine the existence of a directory via a URL that lacks a trailing /
     (slash) character.
   * Fix CVE-2015-5346:
     Session fixation vulnerability in Apache Tomcat when different session
     settings are used for deployments of multiple versions of the same web
     application might allow remote attackers to hijack web sessions by
     leveraging use of a requestedSessionSSL field for an unintended request,
     related to CoyoteAdapter.java and Request.java.
   * Fix CVE-2015-5351:
     The Manager and Host Manager applications in Apache Tomcat establish
     sessions and send CSRF tokens for arbitrary new requests, which allows
     remote attackers to bypass a CSRF protection mechanism by using a token.
   * Fix CVE-2016-0706:
     Apache Tomcat does not place
     org.apache.catalina.manager.StatusManagerServlet on the
     org/apache/catalina/core/RestrictedServlets.properties list, which allows
     remote authenticated users to bypass intended SecurityManager restrictions
     and read arbitrary HTTP requests, and consequently discover session ID
     values, via a crafted web application.
   * Fix CVE-2016-0714:
     The session-persistence implementation in Apache Tomcat mishandles session
     attributes, which allows remote authenticated users to bypass intended
     SecurityManager restrictions and execute arbitrary code in a privileged
     context via a web application that places a crafted object in a session.
   * Fix CVE-2016-0763:
     The setGlobalContext method in
     org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
     not consider whether ResourceLinkFactory.setGlobalContext callers are
     authorized, which allows remote authenticated users to bypass intended
     SecurityManager restrictions and read or write to arbitrary application
     data, or cause a denial of service (application disruption), via a web
     application that sets a crafted global context.
Checksums-Sha1: 
 4460caa7aa6ef4b9194f73bcc5ba1195cfe9cddc 2760 tomcat7_7.0.28-4+deb7u4.dsc
 461b985c6271009a21cce55a7bab518288728253 128353 tomcat7_7.0.28-4+deb7u4.debian.tar.gz
 c48dfca36d7b94fbb36bcd0737e570a8d3638aa2 64338 tomcat7-common_7.0.28-4+deb7u4_all.deb
 d8cb22a7d8bed4623306c8bada2165db584b172a 51822 tomcat7_7.0.28-4+deb7u4_all.deb
 9fd1c0087276fe4f9235a4a6c7aaaebfb3c63d99 39876 tomcat7-user_7.0.28-4+deb7u4_all.deb
 c7a955c2ecbf1bbd664aea56814e45bc6757d7a7 3511536 libtomcat7-java_7.0.28-4+deb7u4_all.deb
 52ec47b768baccece0cb5e2d8188880679f04a9f 305930 libservlet3.0-java_7.0.28-4+deb7u4_all.deb
 9a9fed5be8e0b9ec6e59f3774f8c7eabb8705b48 301556 libservlet3.0-java-doc_7.0.28-4+deb7u4_all.deb
 2ceeca04ba97a02fbc95175505f937c75831ad61 52552 tomcat7-admin_7.0.28-4+deb7u4_all.deb
 0e1aa3a1dfa7ed25a7a3185a52bf3a9bbb766868 206206 tomcat7-examples_7.0.28-4+deb7u4_all.deb
 6c41d16bf038e10c4879430c97ee4d644db54c5d 647750 tomcat7-docs_7.0.28-4+deb7u4_all.deb
Checksums-Sha256: 
 997a41d934e6583e11cdf9cb97704a7727a56e641e35de40fe05bf5fbad4460b 2760 tomcat7_7.0.28-4+deb7u4.dsc
 d59d7e00795b9beae032d47537028e2c647c487e6b0be8beef5e84536e81bb9a 128353 tomcat7_7.0.28-4+deb7u4.debian.tar.gz
 2fbc9483ba6ca9ce1e84635277076e9a7d9427b0f2a71298700b0976bb9bfa39 64338 tomcat7-common_7.0.28-4+deb7u4_all.deb
 fe9f151dd8483e94ed4c2c1ebfb51525399ecb6162aec8cdd58974d67fb5d8d3 51822 tomcat7_7.0.28-4+deb7u4_all.deb
 5943f7437dadde5ef6b7d694e04f6ee936fd8c145d18901f60a2d218a30b67ce 39876 tomcat7-user_7.0.28-4+deb7u4_all.deb
 47cdded64fc11f40cdad2b7f084ba4d696885b5ff2da07c8b6b5d3cb7ace4bb4 3511536 libtomcat7-java_7.0.28-4+deb7u4_all.deb
 c96474dc4aa982b8a1091a4586a08d8c7ed30817108b4e8c5d60b4d71a03b515 305930 libservlet3.0-java_7.0.28-4+deb7u4_all.deb
 0bf327a8d5a6950550e6ce31a614cfe324acf07c9d4026f34c1a6b45a5457116 301556 libservlet3.0-java-doc_7.0.28-4+deb7u4_all.deb
 2c82840091ec826780f34a41fc76d8e27eb54cb76df0bbfda31e008d91e625be 52552 tomcat7-admin_7.0.28-4+deb7u4_all.deb
 4ee3271b72a206c00c6b3547fe70826e55062c35907ffc115a3185ee4952fcab 206206 tomcat7-examples_7.0.28-4+deb7u4_all.deb
 121c087180b807c75d9dee69197f588deae27cfd153189959481fe54a6f96c77 647750 tomcat7-docs_7.0.28-4+deb7u4_all.deb
Files: 
 c3328903d6d704453a1f8bfaad39fcc9 2760 java optional tomcat7_7.0.28-4+deb7u4.dsc
 001025a667661461f196298c4dcc23b5 128353 java optional tomcat7_7.0.28-4+deb7u4.debian.tar.gz
 d2c1d4e844caa116711cd0d5a08749cc 64338 java optional tomcat7-common_7.0.28-4+deb7u4_all.deb
 7d2daa4b713acaf3512bd7370324922f 51822 java optional tomcat7_7.0.28-4+deb7u4_all.deb
 fab48b3ad7b7bc4e9364acbe2597a52e 39876 java optional tomcat7-user_7.0.28-4+deb7u4_all.deb
 53a972b7a0d9a4159ca94f88db6e266f 3511536 java optional libtomcat7-java_7.0.28-4+deb7u4_all.deb
 ef12b5d1457eab37f644cf3abb327e63 305930 java optional libservlet3.0-java_7.0.28-4+deb7u4_all.deb
 7f666f1104540edd960b8aed18cac774 301556 doc optional libservlet3.0-java-doc_7.0.28-4+deb7u4_all.deb
 cdbdaed487b7e47c34175f2958a9e4d0 52552 java optional tomcat7-admin_7.0.28-4+deb7u4_all.deb
 14354421d9846d2f7d3209bcc67b9dbb 206206 java optional tomcat7-examples_7.0.28-4+deb7u4_all.deb
 7aaee802c823e6c0b1cb0d0926212db7 647750 doc optional tomcat7-docs_7.0.28-4+deb7u4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.
