tomcat6 6.0.35-1ubuntu3.9 source package in Ubuntu
Changelog
tomcat6 (6.0.35-1ubuntu3.9) precise-security; urgency=medium
* SECURITY UPDATE: timing attack in realm implementations
- debian/patches/CVE-2016-0762.patch: add time delays to
java/org/apache/catalina/realm/MemoryRealm.java,
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2016-0762
* SECURITY UPDATE: SecurityManager bypass via a utility method
- debian/patches/CVE-2016-5018.patch: remove unnecessary code in
java/org/apache/jasper/compiler/JspRuntimeContext.java,
java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
java/org/apache/jasper/security/SecurityClassLoad.java.
- CVE-2016-5018
* SECURITY UPDATE: mitigaton for httpoxy issue
- debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
java/org/apache/catalina/servlets/CGIServlet.java.
- CVE-2016-5388
* SECURITY UPDATE: system properties read SecurityManager bypass
- debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
to the system property replacement feature of the digester in
java/org/apache/catalina/loader/WebappClassLoader.java,
java/org/apache/tomcat/util/digester/Digester.java,
java/org/apache/tomcat/util/security/PermissionCheck.java.
- CVE-2016-6794
* SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
parameters
- debian/patches/CVE-2016-6796.patch: ignore some JSP options when
running under a SecurityManager in conf/web.xml,
java/org/apache/jasper/EmbeddedServletOptions.java,
java/org/apache/jasper/resources/LocalStrings.properties,
java/org/apache/jasper/servlet/JspServlet.java,
webapps/docs/jasper-howto.xml.
- CVE-2016-6796
* SECURITY UPDATE: web application global JNDI resource access
- debian/patches/CVE-2016-6797.patch: ensure that the global resource
is only visible via the ResourceLinkFactory when it is meant to be in
java/org/apache/catalina/core/NamingContextListener.java,
java/org/apache/naming/factory/ResourceLinkFactory.java.
- CVE-2016-6797
* SECURITY UPDATE: HTTP response injection via invalid characters
- debian/patches/CVE-2016-6816.patch: add additional checks for valid
characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/coyote/http11/InternalNioInputBuffer.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/http/parser/HttpParser.java.
- CVE-2016-6816
* SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
- debian/patches/CVE-2016-8735.patch: explicitly configure allowed
credential types in
java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
- CVE-2016-8735
* SECURITY UPDATE: information leakage between requests
- debian/patches/CVE-2016-8745.patch: properly handle cache when unable
to complete sendfile request in
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2016-8745
* SECURITY UPDATE: privilege escalation during package upgrade
- debian/rules, debian/tomcat6.postinst: properly set permissions on
/etc/tomcat7/Catalina/localhost.
- CVE-2016-9774
* SECURITY UPDATE: privilege escalation during package removal
- debian/tomcat6.postrm.in: don't reset permissions before removing
user.
- CVE-2016-9775
* debian/tomcat6.init: further hardening.
-- Marc Deslauriers <email address hidden> Thu, 19 Jan 2017 15:18:22 -0500
Upload details
- Uploaded by:
- Marc Deslauriers
- Uploaded to:
- Precise
- Original maintainer:
- Ubuntu Developers
- Architectures:
- all
- Section:
- java
- Urgency:
- Medium Urgency
See full publishing history Publishing
| Series | Published | Component | Section |
|---|
Downloads
| File | Size | SHA-256 Checksum |
|---|---|---|
| tomcat6_6.0.35.orig.tar.gz | 3.1 MiB | d348778396d7dde5c290c87d18464f9abc3b6d4d5e9a8e6ba13c4eddfebe6ab8 |
| tomcat6_6.0.35-1ubuntu3.9.debian.tar.gz | 98.8 KiB | f679107899425f8d00bdb12fc8526964202c1d0c775ccbb04c3258f89055dd49 |
| tomcat6_6.0.35-1ubuntu3.9.dsc | 2.7 KiB | 02ec0785ff26f0856750eb1a55f804f5639a822c4c99c8a050ca8d9804df51d7 |
Available diffs
Binary packages built by this source
- libservlet2.5-java: Servlet 2.5 and JSP 2.1 Java API classes
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the Java Servlet and JSP library.
- libservlet2.5-java-doc: Servlet 2.5 and JSP 2.1 Java API documentation
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the documentation for the Java Servlet and JSP library.
- libtomcat6-java: Servlet and JSP engine -- core libraries
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the Tomcat core classes which can be used by other
Java applications to embed Tomcat.
- tomcat6: Servlet and JSP engine
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains only the startup scripts for the system-wide daemon.
No documentation or web applications are included here, please install
the tomcat6-docs and tomcat6-examples packages if you want them.
Install the authbind package if you need to use Tomcat on ports 1-1023.
Install tomcat6-user instead of this package if you don't want Tomcat to
start as a service.
- tomcat6-admin: Servlet and JSP engine -- admin web applications
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the administrative web interfaces.
- tomcat6-common: Servlet and JSP engine -- common files
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains common files needed by the tomcat6 and tomcat6-user
packages (Tomcat 6 scripts and libraries).
- tomcat6-docs: Servlet and JSP engine -- documentation
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the online documentation web application.
- tomcat6-examples: Servlet and JSP engine -- example web applications
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the default Tomcat example webapps.
- tomcat6-extras: Servlet and JSP engine -- additional components
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains additional ("extra") component libraries.
(Currently only catalina-jmx-remote. jar.)
- tomcat6-user: Servlet and JSP engine -- tools to create user instances
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains files needed to create a user Tomcat instance.
This user Tomcat instance can be started and stopped using the scripts
provided in the Tomcat instance directory.
