-
tomcat7 (7.0.68-1ubuntu0.4) xenial-security; urgency=medium
* SECURITY REGRESSION: security manager startup issue (LP: #1799990)
- debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
update to new /var/lib/tomcat7/policy location.
- debian/tomcat7.postrm.in: remove policy directory.
-- Eduardo Barretto <email address hidden> Tue, 30 Oct 2018 09:54:52 -0300
-
tomcat7 (7.0.68-1ubuntu0.3) xenial-security; urgency=medium
* SECURITY UPDATE: Timing attack can determine valid user names.
- debian/patches/CVE-2016-0762.patch: fix in the Realm
implementation.
- CVE-2016-0762
* SECURITY UPDATE: privilege escalation via insecure init script
- debian/tomcat7.init: don't follow symlinks when handling the
catalina.out file.
- CVE-2016-1240
* SECURITY UPDATE: SecurityManager bypass via a utility method.
- debian/patches/CVE-2016-5018.patch: remove unnecessary code in
java/org/apache/jasper/compiler/JspRuntimeContext.java,
java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
java/org/apache/jasper/security/SecurityClassLoad.java.
- debian/patches/CVE-2016-5018-part2.patch: fix a regression when
using Jasper with SecurityManager enabled.
- CVE-2016-5018
* SECURITY UPDATE: system properties read SecurityManager bypass
- debian/patches/CVE-2016-6794.patch: extend SecurityManager
protection to the system property replacement feature of the
digester in java/org/apache/catalina/loader/WebappClassLoader.java,
java/org/apache/tomcat/util/digester/Digester.java,
java/org/apache/tomcat/util/security/PermissionCheck.java.
- CVE-2016-6794
* SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
parameters.
- debian/patches/CVE-2016-6796.patch: ignore some JSP options when
running under a SecurityManager in conf/web.xml,
java/org/apache/jasper/EmbeddedServletOptions.java,
java/org/apache/jasper/resources/LocalStrings.properties,
java/org/apache/jasper/servlet/JspServlet.java,
webapps/docs/jasper-howto.xml.
- CVE-2016-6796
* SECURITY UPDATE: web application global JNDI resource access
- debian/patches/CVE-2016-6797.patch: ensure that the global resource
is only visible via the ResourceLinkFactory when it is meant to be
in java/org/apache/catalina/core/NamingContextListener.java,
java/org/apache/naming/factory/ResourceLinkFactory.java,
test/org/apache/naming/TestNamingContext.java.
- CVE-2016-6797
* SECURITY UPDATE: HTTP response injection via invalid characters
- debian/patches/CVE-2016-6816.patch: add additional checks for valid
characters in
java/org/apache/coyote/http11/AbstractInputBuffer.java,
java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/http/parser/HttpParser.java.
- CVE-2016-6816
* SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
- debian/patches/CVE-2016-8735.patch: explicitly configure allowed
credential types in
java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
- CVE-2016-8735
* SECURITY UPDATE: information leakage between requests
- debian/patches/CVE-2016-8745.patch: properly handle cache when
unable to complete sendfile request in
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2016-8745
* SECURITY UPDATE: privilege escalation during package upgrade
- debian/rules, debian/tomcat7.postinst: properly set permissions on
/etc/tomcat7/Catalina/localhost.
- CVE-2016-9774
* SECURITY UPDATE: privilege escalation during package removal
- debian/tomcat7.postrm.in: don't reset permissions before removing
user.
- CVE-2016-9775
* debian/tomcat7.init: further hardening.
-- Eduardo Barretto <email address hidden> Fri, 19 Oct 2018 10:46:37 -0300
-
tomcat7 (7.0.68-1ubuntu0.2) xenial; urgency=medium
* Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains
the '%' character (LP: #1666570).
* Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of
2.2 (LP: #1664179).
-- Joshua Powers <email address hidden> Tue, 28 Mar 2017 16:15:05 -0700
-
tomcat7 (7.0.68-1ubuntu0.1) xenial-security; urgency=medium
* SECURITY UPDATE: denial of service in FileUpload
- debian/patches/CVE-2016-3092.patch: properly handle size in
java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
- CVE-2016-3092
-- Marc Deslauriers <email address hidden> Mon, 27 Jun 2016 14:13:17 -0400
-
tomcat7 (7.0.68-1) unstable; urgency=medium
* Team upload.
* New upstream release (Closes: #814640)
- Refreshed the patches
- New build dependencies on easymock, cglib and objenesis
- Added ASM to the test classpath (required by Easymock)
* Use LC_ALL instead of LANG to format the date and make the documentation
reproducible on the builders
* Standards-Version updated to 3.9.7 (no changes)
* Use secure Vcs-* URLs
-- Emmanuel Bourg <email address hidden> Thu, 18 Feb 2016 22:26:43 +0100
-
tomcat7 (7.0.64-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
* Install the missing WebSocket jars in /usr/share/tomcat7/lib/
(Closes: #787220, LP: #1326687)
* Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
* Fixed an upgrade error when /etc/tomcat7/tomcat-users.xml is removed
(LP: #1010791)
* Fixed a minor HTML error in the default index.html file (LP: #1236132)
-- Emmanuel Bourg <email address hidden> Fri, 28 Aug 2015 09:47:33 +0200
