
[SECURITY] [DLA 435-1] tomcat6 security update




Package        : tomcat6
Version        : 6.0.45-1~deb6u1
CVE ID         : CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
                 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

Tomcat 6, an implementation of the Java Servlet and the JavaServer
Pages (JSP) specifications and a pure Java web server environment, was
affected by multiple security issues prior to version 6.0.45.

CVE-2015-5174
   Directory traversal vulnerability in RequestUtil.java in Apache
   Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27
   allows remote authenticated users to bypass intended SecurityManager
   restrictions and list a parent directory via a /.. (slash dot dot)
   in a pathname used by a web application in a getResource,
   getResourceAsStream, or getResourcePaths call, as demonstrated by
   the $CATALINA_BASE/webapps directory.
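
As an added illustration (not Tomcat's own RequestUtil code), the check a resource lookup needs before a path reaches getResource, getResourceAsStream or getResourcePaths: collapse "." and ".." segments, including a trailing "/.." that a loop matching only "/../" would miss, and refuse any path that would climb above the web application root. The class and method names are assumed.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Illustrative resource-path normalizer (added example, not Tomcat's code).
 * CVE-2015-5174 shows why "/.." must be resolved before the lookup: a
 * path such as "/WEB-INF/.." that is not collapsed names the parent of
 * the web application root, so the caller lists a directory it should
 * never see. This routine collapses "." and ".." and returns null for
 * any path that would leave the root.
 */
public final class ResourcePathNormalizer {

    /** Returns the canonical path, or null if the path escapes the root. */
    public static String normalize(String path) {
        if (path == null) {
            return null;
        }
        // Treat backslashes like slashes so "\..\" is not missed.
        String p = path.replace('\\', '/');
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                 // "//" and "/./" are no-ops
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;          // would climb above the root: reject
                }
                segments.removeLast();    // step back one directory
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        // Constructed sample paths; expected results in the comments.
        String[] samples = {
            "/WEB-INF/web.xml",           // -> /WEB-INF/web.xml
            "/WEB-INF/./classes//x.txt",  // -> /WEB-INF/classes/x.txt
            "/WEB-INF/..",                // trailing "/.." -> / (still inside root)
            "/..",                        // -> null (parent of the root)
            "/a/../../b",                 // -> null
        };
        for (String s : samples) {
            System.out.println(s + " -> " + normalize(s));
        }
    }
}
```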

CVE-2015-5345
   The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before
   7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes
   redirects before considering security constraints and Filters, which
   allows remote attackers to determine the existence of a directory
   via a URL that lacks a trailing / (slash) character.

CVE-2015-5351
   The Manager and Host Manager applications in Apache Tomcat
   establish sessions and send CSRF tokens for arbitrary new requests,
   which allows remote attackers to bypass a CSRF protection mechanism
   by using a token.

CVE-2016-0706
   Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before
   8.0.31, and 9.x before 9.0.0.M2 does not place
   org.apache.catalina.manager.StatusManagerServlet on the
   org/apache/catalina/core/RestrictedServlets.properties list, which
   allows remote authenticated users to bypass intended SecurityManager
   restrictions and read arbitrary HTTP requests, and consequently
   discover session ID values, via a crafted web application.

CVE-2016-0714
   The session-persistence implementation in Apache Tomcat 6.x before
   6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before
   9.0.0.M2 mishandles session attributes, which allows remote
   authenticated users to bypass intended SecurityManager restrictions
   and execute arbitrary code in a privileged context via a web
   application that places a crafted object in a session.

CVE-2016-0763
   The setGlobalContext method in
   org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat
   does not consider whether ResourceLinkFactory.setGlobalContext
   callers are authorized, which allows remote authenticated users to
   bypass intended SecurityManager restrictions and read or write to
   arbitrary application data, or cause a denial of service
   (application disruption), via a web application that sets a crafted
   global context.


For Debian 6 "Squeeze", these problems have been fixed in version
6.0.45-1~deb6u1.

We recommend that you upgrade your tomcat6 packages.


