[SECURITY] [DLA 623-1] tomcat7 security update
Package : tomcat7
Version : 7.0.28-4+deb7u6
CVE ID : CVE-2016-1240
Dawid Golunski from legalhackers.com discovered that Debian's version
of Tomcat 7 was vulnerable to a local privilege escalation. Local
attackers who have gained access to the server in the context of the
tomcat7 user through a vulnerability in a web application were able to
replace the file with a symlink to an arbitrary file.
The full advisory can be found at
http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Escalation-Exploit.txt
In addition, this security update also fixes Debian bug #821391: file
ownership in /etc/tomcat7 will no longer be unconditionally overridden
on upgrade. As another precaution, the file permissions of Debian-specific
configuration files in /etc/tomcat7 were changed to 640 to disallow
world-readable access.
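The two hardening points above, configuration files that are world-readable and a privileged process acting on a file that the service user has swapped for a symlink, can both be audited from the command line. The script below is an added example, not part of the Debian advisory or of the tomcat7 package: the only path taken from the advisory is /etc/tomcat7, the directory writable by the tomcat7 user is a parameter you supply, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the DLA or the tomcat7 package): audit checks for
# the two hardening points in the advisory. All function names are this
# example's own; /etc/tomcat7 is the only path taken from the advisory.

# Print every regular file under $1 that is readable by "other"
# (mode has the 0004 bit). Returns 1 if any such file exists, 0 otherwise.
# A file with mode 640, as the advisory now ships, passes this check.
find_world_readable() {
    find "$1" -type f -perm -004 -print 2>/dev/null | {
        n=0
        while IFS= read -r f; do
            echo "world-readable: $f"
            n=$((n + 1))
        done
        [ "$n" -eq 0 ]
    }
}

# Print every symbolic link under $1, a directory the service user can
# write to. A privileged chown/chmod that follows such a link would act on
# the link target rather than on the file the administrator intended.
# Returns 1 if any symlink exists, 0 otherwise.
find_symlinks() {
    find "$1" -type l -print 2>/dev/null | {
        n=0
        while IFS= read -r f; do
            echo "symlink: $f -> $(readlink "$f")"
            n=$((n + 1))
        done
        [ "$n" -eq 0 ]
    }
}

# Return 0 only if $1 is a regular file and not a symlink. Privileged
# maintenance steps (chown, chmod, truncate) should be gated on this rather
# than run unconditionally on a path inside a service-writable directory.
check_regular_file() {
    if [ -L "$1" ]; then
        echo "refusing: $1 is a symlink" >&2
        return 1
    fi
    if [ ! -f "$1" ]; then
        echo "refusing: $1 is not a regular file" >&2
        return 1
    fi
    return 0
}

# Run both audits. $1 is the configuration directory (default /etc/tomcat7,
# from the advisory); $2 is the directory writable by the tomcat7 user
# (no default: the advisory does not name it, so supply it yourself).
audit_tomcat7() {
    conf_dir=${1:-/etc/tomcat7}
    writable_dir=${2:?usage: audit_tomcat7 CONF_DIR WRITABLE_DIR}
    status=0
    find_world_readable "$conf_dir" || status=1
    find_symlinks "$writable_dir" || status=1
    return "$status"
}

# Only run the audit when invoked explicitly, e.g.:
#   sh audit.sh --audit /etc/tomcat7 <dir-writable-by-tomcat7-user>
case "${1:-}" in
    --audit) shift; audit_tomcat7 "$@" ;;
esac
```

`check_regular_file` followed by a `chown` is still a check-then-act sequence, so it narrows the window rather than closing it; the durable fix is the one the advisory describes, not overriding ownership unconditionally on upgrade, with the audit functions used to confirm that the shipped 640 modes have not drifted.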
For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u6.
We recommend that you upgrade your tomcat7 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS