Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-728-1 tomcat6

Debian Security Advisory

DLA-728-1 tomcat6 -- LTS security update

Date Reported:

01 Dec 2016

Affected Packages:

tomcat6

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 841655, Bug 842662, Bug 842663, Bug 842664, Bug 842665, Bug 842666, Bug 845385.
In Mitre's CVE dictionary: CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797, CVE-2016-6816, CVE-2016-8735.

More information:

Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in possible timing attacks to determine valid user names, bypass of the SecurityManager, disclosure of system properties, unrestricted access to global resources, arbitrary file overwrites, and potentially escalation of privileges.

In addition this update further hardens Tomcat's init and maintainer scripts to prevent possible privilege escalations. Thanks to Paul Szabo for the report.

This is probably the last security update of Tomcat 6 which will reach its end-of-life exactly in one month. We strongly recommend to switch to another supported version such as Tomcat 7 at your earliest convenience.

For Debian 7 Wheezy, these problems have been fixed in version 6.0.45+dfsg-1~deb7u3.

We recommend that you upgrade your tomcat6 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS