
[SECURITY] [DLA 729-1] tomcat7 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tomcat7
Version        : 7.0.28-4+deb7u7
CVE ID         : CVE-2016-0762 CVE-2016-5018 CVE-2016-6794
                 CVE-2016-6796 CVE-2016-6797 CVE-2016-6816
                 CVE-2016-8735
Debian Bug     : 841655 842662 842663 842664 842665 842666 845385


Multiple security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine, which may result in possible timing attacks to
determine valid user names, bypass of the SecurityManager, disclosure of
system properties, unrestricted access to global resources, arbitrary
file overwrites, and potentially escalation of privileges.

In addition, this update further hardens Tomcat's init and maintainer
scripts to prevent possible privilege escalations. Thanks to Paul
Szabo for the report.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u7.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
