[ubuntu/xenial-security] tomcat6 6.0.45+dfsg-1ubuntu0.1 (Accepted)

Eduardo Barretto eduardo.barretto at canonical.com
Tue Sep 29 20:04:05 UTC 2020

tomcat6 (6.0.45+dfsg-1ubuntu0.1) xenial-security; urgency=medium

  * Merge patches from Debian.
  * SECURITY UPDATE: Timing attack.
    - debian/patches/CVE-2016-0762.patch: Make timing attacks against the
      Realm implementations harder.
    - CVE-2016-0762
  * SECURITY UPDATE: SecurityManager bypass.
    - debian/patches/CVE-2016-5018.patch: Remove unnecessary code.
    - debian/patches/CVE-2016-5018-part2.patch: Fix regression.
    - debian/patches/CVE-2016-6794.patch: Provide a mechanism that enables
      the container to check if a component has been granted a given
      permission when running under a SecurityManager.
    - debian/patches/CVE-2016-6796.patch: Ignore some JSP options when
      running under a SecurityManager.
    - CVE-2016-5018
    - CVE-2016-6794
    - CVE-2016-6796
  * SECURITY UPDATE: Limited resources bypass.
    - debian/patches/CVE-2016-6797.patch: When adding and removing
      ResourceLinks dynamically, ensure that the global resource is only
      visible via the ResourceLinkFactory when it is meant to be.
    - debian/patches/CVE-2016-6797-part2.patch: Fix regression.
    - CVE-2016-6797
  * SECURITY UPDATE: Data injection in HTTP requests.
    - debian/patches/CVE-2016-6816.patch: Add additional checks for valid
      characters to the HTTP request line parsing so invalid request lines
      are rejected sooner.
    - CVE-2016-6816
  * SECURITY UPDATE: Remote code execution.
    - debian/patches/CVE-2016-8735.patch: Explicitly configure allowed
      credential types.
    - CVE-2016-8735

Date: 2020-09-29 18:17:14.801567+00:00
Changed-By: Eduardo Barretto <eduardo.barretto at canonical.com>
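
The request-line hardening described for CVE-2016-6816 above, as an added illustration in Python rather than Tomcat's own Java parser: a strict validator that rejects a request line at the first byte outside the RFC 7230 / RFC 3986 character sets, so that a permissive server and a stricter proxy in front of it cannot interpret the same line differently. The constant names, the `BadRequestLine` exception and the sample request lines are constructed for this example.

```python
import re
import string

# RFC 7230 tchar: the only characters allowed in a method token.
TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")
# Origin-form request-target (RFC 3986 path + query): unreserved, sub-delims, :@/?%
TARGET_CHARS = frozenset(string.ascii_letters + string.digits
                         + "-._~" + "!$&'()*+,;=" + ":@/?%")
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")
VERSION = re.compile(r"^HTTP/[0-9]\.[0-9]$")


class BadRequestLine(ValueError):
    """Raised at the first invalid byte; the server should answer 400."""


def parse_request_line(raw: bytes) -> tuple[str, str, str]:
    """Return (method, target, version) or raise BadRequestLine (constructed)."""
    line = raw[:-2] if raw.endswith(b"\r\n") else raw
    # CTLs (HTAB, CR, LF, DEL, ...) and non-ASCII bytes are never valid here.
    if any(b < 0x20 or b >= 0x7F for b in line):
        raise BadRequestLine("control or non-ASCII byte in request line")
    parts = line.decode("ascii").split(" ")
    # Exactly one SP between fields: doubled, leading or trailing SP fails.
    if len(parts) != 3 or not all(parts):
        raise BadRequestLine("expected 'method SP request-target SP version'")
    method, target, version = parts
    if not set(method) <= TCHAR:
        raise BadRequestLine(f"invalid character in method {method!r}")
    # Origin-form starts with "/"; "*" is the asterisk-form used by OPTIONS.
    if target != "*" and not target.startswith("/"):
        raise BadRequestLine(f"unsupported request-target {target!r}")
    if not set(target) <= TARGET_CHARS:
        raise BadRequestLine(f"invalid character in request-target {target!r}")
    # Every "%" must be followed by exactly two hex digits.
    if target.count("%") != len(PCT_ENCODED.findall(target)):
        raise BadRequestLine("malformed percent-encoding in request-target")
    if not VERSION.match(version):
        raise BadRequestLine(f"invalid HTTP-version {version!r}")
    return method, target, version


def is_valid_request_line(raw: bytes) -> bool:
    """True if the line would be accepted, False if it is rejected."""
    try:
        parse_request_line(raw)
        return True
    except BadRequestLine:
        return False
```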