[ubuntu/xenial-updates] tomcat6 6.0.45+dfsg-1ubuntu0.1 (Accepted)
Ubuntu Archive Robot
cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Wed Sep 30 00:58:07 UTC 2020
tomcat6 (6.0.45+dfsg-1ubuntu0.1) xenial-security; urgency=medium
* Merge patches from Debian.
* SECURITY UPDATE: Timing attack.
- debian/patches/CVE-2016-0762.patch: Make timing attacks against the
Realm implementations harder.
- CVE-2016-0762
* SECURITY UPDATE: SecurityManager bypass.
- debian/patches/CVE-2016-5018.patch: Remove unnecessary code.
- debian/patches/CVE-2016-5018-part2.patch: Fix regression.
- debian/patches/CVE-2016-6794.patch: Provide a mechanism that enables
the container to check if a component has been granted a given
permission when running under a SecurityManager.
- debian/patches/CVE-2016-6796.patch: Ignore some JSP options when
running under a SecurityManager.
- CVE-2016-5018
- CVE-2016-6794
- CVE-2016-6796
* SECURITY UPDATE: Limited resources bypass.
- debian/patches/CVE-2016-6797.patch: When adding and removing
ResourceLinks dynamically, ensure that the global resource is only
visible via the ResourceLinkFactory when it is meant to be.
- debian/patches/CVE-2016-6797-part2.patch: Fix regression.
- CVE-2016-6797
* SECURITY UPDATE: Data injection in HTTP requests.
- debian/patches/CVE-2016-6816.patch: Add additional checks for valid
characters to the HTTP request line parsing so invalid request lines
are rejected sooner.
- CVE-2016-6816
* SECURITY UPDATE: Remote code execution.
- debian/patches/CVE-2016-8735.patch: Explicitly configure allowed
credential types.
- CVE-2016-8735
Date: 2020-09-29 18:17:14.801567+00:00
Changed-By: Eduardo Barretto <eduardo.barretto at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/tomcat6/6.0.45+dfsg-1ubuntu0.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the Xenial-changes
mailing list