ubuntu/+source/tomcat7:applied/debian/wheezy

Last commit made on 2016-06-05
Get this branch:
git clone -b applied/debian/wheezy https://git.launchpad.net/ubuntu/+source/tomcat7

Branch information

Name:
applied/debian/wheezy
Repository:
lp:ubuntu/+source/tomcat7

Recent commits

8c38c3d... by Markus Koschany <email address hidden> on 2016-04-16

Import patches-applied version 7.0.28-4+deb7u4 to applied/debian/wheezy

Imported using git-ubuntu import.

Changelog parent: e5dd3da09a8adec53d1072fc9ba3c0207d641d96
Unapplied parent: 94c75717e1abb28595553db6c750f15c2ca90304

New changelog entries:
  * Fix CVE-2014-0096:
    java/org/apache/catalina/servlets/DefaultServlet.java in the default
    servlet in Apache Tomcat does not properly restrict XSLT stylesheets, which
    allows remote attackers to bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML external
    entity declaration in conjunction with an entity reference, related to an
    XML External Entity (XXE) issue.
  * Fix CVE-2014-0119:
    It was found that in limited circumstances it was possible for a malicious
    web application to replace the XML parsers used by Tomcat to process XSLTs
    for the default servlet, JSP documents, tag library descriptors (TLDs) and
    tag plugin configuration files. The injected XML parser(s) could then
    bypass the limits imposed on XML external entities and/or have visibility
    of the XML files processed for other web applications deployed on the same
    Tomcat instance.
  * Fix CVE-2015-5174:
    Directory traversal vulnerability in RequestUtil.java allows remote
    authenticated users to bypass intended SecurityManager restrictions and
    list a parent directory via a /.. (slash dot dot) in a pathname used by a
    web application in a getResource, getResourceAsStream, or getResourcePaths
    call, as demonstrated by the $CATALINA_BASE/webapps directory.
  * Fix CVE-2015-5345:
    The Mapper component in Apache Tomcat processes redirects before
    considering security constraints and Filters, which allows remote attackers
    to determine the existence of a directory via a URL that lacks a trailing /
    (slash) character.
  * Fix CVE-2015-5346:
    Session fixation vulnerability in Apache Tomcat when different session
    settings are used for deployments of multiple versions of the same web
    application, might allow remote attackers to hijack web sessions by
    leveraging use of a requestedSessionSSL field for an unintended request,
    related to CoyoteAdapter.java and Request.java.
  * Fix CVE-2015-5351:
    The Manager and Host Manager applications in Apache Tomcat establish
    sessions and send CSRF tokens for arbitrary new requests, which allows
    remote attackers to bypass a CSRF protection mechanism by using a token.
  * Fix CVE-2016-0706:
    Apache Tomcat does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list, which allows
    remote authenticated users to bypass intended SecurityManager restrictions
    and read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
  * Fix CVE-2016-0714:
    The session-persistence implementation in Apache Tomcat mishandles session
    attributes, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and execute arbitrary code in a privileged
    context via a web application that places a crafted object in a session.
  * Fix CVE-2016-0763:
    The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.
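
The practical question this changelog raises for a wheezy host is whether the installed tomcat7 is at or above 7.0.28-4+deb7u4. The following is an added example, not code from the Launchpad page or the Debian package: it re-implements dpkg's Debian version ordering (epoch, upstream version, Debian revision; alternating non-digit and digit segments; "~" sorting before even the end of the string) so the check runs offline without dpkg. The fixed version is taken from the changelog; the dpkg-query output it parses is constructed sample input, and the function and constant names are this example's own.

```python
"""Check whether an installed Debian tomcat7 version carries the wheezy
security update 7.0.28-4+deb7u4 from the changelog above.

Added example, not part of the Launchpad page or the Debian package. The
Debian version ordering is re-implemented here so the check runs offline;
the dpkg-query output below is constructed, not captured from a host.
"""
import re

# Version that fixes the listed CVEs on Debian wheezy (from the changelog).
FIXED_VERSION = "7.0.28-4+deb7u4"


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    rest = version.strip()
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)  # last '-' starts the revision
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def _weight(c):
    """dpkg ordering for one character of a non-digit segment."""
    if c == "~":
        return -1          # '~' sorts before even the end of the string
    if c.isalpha():
        return ord(c)      # letters sort before other characters
    return ord(c) + 256    # punctuation such as '+' or '.' sorts after letters


def _cmp_nondigit(a, b):
    """Compare two non-digit segments with dpkg's character weights."""
    for i in range(max(len(a), len(b))):
        wa = _weight(a[i]) if i < len(a) else 0   # 0 stands for end of string
        wb = _weight(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_segment(a, b):
    """Compare an upstream version or a Debian revision, dpkg style."""
    while a or b:
        ma, mb = re.match(r"\D*", a), re.match(r"\D*", b)
        r = _cmp_nondigit(ma.group(), mb.group())
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        na, nb = re.match(r"\d*", a), re.match(r"\d*", b)
        ia, ib = int(na.group() or "0"), int(nb.group() or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[na.end():], b[nb.end():]
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_segment(ua, ub) or _cmp_segment(ra, rb)


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed version.

    Only meaningful within one suite: a version from another suite can sort
    higher yet carry a different set of fixes, so check that suite's changelog.
    """
    return compare_versions(installed, fixed) >= 0


def installed_version(dpkg_query_output, package="tomcat7"):
    """Parse lines produced by: dpkg-query -W -f='${Package}\\t${Version}\\n'."""
    for line in dpkg_query_output.splitlines():
        parts = line.split("\t")
        if len(parts) == 2 and parts[0] == package:
            return parts[1]
    return None


# Constructed sample output, as if from a wheezy host one update behind.
SAMPLE_DPKG_QUERY = "tomcat7\t7.0.28-4+deb7u3\n"

if __name__ == "__main__":
    v = installed_version(SAMPLE_DPKG_QUERY)
    print(v, "patched" if is_patched(v) else "NOT patched, needs " + FIXED_VERSION)
```

On a real host, feed the output of `dpkg-query -W -f='${Package}\t${Version}\n' tomcat7` to `installed_version`; `dpkg --compare-versions` gives the same verdict and is the authoritative reference when both are available.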

94c7571... by Markus Koschany <email address hidden> on 2016-04-16

CVE-2016-0763

Gbp-Pq: CVE-2016-0763.patch.

76895aa... by Markus Koschany <email address hidden> on 2016-04-16

CVE-2016-0714

Gbp-Pq: CVE-2016-0714.patch.

d627f02... by Markus Koschany <email address hidden> on 2016-04-16

CVE-2016-0706

Gbp-Pq: CVE-2016-0706.patch.

09a9dad... by Markus Koschany <email address hidden> on 2016-04-16

CVE-2015-5351

Gbp-Pq: CVE-2015-5351.patch.

74b8c45... by Markus Koschany <email address hidden> on 2016-04-16

CVE-2015-5346

Gbp-Pq: CVE-2015-5346.patch.

f699337... by Markus Koschany <email address hidden> on 2016-04-16

CVE-2015-5345

Gbp-Pq: CVE-2015-5345.patch.

f74b130... by Markus Koschany <email address hidden> on 2016-04-16

CVE-2015-5174

Gbp-Pq: CVE-2015-5174.patch.

f33f52c... by Markus Koschany <email address hidden> on 2016-04-16

CVE-2014-0119

Gbp-Pq: CVE-2014-0119.patch.

586d108... by Markus Koschany <email address hidden> on 2016-04-16

CVE-2014-0096

Gbp-Pq: CVE-2014-0096.patch.