-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0124
                         tomcat7 security update
                              18 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat7
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-7810 CVE-2014-0230 CVE-2014-0227
                   CVE-2014-0099 CVE-2014-0075 CVE-2013-4444

Reference:         ASB-2015.0070
                   ASB-2014.0121
                   ASB-2014.0077
                   ESB-2015.3177
                   ESB-2014.0828

Original Bulletin:
   http://www.debian.org/security/2016/dsa-3447

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3447-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 17, 2016                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : tomcat7
CVE ID         : CVE-2014-7810

It was discovered that malicious web applications could use the
Expression Language to bypass protections of a Security Manager as
expressions were evaluated within a privileged code section.

For the oldstable distribution (wheezy), this problem has been fixed
in version 7.0.28-4+deb7u3. This update also provides fixes for
CVE-2013-4444, CVE-2014-0075, CVE-2014-0099, CVE-2014-0227 and
CVE-2014-0230, which were all fixed for the stable distribution
(jessie) already.

For the stable distribution (jessie), this problem has been fixed in
version 7.0.56-3+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 7.0.61-1.

For the unstable distribution (sid), this problem has been fixed in
version 7.0.61-1.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWm7S6AAoJEAVMuPMTQ89Ebm0P/1+Y6sr5nI047SzWuDFKKBwx
g9+06/4kE/Dh7a6yIyAttK2TdVa4XDutfuBFEyVhnE4f7AWaXwIb3lxFkhz2/Qbg
Zp/VnYirBBHkAknb5f12OOJjCAw0/7W6vbr2IW7h1gdp+xy0G/lg2S5hVXx+kqX5
cZeSPRNhKBwBrsV+Xqy0vuKk7+U8oXoqFI0Olvm5lPY6RMLWevyz3emT5zQrH4RV
GDSzHBj0gmenWKs/0aRRiQLEDVeQ9nQBfX7EYFUPwAIey1EdZ4UGX64l6iLJeEc1
02DjEuALvFb9Jc4XlyvBI62MtxWbnxN2M45Suz2WH7jJlOMgdI6wckgjlKJ88R+S
MYCypVEslizdPmyh1gmNKwypd/SBo0qksWWTH4rENu/fNGOTCg+DRxbKneOH0YnN
X6R8ZIrnZpPiaSoct5MAYR64ezoN/eG+tT937chN6yXU0Y1Jl3nnQarwq8zszfZD
JrJsiK+mU+WJ0daQI1QRrZ6OUcHWlwZjaJHhYuS/YblVHKw+vbbROrCh72XDXGGE
RrsUAjr3FHJg7GlfHDPNsmA/5V3IDByZoGh5dIRDmBeAboLbLqr/dWxnICc+iTOQ
+NyTq4Dtiwpfd4TTUKkWfV/pTvWyIVehG5QUzupjOLLj9Eq1dTY9G4JYC70ubOHj
OR/mkXtGwcfLKv8+7n2X
=wSYl
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVpxYg36ZAP0PgtI9AQJjOxAAqpnA8FfOc0eeGVCQiJPd+mTRMiTmatXh
NJIs2UCSzEIf9rG2RREuiUnyLh7NjRmHh40/TwrBX3izkaXxT+gpZv8mcsNMlb2n
s8wKbuA5bN8+k3/ipsTXo3EDfPyu+vZqT1eK+XkL9olLPLJDv0LP9BP7juU46KnT
nQmUXuMyLKMlgwE2e+t+tZZlHPQHWMOFSjYeXzMlmb0i0f0hVyabNbpsrjV0L+KC
dPNjCAI0xUiaFoWoVgWia/p147mEpuKREFB6uwKQ+1qECfGjpTrIrxFxL6wMEFtd
0OqonB5K2onBcTmhY9mriISe+hXt0GqE4dvWKnNbHuKj215tHRNhyWR4mDyhVPqN
OSgtl0kc1HZbxB/J/BZpciEVxf79h5YiW2fc1Nqrs+xySrV09jlMZkt4I39p2YPv
Ku7nvuD36ndrDVWLTsfPkSa3NbGnYWuaFITkwS8XdJ72jI5H09Qu9UvBKmsqhaqZ
oXAKYrVfNaRTdG3km6R+5Po8zpMVxxzkMJzrl9lkdl5/tNQWA5rAwJS5UzqfB3eA
LHQ9gR1Kw9XAYnzbCcZMSypJ5szsKHii5k6D7YHSpKDEahWB143I67vT/QhlG8Wg
cbtHe2kcrPbouArPcjH9QE6aE0VwnYDOZTKTXpl2XKCD6dtdDNBeZBHEJ5qN9DPi
8RsBrx8B2sM=
=AOZa
-----END PGP SIGNATURE-----