===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0124
                          tomcat7 security update
                              18 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat7
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-7810 CVE-2014-0230 CVE-2014-0227
                   CVE-2014-0099 CVE-2014-0075 CVE-2013-4444

Reference:         ASB-2015.0070
                   ASB-2014.0121
                   ASB-2014.0077
                   ESB-2015.3177
                   ESB-2014.0828

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3447

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3447-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 17, 2016                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tomcat7
CVE ID         : CVE-2014-7810

It was discovered that malicious web applications could use the
Expression Language to bypass the protections of a Security Manager,
because expressions were evaluated within a privileged code section.

For the oldstable distribution (wheezy), this problem has been fixed
in version 7.0.28-4+deb7u3. This update also provides fixes for
CVE-2013-4444, CVE-2014-0075, CVE-2014-0099, CVE-2014-0227 and
CVE-2014-0230, which were all fixed for the stable distribution (jessie)
already.

For the stable distribution (jessie), this problem has been fixed in
version 7.0.56-3+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 7.0.61-1.

For the unstable distribution (sid), this problem has been fixed in
version 7.0.61-1.

We recommend that you upgrade your tomcat7 packages.
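As an added defender's check (not part of the Debian advisory or the AusCERT bulletin), the Python below reports whether an installed tomcat7 version is at or above the fixed version the advisory lists for a given suite; it ports dpkg's version-ordering rules (epoch, upstream part, Debian revision, with `~` sorting lowest) so it can also run off the Debian host over a collected package inventory. The suite keys, function names and the version strings tested are this example's own assumptions and constructed samples.

```python
import re

FIXED_VERSIONS = {  # fixed tomcat7 versions listed in DSA-3447, keyed by suite
    "wheezy": "7.0.28-4+deb7u3", "jessie": "7.0.56-3+deb8u1",
    "stretch": "7.0.61-1", "sid": "7.0.61-1"}

def _order(c):  # weight of one character in a non-digit run (dpkg's order())
    if c.isdigit() or not c:
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256  # '~' sorts even before end of string

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternately compare non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])  # "" once past the end
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        i += len(a[i:]) - len(a[i:].lstrip("0"))  # leading zeros are insignificant
        j += len(b[j:]) - len(b[j:].lstrip("0"))
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    def split(v):  # 'epoch:upstream-revision' -> (int epoch, upstream, revision)
        e, u, r = re.match(r"(?:(\d+):)?(.*?)(?:-([^-]*))?$", v).groups()
        return int(e or 0), u, r or ""
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    for c in ((ea > eb) - (ea < eb), _verrevcmp(ua, ub), _verrevcmp(ra, rb)):
        if c:
            return 1 if c > 0 else -1
    return 0

def is_patched(installed_version, suite):
    """True when the installed tomcat7 version is at or above the DSA-3447 fix."""
    return compare_versions(installed_version, FIXED_VERSIONS[suite]) >= 0
```

Feed it the version column of `dpkg-query -W tomcat7` from each host; a backport such as `7.0.61-1~bpo8+1` correctly sorts below `7.0.61-1`, and a `u10` revision above `u3`.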

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================