Operating System:

[Debian]

Published:

18 April 2016

Protect yourself against future threats.

//Service

Sensitive Information Alert

Alert notification provided via email for sensitive material found online by our analyst team which specifically targets your organisation.

Read more
Resources > Security Bulletins > ESB-2016.0972 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0972
                          tomcat7 security update
                               18 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat7
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Denial of Service               -- Existing Account            
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0763 CVE-2016-0714 CVE-2016-0706
                   CVE-2015-5351 CVE-2015-5346 CVE-2015-5345
                   CVE-2015-5174 CVE-2014-0119 CVE-2014-0096

Reference:         ASB-2014.0146
                   ASB-2014.0121
                   ASB-2014.0077
                   ASB-2014.0074
                   ESB-2014.1082
                   ESB-2014.1073
                   ESB-2014.0828

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3552

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3552-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 17, 2016                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : tomcat7
CVE ID         : CVE-2015-5174 CVE-2015-5345 CVE-2015-5346 CVE-2015-5351 
                 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

Multiple security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine, which may result in information disclosure,
the bypass of CSRF protections and bypass of the SecurityManager.

For the oldstable distribution (wheezy), these problems have been fixed
in version 7.0.28-4+deb7u4. This update also fixes CVE-2014-0119 and
CVE-2014-0096.

For the stable distribution (jessie), these problems have been fixed in
version 7.0.56-3+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 7.0.68-1.

For the unstable distribution (sid), these problems have been fixed in
version 7.0.68-1.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXE9lQAAoJEBDCk7bDfE42StsP/jESeUXBDM54ZpOb0kH3C9YF
WAEDRlEtfBIjZW6HvO9aaUQYG/RICw41xTDaMixMZekdQTr3DUxkrdEVoLtjkj7q
UU6DRyDJYhYfsjvKp3GNusOdFm6eYNstkwViYGQCb8WyRb7tME4+J4AO68TzRKNE
BxBC/kPPxTLpt+J46vO9Phb8UlOhmVEM9QmZplsZDr+5KcRJkGFiK0O69GZ26MgT
lS8AxtOOw9vQF6lZWaOLlytGh8o/lhSRUI/vbZqytIAYH3YwS7sGTwtjgi2VFgrO
FVxa6xF98n2kT6RQdXXLWfHxh1gLH/O5NqNs4JGuMlwfXiLgJVWoFUMa9Nk3qXoy
e3xGzCdZizIGl6wlF89+/JL8XXCPZHABaQPGw5ZtILzpsLfdAdrCTcBBqk/t16yc
g33SgWyZva83WDc7S7mEo+CW5SXsbtyX+qT4F4mbWDYWF9JDRG6mnj/LCA/9Zu8z
PRdAFQxaue2tNkjwmlozuK+JPoje4lYJNyKo/Wxx6qNsfDAMcSdelFM4/pol0JPk
dUoUypoe6i2pOOAFX25aCUO3JMyqVKMdi7kheqKbAdCzaPxcCknvpi2fqOFPVVO7
YE0nUuQZpaYv1MWZLo7f+6Y1I3ncnTQFAoGKLaISvd7ghOAk2SpWeGRh7yCybbGw
jaHyZJXTIWz4qCAhpnb0
=GSUh
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVxQwBX6ZAP0PgtI9AQIcdQ//aHAwtmskZ3g7pb6atwQZjfrbZjkeoJqk
HGfjJSsL3yunVJgRq5ZAjDZfTAjvnQzXuCAR4ie2wUKfWfi5BHsEu9Xf1TUb663S
Ts4DYdoHKMr+ORX3o8snbsAcM0+zfLN2ExjeqhByqb4UoM/MKaH5emdT94Rrjupc
uKtbTUkVqCVGTYqw1ASVkTMqeRhKssm48HDrZI9tZ6pPk64BHvhRQbKKuycBoi/L
NmF5wGum2oCaOb6NvOZc5gLx9HzT9nWomBRXUeXS32R7pVP6bzxk++Cam9C24fm7
VCXNpaZ1tK2HmU1c33ukwxt3xOZoxX3Mb+gSaV2T1/z1z+CWsxgabRaXbzqP2Ctt
KVAUUY5zvmQ92GqoKtosgttajhlTOfRsdLFgYqNds89X7iaJLcN+sd1htLQjMDR/
j9zurJliUT0WsTwfVcu7BricKpIwovGQTYqOz+LYom0hfOas64C7WE9NOBYismMJ
yfYeDaXgewQY5R27d/HhSqBO91KblqHHYaZrcHIf6VZuwX2ONNHM48rB3DzLsVHA
56ecuVot07DMFOlAWV0rY4V0bO98Q/IuzRvIry5zPmBkdRfzU9xh562cbWD5ISx9
bJ2NSMiPcLLVeXCpztOHjrhp32U0qmngFAdenvNEoaunFCHuwTxgZK6/vjYkV1q6
wLTbaTN44ng=
=QKd9
-----END PGP SIGNATURE-----