Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.2187
tomcat7 and tomcat8 security updates
16 September 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: tomcat7
tomcat8
Publisher: Debian
Operating System: Debian GNU/Linux 8
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Increased Privileges -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-1240
Original Bulletin:
http://www.debian.org/security/2016/dsa-3669
http://www.debian.org/security/2016/dsa-3670
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running tomcat7 or tomcat8 check for an updated version of the
software for their operating system.
This bulletin contains two (2) Debian security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3669-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 15, 2016 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : tomcat7
CVE ID : CVE-2016-1240
Dawid Golunski of LegalHackers discovered that the Tomcat init script
performed unsafe file handling, which could result in local privilege
escalation.
For the stable distribution (jessie), this problem has been fixed in
version 7.0.56-3+deb8u4.
We recommend that you upgrade your tomcat7 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJX2tmaAAoJEBDCk7bDfE42DpQP/RkxwGV4Ba6NeuL7OuttEOJG
FZui69MkIZeZ00SiIQ/bhFSIYEMsQy3Do836P4VM1evtwsdXEGBS+Ljuudqdiiiv
SJVdLEgJYgMDRxRC2xNXCFpyfJuyNd7RDjuOurg6kWULUb2ySToAL87SgUXcAlle
LP7fJmVyZYRw8ce0M7eVXW/JtEUb0YdDiSHQso6eXnLOzduozKmVP9QOtx6XmLpG
5jVUjU01AZpJGFdH2pQqpi84DGdkYPcLCEeA5WpPmSpaAqo9Y8/cB1nXeXGG1S7T
d8Cv3//7V3yexorT7orEZtTe/qFlVvITMcHyZO/Y1zrPtOBbFxrJ5PChAK24MXeF
RerzJHf3ynPA4jMeMm4jwL/43GREkoBPyFsa4FqqjtRKgpk7q3u/UaHAR7FkHTYj
w17aqZ9Sc8pVSojE51yE7togVrRL3LjQEUmRzXRpYqpWHkY1snlKgxGAxZ7VznAU
ZIh2gEyOWPgreVjhYKnvRq4QQkErSgHiCxDbXHvtLQ0nQTe/vQflCUrgZJ5M7IcN
amXrio/PV9RdHnaiG6Y8ewcfBBurcHD3qbXZcuFzlJxeGjATAzKoG21M3P8QZ5x7
dRvHcL6bnICloFIFhMHgj4UxNCkmR2EWaFIJ3p60eTgFE8NPA/9tvvDDqM1tROZV
H75JDuIVeXA4oAS5G0il
=l0Dd
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3670-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 15, 2016 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : tomcat8
CVE ID : CVE-2016-1240
Dawid Golunski of LegalHackers discovered that the Tomcat init script
performed unsafe file handling, which could result in local privilege
escalation.
For the stable distribution (jessie), this problem has been fixed in
version 8.0.14-1+deb8u3.
For the unstable distribution (sid), this problem will be fixed soon.
We recommend that you upgrade your tomcat8 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJX2tmhAAoJEBDCk7bDfE42U14QAJJOSC4b8vtDESjIjSWxODg5
H8CI7SkATzcDlIfPTNCxX4Gn9iAWS8uxjJP7FaUjpsBmzkB1omdzmr6SgCw9mlM0
b0sZXRGRbKDRnXzN0IwTuKI/tuV1s7c5KWfjhGTAJ1SL7foKlwaKXXQemeztouiv
yRmczPp9NlqrifyXGNIqsF47QNbGiJIM5S+N99/u1YHMO1akm4i2f5cKtfIXokU4
7tpY8UoxAqmWJ4u1p9PxmtA71vuP8gsXoN836iM/OtrY9IZlpArzF6qANhOtj85o
ynd7MiPURLutw6Xmp6ZGOpx6or8g4prmjLubsg1tekoQsFI2BJy93oxNj+Wyo7dp
4CG3XF9aM4QAv7JkuRY6vQIeOcN04h48/MPgY2VR8gykh1v+IFj2+dxTBRVeMcm8
Tu5NLwi83iHaqxxM4h49baQiCwnSimTSd9Bbji060jybWQbtSGoY0zW970z7+uP7
reUu50rI8Hl/Ie8pB13S6kzmvIrGUQpCbIjv01LMO014rYMKfQtCfD/j/8gKikrq
6ofo42Xb7D0MfiUn1xy9yAl+wwcer1yaG1MbUCerhWWRMkr0w17etkiCZcSiskeB
LuZ5a+bExkpnMr8RhErnSHTOEqvW+8djQEkN2fXEUv5pUHww55I+tcf8QfqCV6a4
BPq31eJnhbkhvROQIv8E
=Fhnw
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV9tHWIx+lLeg9Ub1AQgetw/9EanergAD6UC6pljf1dON3SsX3tPb/Bom
89UkGX5uE6GqF4+ziQSXc+Mp7aG6K6SHP61pTa5zuUi9ag+v5bx130ZOPVxYq/Jq
yto/1P3jVy8VhWtFV3XdD6Bs7NxffyfpP+MPQRKlMTT+NXp7u1brN4RbVlhxTP0+
pFFB+JVXat+kfYBbRdjTzoUH/uFcyUnkGikdghGGiJRPWf/tnrExFG2C7PvPJeCn
hZtjI+r1WkIWGod8+g9T6eh2DHtX2NV799fB6ucneu/emoh7vcNBxE7Zz+kepmXQ
1IXw/i9rcZUWGRnC4/YUOhnoKARS0jfoNxmOSm8lc6xIdcp/B9bAdyrwi8G4IZKH
nqbln8cyZM0R7wfk+HjCoUXiim1cs5s1F1YTIr7voc+IQmYUl/h28ik9V6S53B7i
ccxmKnFzjW6ty8Q2o0U6+eN9UJAymiFur9xRjCgVCO6r6/sBNUfePZpVEPsPNQ9c
3W7FCwlc6ZHgZQXL2nBGIYP7gsGeD7hJOReptEfZroI04i5bZqG/yRQDVdJWaBuu
+qdVucd8Bnru36YPn30XWFqVBVXF6hExav00jq7EF5+NVyxweh4pC7JjaeNw78tP
kHp2PVYhIhLyekAPgq2szhcNjjDcDmQshygqARZsl0O6voPS+epWpBdVThh9N7JE
PtnWkiGAIzM=
=6F5d
-----END PGP SIGNATURE-----