File _patchinfo of Package patchinfo.3377

<patchinfo incident="3377">
  <issue id="974407" tracker="bnc">tomcat upstream bug 58999 StringIndexOutOfBoundsException WebAppClassLoaderBase.filter()</issue>
  <issue id="1002639" tracker="bnc">Tomcat Lacks "setenv.sh" Implementation</issue>
  <issue id="1004728" tracker="bnc">Tomcat-apache Servlet and JSP Examples application cannot be accessed</issue>
  <issue id="1010893" tracker="bnc">[TRACKERBUG] FATE#321029 [ECO] Update jakarta-commons-dbcp to 2.0</issue>
  <issue id="321029" tracker="fate">[TRACKERBUG] FATE#321029 [ECO] Update jakarta-commons-dbcp to 2.0</issue>
  <issue id="1007854" tracker="bnc">VUL-1: CVE-2016-0762: tomcat: Realm Timing Attack</issue>
  <issue id="1007855" tracker="bnc">VUL-1: CVE-2016-5018: tomcat: Security Manager Bypass</issue>
  <issue id="1007857" tracker="bnc">VUL-0: CVE-2016-6794: tomcat: System Property Disclosure</issue>
  <issue id="1007858" tracker="bnc">VUL-1: CVE-2016-6796: tomcat: Security Manager Bypass</issue>
  <issue id="1007853" tracker="bnc">VUL-1: CVE-2016-6797: tomcat: Unrestricted Access to Global Resources</issue>
  <issue id="1011805" tracker="bnc">VUL-0: CVE-2016-8735: tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener</issue>
  <issue id="1011812" tracker="bnc">VUL-0: CVE-2016-6816: tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests</issue>
  <issue id="2016-0762" tracker="cve" />
  <issue id="2016-5018" tracker="cve" />
  <issue id="2016-6794" tracker="cve" />
  <issue id="2016-6796" tracker="cve" />
  <issue id="2016-6797" tracker="cve" />
  <issue id="2016-8735" tracker="cve" />
  <issue id="2016-6816" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>mateialbu</packager>
  <description>
This update for Tomcat provides the following fixes:

Feature changes:

The embedded Apache Commons DBCP component was updated to version 2.0. (bsc#1010893 fate#321029)

Security fixes:
- CVE-2016-0762: Realm Timing Attack (bsc#1007854)
- CVE-2016-5018: Security Manager Bypass (bsc#1007855)
- CVE-2016-6794: System Property Disclosure (bsc#1007857)
- CVE-2016-6796: Security Manager Bypass (bsc#1007858)
- CVE-2016-6797: Unrestricted Access to Global Resources (bsc#1007853)
- CVE-2016-8735: Remote code execution vulnerability in JmxRemoteLifecycleListener (bsc#1011805)
- CVE-2016-6816: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests (bsc#1011812)

Bugs fixed:
- Fixed StringIndexOutOfBoundsException in WebAppClassLoaderBase.filter().
  (bsc#974407)
- Fixed a deployment error in the examples webapp by changing the context.xml
  format to the new one introduced by Tomcat 8. (bsc#1004728)
- Enabled the optional setenv.sh script. See section '(3.4) Using the "setenv" script'
  in http://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt. (bsc#1002639)
- Fixed a regression introduced by the fix for CVE-2016-6816.
</description>
  <summary>Security update for tomcat</summary>
</patchinfo>
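
Of the fixes listed above, CVE-2016-8735 is the one whose exposure depends on local configuration: the affected JmxRemoteLifecycleListener is only in play when an administrator has declared it in server.xml. The script below is an added triage example, not part of this patchinfo or of the Tomcat project; it parses a server.xml with the standard library so that commented-out listeners (which a plain grep would match) are ignored, and reports the RMI ports each active listener declares. The listener class name org.apache.catalina.mbeans.JmxRemoteLifecycleListener and the attribute names rmiRegistryPortPlatform and rmiServerPortPlatform are taken from Tomcat's listener documentation; the embedded server.xml is constructed sample input, not a real deployment.

```python
"""Triage check for CVE-2016-8735: is JmxRemoteLifecycleListener configured in server.xml?"""
import xml.etree.ElementTree as ET

# Listener class named in the CVE-2016-8735 entry of this update.
JMX_LISTENER_CLASS = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# Constructed sample server.xml (not a real configuration): one commented-out
# listener that must be ignored, and one active listener with explicit RMI ports.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
                 rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" /> -->
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""


def find_jmx_remote_listeners(server_xml_text):
    """Return one dict per active JmxRemoteLifecycleListener element.

    The XML parser drops comments, so a listener that is only present in a
    commented-out block is not reported; a text grep would flag it.
    """
    root = ET.fromstring(server_xml_text)
    found = []
    for listener in root.iter("Listener"):
        if listener.get("className") != JMX_LISTENER_CLASS:
            continue
        found.append({
            "registry_port": listener.get("rmiRegistryPortPlatform"),
            "server_port": listener.get("rmiServerPortPlatform"),
        })
    return found


def is_exposed_to_cve_2016_8735(server_xml_text):
    """True when the vulnerable listener is active; the remedy is the package update, not this check."""
    return bool(find_jmx_remote_listeners(server_xml_text))


if __name__ == "__main__":
    import sys
    # Pass a path to a real server.xml, or run without arguments to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for entry in find_jmx_remote_listeners(text):
        print("active JmxRemoteLifecycleListener:", entry)
    print("exposed to CVE-2016-8735 (pre-update):", is_exposed_to_cve_2016_8735(text))
```

A hit only means the listener is enabled; whether the RMI ports it declares are reachable from untrusted networks is a separate question, and an unpatched host with the listener enabled should be updated regardless of that answer. Run it as `python3 check_jmx.py /etc/tomcat/server.xml` on a host before and after applying the update to confirm the configuration is understood.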