File _patchinfo of Package patchinfo.2901

<patchinfo incident="2901">
  <issue id="986359" tracker="bnc">VUL-0: CVE-2016-3092: tomcat6,tomcat5,tomcat: Usage of vulnerable FileUpload package can result in denial of service</issue>
  <issue id="988489" tracker="bnc">VUL-0: CVE-2016-5388: tomcat: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)</issue>
  <issue id="1033447" tracker="bnc">VUL-0: CVE-2017-5648: tomcat: [SECURITY] CVE-2017-5648 Apache Tomcat Information Disclosure</issue>
  <issue id="1033448" tracker="bnc">VUL-0: CVE-2017-5647: tomcat: [SECURITY] CVE-2017-5647 Apache Tomcat Information Disclosure</issue>
  <issue id="1007854" tracker="bnc">VUL-1: CVE-2016-0762: tomcat: Realm Timing Attack</issue>
  <issue id="1007855" tracker="bnc">VUL-1: CVE-2016-5018: tomcat: Security Manager Bypass</issue>
  <issue id="1007857" tracker="bnc">VUL-0: CVE-2016-6794: tomcat: System Property Disclosure</issue>
  <issue id="1007858" tracker="bnc">VUL-1: CVE-2016-6796: tomcat: Security Manager Bypass</issue>
  <issue id="1007853" tracker="bnc">VUL-1: CVE-2016-6797: tomcat: Unrestricted Access to Global Resources</issue>
  <issue id="1011812" tracker="bnc">VUL-0: CVE-2016-6816: tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests</issue>
  <issue id="1011805" tracker="bnc">VUL-0: CVE-2016-8735: tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener</issue>
  <issue id="1015119" tracker="bnc">VUL-0: CVE-2016-8745: tomcat: Apache Tomcat Information Disclosure</issue>
  <issue id="2016-0762" tracker="cve" />
  <issue id="2016-3092" tracker="cve" />
  <issue id="2016-5018" tracker="cve" />
  <issue id="2016-5388" tracker="cve" />
  <issue id="2016-6794" tracker="cve" />
  <issue id="2016-6796" tracker="cve" />
  <issue id="2016-6797" tracker="cve" />
  <issue id="2016-6816" tracker="cve" />
  <issue id="2016-8735" tracker="cve" />
  <issue id="2016-8745" tracker="cve" />
  <issue id="2017-5647" tracker="cve" />
  <issue id="2017-5648" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>malbu</packager>
  <description>
Tomcat was updated to version 7.0.78, fixing various bugs and security issues.

For full details see https://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Security issues fixed:

- CVE-2016-0762: A realm timing attack in Tomcat that could disclose the existence of users was fixed. (bsc#1007854)
- CVE-2016-3092: Usage of a vulnerable FileUpload package could have resulted in denial of service. (bsc#986359)
- CVE-2016-5018: A security manager bypass via a Tomcat utility method that was accessible to web applications was fixed. (bsc#1007855)
- CVE-2016-5388: Setting the HTTP_PROXY environment variable via the Proxy header (httpoxy) was fixed. (bsc#988489)
- CVE-2016-6794: A Tomcat system property disclosure was fixed. (bsc#1007857)
- CVE-2016-6796: A Tomcat security manager bypass via manipulation of the configuration parameters for the JSP Servlet was fixed. (bsc#1007858)
- CVE-2016-6797: Unrestricted access to global resources in Tomcat via ResourceLinkFactory was fixed. (bsc#1007853)
- CVE-2016-6816: An HTTP request smuggling vulnerability due to permitting invalid characters in HTTP requests was fixed. (bsc#1011812)
- CVE-2016-8735: A remote code execution vulnerability in JmxRemoteLifecycleListener was fixed. (bsc#1011805)
- CVE-2016-8745: A Tomcat information disclosure in the error handling of the send file code for the NIO HTTP connector was fixed. (bsc#1015119)
- CVE-2017-5647: A Tomcat information disclosure in pipelined request processing was fixed. (bsc#1033448)
- CVE-2017-5648: A Tomcat information disclosure due to using incorrect facade objects was fixed. (bsc#1033447)
</description>
  <summary>Security update for tomcat</summary>
</patchinfo>