Univention Bugzilla – Bug 35058
tomcat6: Multiple issues (3.2)
Last modified: 2016-06-08 14:01:16 CEST
Information disclosure when parsing content length headers (CVE-2014-0099)
Information disclosure in XSLT/XML parsers (CVE-2014-0096, CVE-2014-0119)
Denial of service in chunked header parsing (CVE-2014-0075)
Session fixation (CVE-2014-0033)
Information disclosure (CVE-2013-4286)
Denial of service in handling chunked extensions (CVE-2013-4322)
Information disclosure / XEE (CVE-2013-4590)
It was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request (CVE-2014-0227)
Non-persistent DoS attack by feeding data by aborting an upload (CVE-2014-0230)
One more: security manager bypass via expression language (EL) expressions (CVE-2014-7810) This and CVE-2014-0227 and CVE-2014-0230 have been fixed in 6.0.41-2+squeeze7. The version in UCS 3.2-x is 6.0.35-1+squeeze4 and it looks like all other listed CVEs have been fixed in the upstream version by now as well.
Upstream Debian package version 6.0.45-1~deb6u1 fixes the following issues:

* Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)
* The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. (CVE-2015-5345)
* The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. (CVE-2015-5351)
* Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. (CVE-2016-0706)
* The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. (CVE-2016-0714)
* The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. (CVE-2016-0763)
Wheezy package version 6.0.45+dfsg-1~deb7u1 fixes additional issues; either we can get patches from that or we should import that package version. We have to solve the versioning issue with respect to the UCS 4.0 update path anyway.
repo_admin.py --cherrypick -r 3.3 --releasedest 3.2 --dest errata3.2-8 -p tomcat6
find -type f | grep -F -f <(cd source && dcmd tomcat6_6.0.45+dfsg-1.52.201604191550_i386.changes) | cpio -p --link ../ucs_3.2-0-errata3.2-8/
repo-apt-ftparchive --release ucs_3.2-0-errata3.2-8

QA:
univention-install tomcat6
elinks http://localhost:8080/
$EDITOR /etc/apt/sources.list
apt-get -qq update
apt-get upgrade
apt-get install tomcat6-examples
elinks http://localhost:8080/examples/
dpkg-query -W tomcat6 # 6.0.45+dfsg-1.52.201604191550
univention-upgrade --ignoressh --ignoreterm --noninteractive </dev/null

r69552 | Bug #35058,Bug #37004: tomcat6 YAML tomcat6.xml
/etc/init.d/tomcat6 in find_openjdks does
  for jvmdir in '/usr/lib/jvm/java-6-openjdk-*
which does not find /usr/lib/jvm/java-6-openjdk/, thus complaining with
  # invoke-rc.d tomcat6 restart
  no JDK found - please set JAVA_HOME ... failed!
Proposed change is
-for jvmdir in '/usr/lib/jvm/java-6-openjdk-*
+for jvmdir in '/usr/lib/jvm/java-6-openjdk*
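Review bot: the widened pattern in the + line (java-6-openjdk*) matches every entry under /usr/lib/jvm that starts with that prefix, not only the non-multi-arch /usr/lib/jvm/java-6-openjdk/ this change is meant to pick up, so unless the loop body already verifies that each match is a usable JDK (for example that $jvmdir/bin/java exists) it can hand an unrelated directory to the JAVA_HOME selection; it is also worth confirming that the committed line uses an unquoted pattern, because the leading quote visible in both the - and + lines would, if it were really in the script, stop the glob from expanding at all.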
(In reply to Janek Walkenhorst from comment #8)
> for jvmdir in '/usr/lib/jvm/java-6-openjdk-*
r16552 | Bug #35058: Undo multi-arch
Strictly speaking this isn't necessary as /usr/lib/jvm/default-java/ is set.

Package: tomcat6
Version: 6.0.45+dfsg-1.51.201606010944
Branch: ucs_3.2-0
Scope: errata3.2-8

r69683 | Bug #37004: tomcat6 YAML tomcat6.yaml
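The glob problem from comment #8 and the reply above, as an added example that is not from the bug report, the UCS package or the Debian tomcat6 init script. It builds a constructed /usr/lib/jvm-like tree under a temporary directory (a non-multi-arch java-6-openjdk directory with a bin/java, a -common directory, and an unrelated directory that only shares the prefix) and runs a find_jdks helper modelled on the find_openjdks loop, once with the original `-*` suffix and once with the widened `*` suffix. The helper name, its bin/java check and the directory layout are assumptions made for this example; the pattern is deliberately left unquoted so that it globs.

```sh
#!/bin/sh
# Added example, not from the bug report or the tomcat6 init script.
# Shows why the original find_openjdks glob (java-6-openjdk-*) misses a
# non-multi-arch /usr/lib/jvm/java-6-openjdk/ directory and what the widened
# glob (java-6-openjdk*) picks up instead. The layout is constructed under a
# temporary directory; find_jdks, its bin/java check and the layout are
# assumptions made for this example.
set -eu

# make_layout: create the constructed /usr/lib/jvm-like tree and print its root.
make_layout() {
    root=$(mktemp -d)
    # The non-multi-arch JDK directory that the original glob cannot match.
    mkdir -p "$root/java-6-openjdk/bin"
    : > "$root/java-6-openjdk/bin/java"
    chmod 755 "$root/java-6-openjdk/bin/java"
    # Shared-files directory that must never be selected as a JDK.
    mkdir -p "$root/java-6-openjdk-common"
    # Unrelated directory sharing the prefix: matched by the widened glob but
    # not a JDK, which is why the helper also checks for bin/java.
    mkdir -p "$root/java-6-openjdk-docs"
    printf '%s\n' "$root"
}

# find_jdks ROOT SUFFIX: iterate over ROOT/java-6-openjdkSUFFIX the way the
# init script loop does (SUFFIX is expanded unquoted so it globs), skip the
# -common directory and anything without an executable bin/java, and print the
# accepted directories one per line (an empty line when none qualifies).
find_jdks() {
    root=$1
    suffix=$2
    found=""
    for jvmdir in "$root"/java-6-openjdk$suffix; do
        [ -d "$jvmdir" ] || continue
        case "$jvmdir" in *-common) continue ;; esac
        [ -x "$jvmdir/bin/java" ] || continue
        found="$found $jvmdir"
    done
    printf '%s\n' "${found# }"
}

# Stand-alone demonstration: the original glob finds nothing, the widened glob
# finds the JDK; the temporary tree is removed afterwards.
demo_root=$(make_layout)
printf 'original glob (-*): [%s]\n' "$(find_jdks "$demo_root" '-*')"
printf 'widened glob (*):   [%s]\n' "$(find_jdks "$demo_root" '*')"
rm -rf "$demo_root"
```

On a system where only /usr/lib/jvm/java-6-openjdk/ exists, the first call prints an empty list, which is exactly the "no JDK found" path the init script takes; the second call returns that directory while still rejecting the -common and docs entries.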
Changes: OK
Tests: OK
Advisory: OK
<http://errata.software-univention.de/ucs/3.2/432.html>