[SECURITY] [DLA 746-2] tomcat6 regression update

2016-12-1722:08:55

lists.debian.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

9.1

Confidence

High

EPSS

0.001

Percentile

49.0%

JSON

Package : tomcat6
Version : 6.0.45+dfsg-1~deb7u5
Debian Bug : 848492

The last security update introduced a regression due to the use of
StringManager in the ResourceLinkFactory class. The code was removed
again since it is not strictly required to resolve CVE-2016-6797.

For Debian 7 "Wheezy", these problems have been fixed in version
6.0.45+dfsg-1~deb7u5.

We recommend that you upgrade your tomcat6 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian7alltomcat7< 7.0.28-4+deb7u7tomcat7_7.0.28-4+deb7u7_all.deb
Debian8alltomcat7< 7.0.56-3+deb8u5tomcat7_7.0.56-3+deb8u5_all.deb
Debian7alltomcat6< 6.0.45+dfsg-1~deb7u3tomcat6_6.0.45+dfsg-1~deb7u3_all.deb
Debian8alltomcat8< 8.0.14-1+deb8u4tomcat8_8.0.14-1+deb8u4_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	all	tomcat7	< 7.0.28-4+deb7u7	tomcat7_7.0.28-4+deb7u7_all.deb
Debian	8	all	tomcat7	< 7.0.56-3+deb8u5	tomcat7_7.0.56-3+deb8u5_all.deb
Debian	7	all	tomcat6	< 6.0.45+dfsg-1~deb7u3	tomcat6_6.0.45+dfsg-1~deb7u3_all.deb
Debian	8	all	tomcat8	< 8.0.14-1+deb8u4	tomcat8_8.0.14-1+deb8u4_all.deb