[SECURITY] [DLA 1108-1] tomcat7 security update

2017-09-2416:53:09

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.926 High

EPSS

Percentile

99.0%

JSON

Package : tomcat7
Version : 7.0.28-4+deb7u15
CVE ID : CVE-2017-12616

The Tomcat security team discovered that when using a
VirtualDirContext it was possible to bypass security constraints
and/or view the source code of JSPs for resources served by the
VirtualDirContext using a specially crafted request.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u15.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8alltomcat7-common< 7.0.56-3+really7.0.88-1tomcat7-common_7.0.56-3+really7.0.88-1_all.deb
Debian7alllibservlet3.0-java-doc< 7.0.28-4+deb7u15libservlet3.0-java-doc_7.0.28-4+deb7u15_all.deb
Debian8alltomcat7-docs< 7.0.56-3+really7.0.88-1tomcat7-docs_7.0.56-3+really7.0.88-1_all.deb
Debian8alltomcat7-user< 7.0.56-3+really7.0.88-1tomcat7-user_7.0.56-3+really7.0.88-1_all.deb
Debian7alllibservlet3.0-java< 7.0.28-4+deb7u15libservlet3.0-java_7.0.28-4+deb7u15_all.deb
Debian7alltomcat7-docs< 7.0.28-4+deb7u15tomcat7-docs_7.0.28-4+deb7u15_all.deb
Debian7alltomcat7-admin< 7.0.28-4+deb7u15tomcat7-admin_7.0.28-4+deb7u15_all.deb
Debian7alllibtomcat7-java< 7.0.28-4+deb7u15libtomcat7-java_7.0.28-4+deb7u15_all.deb
Debian8alllibtomcat7-java< 7.0.56-3+really7.0.88-1libtomcat7-java_7.0.56-3+really7.0.88-1_all.deb
Debian7alltomcat7< 7.0.28-4+deb7u15tomcat7_7.0.28-4+deb7u15_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	tomcat7-common	< 7.0.56-3+really7.0.88-1	tomcat7-common_7.0.56-3+really7.0.88-1_all.deb
Debian	7	all	libservlet3.0-java-doc	< 7.0.28-4+deb7u15	libservlet3.0-java-doc_7.0.28-4+deb7u15_all.deb
Debian	8	all	tomcat7-docs	< 7.0.56-3+really7.0.88-1	tomcat7-docs_7.0.56-3+really7.0.88-1_all.deb
Debian	8	all	tomcat7-user	< 7.0.56-3+really7.0.88-1	tomcat7-user_7.0.56-3+really7.0.88-1_all.deb
Debian	7	all	libservlet3.0-java	< 7.0.28-4+deb7u15	libservlet3.0-java_7.0.28-4+deb7u15_all.deb
Debian	7	all	tomcat7-docs	< 7.0.28-4+deb7u15	tomcat7-docs_7.0.28-4+deb7u15_all.deb
Debian	7	all	tomcat7-admin	< 7.0.28-4+deb7u15	tomcat7-admin_7.0.28-4+deb7u15_all.deb
Debian	7	all	libtomcat7-java	< 7.0.28-4+deb7u15	libtomcat7-java_7.0.28-4+deb7u15_all.deb
Debian	8	all	libtomcat7-java	< 7.0.56-3+really7.0.88-1	libtomcat7-java_7.0.56-3+really7.0.88-1_all.deb
Debian	7	all	tomcat7	< 7.0.28-4+deb7u15	tomcat7_7.0.28-4+deb7u15_all.deb