[SECURITY] [DLA 435-1] tomcat6 security update

Package : tomcat6
Version : 6.0.45-1~deb6u1
CVE ID : CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

Tomcat 6, an implementation of the Java Servlet and the JavaServer
Pages (JSP) specifications and a pure Java web server environment, was
affected by multiple security issues prior version 6.0.45.

CVE-2015-5174
Directory traversal vulnerability in RequestUtil.java in Apache
Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27
allows remote authenticated users to bypass intended SecurityManager
restrictions and list a parent directory via a /… (slash dot dot)
in a pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call, as demonstrated by
the $CATALINA_BASE/webapps directory.

CVE-2015-5345
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before
7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes
redirects before considering security constraints and Filters, which
allows remote attackers to determine the existence of a directory
via a URL that lacks a trailing / (slash) character.

CVE-2015-5351
The Manager and Host Manager applications in Apache Tomcat
establish sessions and send CSRF tokens for arbitrary new requests,
which allows remote attackers to bypass a CSRF protection mechanism
by using a token.

CVE-2016-0706
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before
8.0.31, and 9.x before 9.0.0.M2 does not place
org.apache.catalina.manager.StatusManagerServlet on the org/apache
/catalina/core/RestrictedServlets.properties list, which allows
remote authenticated users to bypass intended SecurityManager
restrictions and read arbitrary HTTP requests, and consequently
discover session ID values, via a crafted web application.

CVE-2016-0714
The session-persistence implementation in Apache Tomcat 6.x before
6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before
9.0.0.M2 mishandles session attributes, which allows remote
authenticated users to bypass intended SecurityManager restrictions
and execute arbitrary code in a privileged context via a web
application that places a crafted object in a session.

CVE-2016-0763
The setGlobalContext method in org/apache/naming/factory
/ResourceLinkFactory.java in Apache Tomcat does not consider whether
ResourceLinkFactory.setGlobalContext callers are authorized, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read or write to arbitrary application data, or
cause a denial of service (application disruption), via a web
application that sets a crafted global context.

For Debian 6 "Squeeze", these problems have been fixed in version
6.0.45-1~deb6u1.

We recommend that you upgrade your tomcat6 packages.