[SECURITY] [DSA 3670-1] tomcat8 security update

2016-09-1517:27:51

lists.debian.org

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

9.1%

JSON

Debian Security Advisory DSA-3670-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
September 15, 2016 https://www.debian.org/security/faq

Package : tomcat8
CVE ID : CVE-2016-1240

Dawid Golunski of LegalHackers discovered that the Tomcat init script
performed unsafe file handling, which could result in local privilege
escalation.

For the stable distribution (jessie), this problem has been fixed in
version 8.0.14-1+deb8u3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your tomcat8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7alllibservlet3.0-java-doc< 7.0.28-4+deb7u6libservlet3.0-java-doc_7.0.28-4+deb7u6_all.deb
Debian7alltomcat7-examples< 7.0.28-4+deb7u6tomcat7-examples_7.0.28-4+deb7u6_all.deb
Debian8alltomcat7< 7.0.56-3+deb8u4tomcat7_7.0.56-3+deb8u4_all.deb
Debian8alltomcat7-admin< 7.0.56-3+deb8u4tomcat7-admin_7.0.56-3+deb8u4_all.deb
Debian8alllibservlet3.0-java-doc< 7.0.56-3+deb8u4libservlet3.0-java-doc_7.0.56-3+deb8u4_all.deb
Debian8alltomcat8-docs< 8.0.14-1+deb8u3tomcat8-docs_8.0.14-1+deb8u3_all.deb
Debian7alllibservlet2.5-java< 6.0.45+dfsg-1~deb7u2libservlet2.5-java_6.0.45+dfsg-1~deb7u2_all.deb
Debian8alllibservlet3.1-java-doc< 8.0.14-1+deb8u3libservlet3.1-java-doc_8.0.14-1+deb8u3_all.deb
Debian8alltomcat8-common< 8.0.14-1+deb8u3tomcat8-common_8.0.14-1+deb8u3_all.deb
Debian7alltomcat6-user< 6.0.45+dfsg-1~deb7u2tomcat6-user_6.0.45+dfsg-1~deb7u2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	all	libservlet3.0-java-doc	< 7.0.28-4+deb7u6	libservlet3.0-java-doc_7.0.28-4+deb7u6_all.deb
Debian	7	all	tomcat7-examples	< 7.0.28-4+deb7u6	tomcat7-examples_7.0.28-4+deb7u6_all.deb
Debian	8	all	tomcat7	< 7.0.56-3+deb8u4	tomcat7_7.0.56-3+deb8u4_all.deb
Debian	8	all	tomcat7-admin	< 7.0.56-3+deb8u4	tomcat7-admin_7.0.56-3+deb8u4_all.deb
Debian	8	all	libservlet3.0-java-doc	< 7.0.56-3+deb8u4	libservlet3.0-java-doc_7.0.56-3+deb8u4_all.deb
Debian	8	all	tomcat8-docs	< 8.0.14-1+deb8u3	tomcat8-docs_8.0.14-1+deb8u3_all.deb
Debian	7	all	libservlet2.5-java	< 6.0.45+dfsg-1~deb7u2	libservlet2.5-java_6.0.45+dfsg-1~deb7u2_all.deb
Debian	8	all	libservlet3.1-java-doc	< 8.0.14-1+deb8u3	libservlet3.1-java-doc_8.0.14-1+deb8u3_all.deb
Debian	8	all	tomcat8-common	< 8.0.14-1+deb8u3	tomcat8-common_8.0.14-1+deb8u3_all.deb
Debian	7	all	tomcat6-user	< 6.0.45+dfsg-1~deb7u2	tomcat6-user_6.0.45+dfsg-1~deb7u2_all.deb