tomcat security, bug fix, and enhancement update

2017-08-07T00:00:00
ID ELSA-2017-2247
Type oraclelinux
Reporter Oracle
Modified 2017-08-07T00:00:00

Description

[0:7.0.76-2]
- Resolves: rhbz#1459747 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
- Resolves: rhbz#1441481 CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used

[0:7.0.76-1]
- Resolves: rhbz#1414895 Rebase tomcat to the current release

[0:7.0.69-10]
- Related: rhbz#1368122

[0:7.0.69-9]
- Resolves: rhbz#1362213 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
- Resolves: rhbz#1368122

[0:7.0.69-7]
- Resolves: rhbz#1362545

[0:7.0.69-6]
- Related: rhbz#1201409 Added /etc/sysconfig/tomcat to the systemd unit for tomcat-jsvc.service

[0:7.0.69-5]
- Resolves: rhbz#1347860 The systemd service unit does not allow tomcat to shut down gracefully

[0:7.0.69-4]
- Resolves: rhbz#1350438 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service

[0:7.0.69-3]
- Resolves: rhbz#1347774 The security manager doesn't work correctly (JSPs cannot be compiled)

[0:7.0.69-2]
- Rebase Resolves: rhbz#1311622 Getting NoSuchElementException while handling attributes with empty string value in tomcat
- Rebase Resolves: rhbz#1320853 Add HSTS support
- Rebase Resolves: rhbz#1293292 CVE-2014-7810 tomcat: Tomcat/JBossWeb: security manager bypass via EL expressions
- Rebase Resolves: rhbz#1347144 CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
- Rebase Resolves: rhbz#1347139 CVE-2015-5346 tomcat: Session fixation
- Rebase Resolves: rhbz#1347136 CVE-2015-5345 tomcat: directory disclosure
- Rebase Resolves: rhbz#1347129 CVE-2015-5174 tomcat: URL Normalization issue
- Rebase Resolves: rhbz#1347146 CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
- Rebase Resolves: rhbz#1347142 CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
- Rebase Resolves: rhbz#1347133 CVE-2015-5351 tomcat: CSRF token leak

[0:7.0.69-1]
- Resolves: rhbz#1287928 Rebase to tomcat 7.0.69
- Resolves: rhbz#1327326 rpm -V tomcat fails on /var/log/tomcat/catalina.out
- Resolves: rhbz#1277197 tomcat user has non-existing default shell set
- Resolves: rhbz#1240279 The command tomcat-digest doesn't work with RHEL 7
- Resolves: rhbz#1229476 Tomcat startup ONLY options
- Resolves: rhbz#1133070 Need to include full implementation of tomcat-juli.jar and tomcat-juli-adapters.jar
- Resolves: rhbz#1201409 Fix the broken tomcat-jsvc service unit
- Resolves: rhbz#1221896 tomcat.service loads /etc/sysconfig/tomcat without shell expansion
- Resolves: rhbz#1208402 Mark web.xml in tomcat-admin-webapps as config file

[0:7.0.54-2]
- Resolves: CVE-2014-0227

[0:7.0.54-1]
- Resolves: rhbz#1141372
- Remove systemv artifacts. Add new systemd artifacts. Rebase on 7.0.54.

[0:7.0.43-6]
- Resolves: CVE-2014-0099
- Resolves: CVE-2014-0096
- Resolves: CVE-2014-0075

[0:7.0.42-5]
- Related: CVE-2013-4286
- Related: CVE-2013-4322
- Related: CVE-2014-0050
- revisit patches for above.

[0:7.0.42-4]
- Related: rhbz#1056696 correct packaging for sbin tomcat

[0:7.0.42-3]
- Related: CVE-2013-4286. increment build number. missed doing it.
- Resolves: rhbz#1038183 remove BR for ant-nodeps. it's no longer used.

[0:7.0.42-2]
- Resolves: rhbz#1056673 Invocation of useradd with shell other than sbin nologin
- Resolves: rhbz#1056677 preun systemv scriptlet unconditionally stops service
- Resolves: rhbz#1056696 init.d tomcat does not conform to RHEL7 systemd rules. systemv subpackage is removed.
- Resolves: CVE-2013-4286
- Resolves: CVE-2013-4322
- Resolves: CVE-2014-0050
- Built for rhel-7 RC

[0:7.0.42-1]
- Resolves: rhbz#1051657 update to 7.0.42. Ant-nodeps is deprecated.

[0:7.0.40-3]
- Mass rebuild 2013-12-27

[0:7.0.40-1]
- Updated to 7.0.40
- Resolves: rhbz 956569 added missing commons-pool link

[0:7.0.37-2]
- Add depmaps for org.eclipse.jetty.orbit
- Resolves: rhbz#917626

[0:7.0.39-1]
- Updated to 7.0.39

[0:7.0.37-1]
- Updated to 7.0.37

[0:7.0.35-1]
- Updated to 7.0.35
- systemd SuccessExitStatus=143 for proper stop exit code processing

[0:7.0.34-1]
- Updated to 7.0.34
- ecj >= 4.2.1 now required
- Resolves: rhbz 889395 concat classpath correctly; chdir to

[0:7.0.33-2]
- Resolves: rhbz 883806 refix logdir ownership

[0:7.0.33-1]
- Updated to 7.0.33
- Resolves: rhbz 873620 need chkconfig for update-alternatives

[0:7.0.32-1]
- Updated to 7.0.32
- Resolves: rhbz 842620 symlinks to taglibs

[0:7.0.29-1]
- Updated to 7.0.29
- Add pidfile as tmpfile
- Use systemd for running as unprivileged user
- Resolves: rhbz 847751 upgrade path was broken
- Resolves: rhbz 850343 use new systemd-rpm macros

[0:7.0.28-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

[0:7.0.28-1]
- Updated to 7.0.28
- Resolves: rhbz 820119 Remove bundled apache-commons-dbcp
- Resolves: rhbz 814900 Added tomcat-coyote POM
- Resolves: rhbz 810775 Remove systemv stuff from %post scriptlet
- Remove redhat-lsb R

[0:7.0.27-2]
- Fixed native download hack

[0:7.0.27-1]
- Updated to 7.0.27
- Fixed jakarta-taglibs-standard BR and R

[0:7.0.26-2]
- Add more depmaps to J2EE apis to help jetty/glassfish updates

[0:7.0.26-2]
- Added the POM files for tomcat-api and tomcat-util (#803495)

[0:7.0.26-1]
- Updated to 7.0.26
- Bug 790334: Change ownership of logdir for logrotate

[0:7.0.25-4]
- Bug 790694: Priorities of jsp, servlet and el packages updated.

[0:7.0.25-3]
- Dropped indirect dependency to tomcat 5

[0:7.0.25-2]
- Added hack for maven depmap of tomcat-juli absolute link [ -f ] pass correctly

[0:7.0.25-1]
- Updated to 7.0.25
- Removed EntityResolver patch (changes already in upstream sources)
- Place poms and depmaps in the same package as jars
- Added javax.servlet.descriptor to export-package of servlet-api
- Move several chkconfig actions and reqs to systemv subpackage
- New maven depmaps generation method
- Add patch to support java7. (patch sent upstream).
- Require java >= 1:1.6.0

[0:7.0.23-5]
- Exported javax.servlet. packages in version 3.0 as 2.6 to make servlet-api compatible with Eclipse.

[0:7.0.23-4]
- Move jsvc support to subpackage

[0:7.0.23-2]
- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream).

[0:7.0.23-3]
- Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for starting tomcat with jsvc, which allows tomcat to perform some privileged operations (e.g. bind to a port < 1024) and then switch identity to a non-privileged user. Must add USE_JSVC='true' to /etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat.

[0:7.0.23-1]
- Updated to 7.0.23

[0:7.0.22-2]
- Move tomcat-juli.jar to lib package
- Drop %update_maven_depmap as in tomcat6
- Provide native systemd unit file ported from tomcat6

[0:7.0.22-1]
- Updated to 7.0.22

[0:7.0.21-3.1]
- rebuild (java), rel-eng#4932

[0:7.0.21-3]
- Fix basedir mode

[0:7.0.21-2]
- Add manifests for el-api, jasper-el, jasper, tomcat, and tomcat-juli.

[0:7.0.21-1]
- Updated to 7.0.21

[0:7.0.20-3]
- Require java = 1:1.6.0

[0:7.0.20-2]
- Require java < 1.7.0

[0:7.0.20-1]
- Updated to 7.0.20

[0:7.0.19-1]
- Updated to 7.0.19

[0:7.0.16-1]
- Updated to 7.0.16

[0:7.0.14-3]
- Added initial systemd service
- Fix some paths

[0:7.0.14-2]
- Fixed http source link
- Securify some permissions
- Added licenses for el-api and servlet-api
- Added dependency on jpackage-utils for the javadoc subpackage

[0:7.0.14-1]
- Updated to 7.0.14

[0:7.0.12-4]
- Provided local paths for libs
- Fixed dependencies
- Fixed update temp/work cleanup

[0:7.0.12-3]
- Fixed package groups
- Fixed some permissions
- Fixed some links
- Removed old tomcat6 crap

[0:7.0.12-2]
- Package now named just tomcat instead of tomcat7
- Removed Provides: tomcat-log4j
- Switched to apache-commons- names instead of jakarta-commons-*.
- Remove the old changelog
- BR/R java >= 1:1.6.0, same for java-devel
- Removed old tomcat6 crap

[0:7.0.12-1]
- Tomcat7