OSV: DLA-435-1

tomcat6 - security update

Published: Feb 27, 2016 (source: Google osv.dev)

EPSS: 0.008 (percentile 81.8%)

Tomcat 6, an implementation of the Java Servlet and the JavaServer
Pages (JSP) specifications and a pure Java web server environment, was
affected by multiple security issues prior to version 6.0.45.

  • CVE-2015-5174
    Directory traversal vulnerability in RequestUtil.java in Apache
    Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27
    allows remote authenticated users to bypass intended SecurityManager
    restrictions and list a parent directory via a /.. (slash dot dot)
    in a pathname used by a web application in a getResource,
    getResourceAsStream, or getResourcePaths call, as demonstrated by
    the $CATALINA_BASE/webapps directory.
  • CVE-2015-5345
    The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before
    7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes
    redirects before considering security constraints and Filters, which
    allows remote attackers to determine the existence of a directory
    via a URL that lacks a trailing / (slash) character.
  • CVE-2015-5351
    The Manager and Host Manager applications in Apache Tomcat
    establish sessions and send CSRF tokens for arbitrary new requests,
    which allows remote attackers to bypass a CSRF protection mechanism
    by using a token.
  • CVE-2016-0706
    Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before
    8.0.31, and 9.x before 9.0.0.M2 does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list, which
    allows remote authenticated users to bypass intended SecurityManager
    restrictions and read arbitrary HTTP requests, and consequently
    discover session ID values, via a crafted web application.
  • CVE-2016-0714
    The session-persistence implementation in Apache Tomcat 6.x before
    6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before
    9.0.0.M2 mishandles session attributes, which allows remote
    authenticated users to bypass intended SecurityManager restrictions
    and execute arbitrary code in a privileged context via a web
    application that places a crafted object in a session.
  • CVE-2016-0763
    The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat
    does not consider whether ResourceLinkFactory.setGlobalContext
    callers are authorized, which allows remote authenticated users to
    bypass intended SecurityManager restrictions and read or write to
    arbitrary application data, or cause a denial of service
    (application disruption), via a web application that sets a crafted
    global context.

For Debian 6 Squeeze, these problems have been fixed in version
6.0.45-1~deb6u1.

We recommend that you upgrade your tomcat6 packages.