This update for tomcat6 fixes the following issues:
The version was updated from 6.0.41 to 6.0.45.
Security issues fixed:
- CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in
Apache Tomcat allowed remote authenticated users to bypass intended
SecurityManager restrictions and list a parent directory via a /…
(slash dot dot) in a pathname used by a web application in a
getResource, getResourceAsStream, or getResourcePaths call, as
demonstrated by the $CATALINA_BASE/webapps directory. (bsc#967967)
- CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects
before considering security constraints and Filters, which allowed
remote attackers to determine the existence of a directory via a URL
that lacks a trailing / (slash) character. (bsc#967965)
- CVE-2016-0706: Apache Tomcat did not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties list, which
allowed remote authenticated users to bypass intended SecurityManager
restrictions and read arbitrary HTTP requests, and consequently
discover session ID values, via a crafted web application. (bsc#967815)
- CVE-2016-0714: The session-persistence implementation in Apache Tomcat
mishandled session attributes, which allowed remote authenticated users
to bypass intended SecurityManager restrictions and execute arbitrary
code in a privileged context via a web application that places a crafted
object in a session. (bsc#967964)