Synopsis
Important: Red Hat JBoss Web Server security and enhancement update
Type/Severity
Security Advisory: Important
Topic
An update is now available for Red Hat JBoss Web ServerRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System ...
Multiple security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine, which may result in possible timing attacks to
determine valid user names, bypass of the SecurityManager, disclosure of
system properties, unrestricted access to global resources, arbitrary
file overwrites, and potentially escalation of privileges
For the ...
USN-3177-1 introduced a regression in Tomcat ...
Several security issues were fixed in Tomcat ...
It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges (CVE-2016-6325)
A malicious web application was able to bypass a configu ...
Debian Bug report logs -
#842663
CVE-2016-5018: Apache Tomcat Security Manager Bypass
Package:
tomcat7;
Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat7 is src:tomcat7 (PTS, buildd, popcon)
Reported by: Guido Günther <agx@sigxcpuorg>
Date: Mon, 31 ...
Debian Bug report logs -
#842665
CVE-2016-6796: Apache Tomcat Security Manager Bypass
Package:
tomcat7;
Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat7 is src:tomcat7 (PTS, buildd, popcon)
Reported by: Guido Günther <agx@sigxcpuorg>
Date: Mon, 31 ...
Debian Bug report logs -
#840685
TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory
Package:
src:tomcat8;
Maintainer for src:tomcat8 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>;
Reported by: Paul Szabo <paulszabo@sydneyeduau>
Date: Thu, 13 Oct 2016 20:30:02 UT ...
Debian Bug report logs -
#842664
CVE-2016-6794: Apache Tomcat System Property Disclosure
Package:
tomcat7;
Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat7 is src:tomcat7 (PTS, buildd, popcon)
Reported by: Guido Günther <agx@sigxcpuorg>
Date: Mon, ...
Debian Bug report logs -
#842666
CVE-2016-6797: Apache Tomcat Unrestricted Access to Global Resources
Package:
tomcat7;
Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat7 is src:tomcat7 (PTS, buildd, popcon)
Reported by: Guido Günther <agx@sigxcpuorg>
...
Debian Bug report logs -
#842662
CVE-2016-0762: Apache Tomcat Realm Timing Attack
Package:
tomcat7;
Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat7 is src:tomcat7 (PTS, buildd, popcon)
Reported by: Guido Günther <agx@sigxcpuorg>
Date: Mon, 31 Oct ...
The Realm implementations did not process the supplied password if the supplied user name did not exist This made a timing attack possible to determine valid user names Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder ...
Vulmon