
Debian-LTS alert DLA-623-1 (tomcat7)

From:  Markus Koschany <apo@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 623-1] tomcat7 security update
Date:  Thu, 15 Sep 2016 17:07:58 +0200
Message-ID:  <3b9f8d32-6f8e-7f76-5da8-391dc873637c@debian.org>

Package : tomcat7
Version : 7.0.28-4+deb7u6
CVE ID  : CVE-2016-1240

Dawid Golunski from legalhackers.com discovered that Debian's version of Tomcat 7 was vulnerable to a local privilege escalation. Local attackers who have gained access to the server in the context of the tomcat7 user through a vulnerability in a web application were able to replace the file with a symlink to an arbitrary file.

The full advisory can be found at http://legalhackers.com/advisories/Tomcat-Debian-based-Ro...

In addition, this security update also fixes Debian bug #821391. File ownership in /etc/tomcat7 will no longer be unconditionally overridden on upgrade. As another precaution, the file permissions of Debian-specific configuration files in /etc/tomcat7 were changed to 640 to disallow world-readable access.

For Debian 7 "Wheezy", these problems have been fixed in version 7.0.28-4+deb7u6.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
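An audit check for the hardening this advisory describes, added here as an example and not taken from Debian or the advisory: it flags files under a Tomcat configuration directory that are symbolic links (the vector named above), world-readable (wider than the 640 the update applies), or owned by the service user. The directory and the service user name are parameters; GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not part of DLA-623-1): audit a Tomcat configuration
# directory against the properties the advisory's fix establishes.
#   audit_tomcat_conf DIR [SERVICE_USER]
# Prints one line per finding:
#   SYMLINK         a config file has been replaced by a symbolic link
#   WORLD-READABLE  mode grants read access to "other" (not 640 or tighter)
#   SERVICE-OWNED   the file is owned by the service user (default tomcat7),
#                   who should not be able to modify its own configuration
# Assumes GNU find/stat; filenames containing newlines are not handled.
audit_tomcat_conf() {
    dir=$1
    svc_user=${2:-tomcat7}
    if [ ! -d "$dir" ]; then
        echo "audit_tomcat_conf: no such directory: $dir" >&2
        return 2
    fi
    # -type l matches symlinks themselves, dangling ones included
    find "$dir" \( -type f -o -type l \) | while IFS= read -r f; do
        if [ -L "$f" ]; then
            echo "SYMLINK  $f -> $(readlink "$f")"
            continue
        fi
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U' "$f")
        # world-readable when the last octal digit has the read bit (4) set
        case $mode in
            *[4567]) echo "WORLD-READABLE  $f (mode $mode)" ;;
        esac
        if [ "$owner" = "$svc_user" ]; then
            echo "SERVICE-OWNED  $f (owner $owner)"
        fi
    done
}

# Run directly with a directory argument, e.g.: ./audit.sh /etc/tomcat7 tomcat7
if [ $# -gt 0 ]; then
    audit_tomcat_conf "$@"
fi
```

A clean result prints nothing; each reported line is a file that the package's post-update state (owned by root, mode 640, regular file) would not have.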




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds