Public bug reported:

Please sync tomcat8 8.0.36-3 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat8.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

  Fixed in Debian

Changelog entries since current yakkety version 8.0.36-2ubuntu1:

tomcat8 (8.0.36-3) unstable; urgency=high

  * Team upload.
  * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
    attackers who have gained access to the server in the context of the
    tomcat user through a vulnerability in a web application to replace the
    catalina.out file with a symlink to an arbitrary file on the system,
    potentially leading to a root privilege escalation. Thanks to Dawid
    Golunski for the report.
  * Removed the default 128M heap limit (LP: #568823)
  * Depend on taglibs-standard instead of jakarta-taglibs-standard

 -- Emmanuel Bourg <ebo...@apache.org>  Wed, 14 Sep 2016 10:20:28 +0200

** Affects: tomcat8 (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: tomcat8 (Ubuntu)
       Importance: Undecided => Wishlist

https://bugs.launchpad.net/bugs/1624632
Title: Sync tomcat8 8.0.36-3 (main) from Debian unstable (main)
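The bug class described above (an init script run as root that touches and chowns a log path the service user controls) is illustrated by the following added example; it is not the Debian patch, and the helper name prepare_log_file is an assumption. It refuses to act on a catalina.out that is a symlink or any other non-regular file, creates the file with noclobber so a path that appears between check and create makes the redirection fail, and uses chown -h so the ownership change can never be redirected through a link.

```shell
#!/bin/sh
# Added example, not the Debian tomcat8.init script: a symlink-safe
# replacement for a bare "touch $LOG; chown $USER $LOG" sequence.

# prepare_log_file PATH OWNER
# Returns 0 when PATH is (or was just created as) a regular file owned by
# OWNER; returns 1 and leaves everything untouched when PATH is a symlink
# or any other non-regular file, so a planted link is never followed.
prepare_log_file() {
    path="$1"
    owner="$2"

    # A pre-existing symlink is exactly the CVE-2016-1240 condition.
    if [ -L "$path" ]; then
        echo "refusing to use $path: it is a symlink" >&2
        return 1
    fi
    # A FIFO, device or directory at the log path is equally suspect.
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo "refusing to use $path: not a regular file" >&2
        return 1
    fi
    # Create with noclobber (set -C): if something appeared at the path
    # between the checks above and here, the redirection fails instead of
    # opening whatever the new path points at.
    if [ ! -e "$path" ]; then
        ( set -C; : > "$path" ) 2>/dev/null || return 1
    fi
    # Re-verify after creation before handing the file to the service user.
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    # chown -h changes the named path itself, never a link target.
    # The chown is skipped when not running as root so the helper can be
    # exercised unprivileged; the init script itself always runs as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown -h "$owner" "$path" || return 1
    fi
    return 0
}
```

The check-then-create sequence still has a small window; noclobber and the post-creation re-check narrow it, and chown -h removes the root-owned write on a link target that made the original bug exploitable.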