[El-errata] ELSA-2016-2599 Moderate: Oracle Linux 7 tomcat security, bug fix, and enhancement update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Thu Nov 10 11:10:03 PST 2016
Oracle Linux Security Advisory ELSA-2016-2599
http://linux.oracle.com/errata/ELSA-2016-2599.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
x86_64:
tomcat-7.0.69-10.el7.noarch.rpm
tomcat-admin-webapps-7.0.69-10.el7.noarch.rpm
tomcat-docs-webapp-7.0.69-10.el7.noarch.rpm
tomcat-el-2.2-api-7.0.69-10.el7.noarch.rpm
tomcat-javadoc-7.0.69-10.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.69-10.el7.noarch.rpm
tomcat-jsvc-7.0.69-10.el7.noarch.rpm
tomcat-lib-7.0.69-10.el7.noarch.rpm
tomcat-servlet-3.0-api-7.0.69-10.el7.noarch.rpm
tomcat-webapps-7.0.69-10.el7.noarch.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/tomcat-7.0.69-10.el7.src.rpm
Description of changes:
[0:7.0.69-10]
- Related: rhbz#1368122
[0:7.0.69-9]
- Resolves: rhbz#1362213 Tomcat: CGI sets environmental variable based
on user supplied Proxy request header
- Resolves: rhbz#1368122
[0:7.0.69-7]
- Resolves: rhbz#1362545
[0:7.0.69-6]
- Related: rhbz#1201409 Added /etc/sysconfig/tomcat to the systemd unit
for tomcat-jsvc.service
[0:7.0.69-5]
- Resolves: rhbz#1347860 The systemd service unit does not allow tomcat
to shut down gracefully
[0:7.0.69-4]
- Resolves: rhbz#1350438 CVE-2016-3092 tomcat: Usage of vulnerable
FileUpload package can result in denial of service
[0:7.0.69-3]
- Resolves: rhbz#1347774 The security manager doesn't work correctly
(JSPs cannot be compiled)
[0:7.0.69-2]
- Rebase Resolves: rhbz#1311622 Getting NoSuchElementException while
handling attributes with empty string value in tomcat
- Rebase Resolves: rhbz#1320853 Add HSTS support
- Rebase Resolves: rhbz#1293292 CVE-2014-7810 tomcat: Tomcat/JBossWeb:
security manager bypass via EL expressions
- Rebase Resolves: rhbz#1347144 CVE-2016-0706 tomcat: security manager
bypass via StatusManagerServlet
- Rebase Resolves: rhbz#1347139 CVE-2015-5346 tomcat: Session fixation
- Rebase Resolves: rhbz#1347136 CVE-2015-5345 tomcat: directory disclosure
- Rebase Resolves: rhbz#1347129 CVE-2015-5174 tomcat: URL Normalization
issue
- Rebase Resolves: rhbz#1347146 CVE-2016-0763 tomcat: security manager
bypass via setGlobalContext()
- Rebase Resolves: rhbz#1347142 CVE-2016-0714 tomcat: Security Manager
bypass via persistence mechanisms
- Rebase Resolves: rhbz#1347133 CVE-2015-5351 tomcat: CSRF token leak
[0:7.0.69-1]
- Resolves: rhbz#1287928 Rebase to tomcat 7.0.69
- Resolves: rhbz#1327326 rpm -V tomcat fails on /var/log/tomcat/catalina.out
- Resolves: rhbz#1277197 tomcat user has non-existing default shell set
- Resolves: rhbz#1240279 The command tomcat-digest doesn't work with RHEL 7
- Resolves: rhbz#1229476 Tomcat startup ONLY options
- Resolves: rhbz#1133070 Need to include full implementation of
tomcat-juli.jar and tomcat-juli-adapters.jar
- Resolves: rhbz#1201409 Fix the broken tomcat-jsvc service unit
- Resolves: rhbz#1221896 tomcat.service loads /etc/sysconfig/tomcat
without shell expansion
- Resolves: rhbz#1208402 Mark web.xml in tomcat-admin-webapps as config file
More information about the El-errata
mailing list