{"id":"MGASA-2016-0090","summary":"Updated tomcat packages fix security vulnerabilities","details":"Updated tomcat packages fix security vulnerabilities:\n\nDirectory traversal vulnerability in RequestUtil.java in Apache Tomcat 7.x\nbefore 7.0.65 allows remote authenticated users to bypass intended\nSecurityManager restrictions and list a parent directory via a /.. (slash dot\ndot) in a pathname used by a web application in a getResource,\ngetResourceAsStream, or getResourcePaths call, as demonstrated by the\n$CATALINA_BASE/webapps directory (CVE-2015-5174).\n\nThe Mapper component in 7.x before 7.0.67 processes redirects before\nconsidering security constraints and Filters, which allows remote attackers\nto determine the existence of a directory via a URL that lacks a trailing /\n(slash) character (CVE-2015-5345).\n\nSession fixation vulnerability in Apache Tomcat 7.x before 7.0.66, when\ndifferent session settings are used for deployments of multiple versions of\nthe same web application, might allow remote attackers to hijack web sessions\nby leveraging use of a requestedSessionSSL field for an unintended request,\nrelated to CoyoteAdapter.java and Request.java (CVE-2015-5346).\n\nThe Manager and Host Manager applications in Apache Tomcat 7.x before 7.0.68\nestablish sessions and send CSRF tokens for arbitrary new requests, which\nallows remote attackers to bypass a CSRF protection mechanism by using a\ntoken (CVE-2015-5351).\n\nApache Tomcat 7.x before 7.0.68 does not place\norg.apache.catalina.manager.StatusManagerServlet on the\norg/apache/catalina/core/RestrictedServlets.properties list, which allows\nremote authenticated users to bypass intended SecurityManager restrictions\nand read arbitrary HTTP requests, and consequently discover session ID\nvalues, via a crafted web application (CVE-2016-0706).\n\nThe session-persistence implementation in Apache Tomcat 7.x before 7.0.68\nmishandles session attributes, which allows remote authenticated users to\nbypass intended SecurityManager restrictions and execute arbitrary code in a\nprivileged context via a web application that places a crafted object in a\nsession (CVE-2016-0714).\n\nThe setGlobalContext method in\norg/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x\nbefore 7.0.68 does not consider whether ResourceLinkFactory.setGlobalContext\ncallers are authorized, which allows remote authenticated users to bypass\nintended SecurityManager restrictions and read or write to arbitrary\napplication data, or cause a denial of service (application disruption), via\na web application that sets a crafted global context (CVE-2016-0763).\n\nThe tomcat package has been updated to version 7.0.68 to fix these issues.\nThe tomcat-native package has also been updated to version 1.1.34 for\ncompatibility with the updated tomcat.\n","modified":"2026-04-16T06:26:27.268569259Z","published":"2016-03-02T18:28:46Z","upstream":["CVE-2015-5174","CVE-2015-5345","CVE-2015-5346","CVE-2015-5351","CVE-2016-0706","CVE-2016-0714","CVE-2016-0763"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0090.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=17847"},{"type":"WEB","url":"http://tomcat.apache.org/security-7.html"}],"affected":[{"package":{"name":"tomcat","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/tomcat?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.68-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0090.json"}},{"package":{"name":"tomcat-native","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/tomcat-native?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.34-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0090.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}