tomcat6-6.0.24-98.AXS4

Errata ID: AXSA:2016-705:03

Release date: Tuesday, October 11, 2016 - 03:09
Subject: tomcat6-6.0.24-98.AXS4
Affected Channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: High
Description: 

Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.

Security issues fixed with this release:

CVE-2015-5174
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat
6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows
remote authenticated users to bypass intended SecurityManager
restrictions and list a parent directory via a /.. (slash dot dot) in
a pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call, as demonstrated by the
$CATALINA_BASE/webapps directory.
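The check that CVE-2015-5174 concerns, modelled on a constructed in-memory web application rather than on Tomcat's own RequestUtil code (added example, not from the advisory or the Tomcat project): context-relative resource paths are normalised segment by segment, and any "/.." that climbs above the application root is rejected instead of being silently collapsed, so a listing of the parent of $CATALINA_BASE/webapps is never produced. The resource tree and its entries are constructed for the example.

```python
from typing import List, Optional

# Constructed in-memory view of one web application's resources, rooted at "/".
# Entries ending in "/" are directories (what getResourcePaths would list).
WEBAPP_RESOURCES = frozenset({
    "/", "/index.jsp", "/WEB-INF/", "/WEB-INF/web.xml", "/WEB-INF/classes/",
})

def normalize_context_path(path: str) -> Optional[str]:
    """Normalise a servlet-context resource path; None if it escapes the root.

    Context paths are absolute within the web application, so the result must
    stay at or below "/". Generic normalisers such as posixpath.normpath turn
    "/.." into "/" silently, which is exactly the parent-directory case this
    advisory describes, so the ".." segments are counted explicitly instead.
    """
    if not path.startswith("/"):
        return None
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None        # tried to climb above the application root
            segments.pop()
        else:
            segments.append(seg)
    normalised = "/" + "/".join(segments)
    if path.endswith("/") and normalised != "/":
        normalised += "/"
    return normalised

def list_resource_paths(path: str) -> Optional[List[str]]:
    """Mimic ServletContext.getResourcePaths over the constructed tree:
    the direct children of the directory, or None when the path is rejected."""
    directory = normalize_context_path(path)
    if directory is None:
        return None
    if not directory.endswith("/"):
        directory += "/"
    children = []
    for res in WEBAPP_RESOURCES:
        if res != directory and res.startswith(directory):
            rest = res[len(directory):]
            if "/" not in rest.rstrip("/"):   # one level down only
                children.append(res)
    return sorted(children)
```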
CVE-2015-5345
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before
7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects
before considering security constraints and Filters, which allows
remote attackers to determine the existence of a directory via a URL
that lacks a trailing / (slash) character.
CVE-2016-0706
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31,
and 9.x before 9.0.0.M2 does not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties list, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read arbitrary HTTP requests, and consequently
discover session ID values, via a crafted web application.
CVE-2016-0714
The session-persistence implementation in Apache Tomcat 6.x before
6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2
mishandles session attributes, which allows remote authenticated users
to bypass intended SecurityManager restrictions and execute arbitrary
code in a privileged context via a web application that places a
crafted object in a session.
CVE-2016-5388
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows
RFC 3875 section 4.1.18 and therefore does not protect applications
from the presence of untrusted client data in the HTTP_PROXY
environment variable, which might allow remote attackers to redirect
an application's outbound HTTP traffic to an arbitrary proxy server
via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
NOTE: the vendor states "A mitigation is planned for future releases
of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a
CVE ID for a vulnerability.
CVE-2016-6325
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
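The mechanism behind CVE-2016-5388 above, as an added example that is not part of the advisory or of Tomcat's CGI servlet: the RFC 3875 section 4.1.18 header-to-meta-variable mapping is implemented naively and then hardened so that no client header can populate HTTP_PROXY, with a helper that flags such requests for logging. The header names and hostnames in the sample request are constructed placeholders.

```python
from typing import Dict, List, Mapping

# RFC 3875 section 4.1.18: each request header "Name: value" becomes the
# meta-variable HTTP_NAME (upper-cased, "-" replaced by "_"). Applied blindly,
# a client-supplied "Proxy:" header lands in HTTP_PROXY, which many HTTP client
# libraries read as their outbound proxy setting (the httpoxy pattern).
def cgi_header_name(header: str) -> str:
    return "HTTP_" + header.strip().upper().replace("-", "_")

# Meta-variables that must never be populated from client input because a CGI
# child process treats them as configuration rather than as request data.
BLOCKED_META_VARIABLES = frozenset({"HTTP_PROXY"})

def build_cgi_env(headers: Mapping[str, str], *, harden: bool = True) -> Dict[str, str]:
    """Map request headers to CGI meta-variables.

    harden=False reproduces the naive RFC 3875 mapping; harden=True drops any
    header whose CGI name collides with a blocked variable. The check is made
    on the derived name, so "proxy", "PROXY" and "Proxy" are all caught.
    """
    env: Dict[str, str] = {}
    for name, value in headers.items():
        meta = cgi_header_name(name)
        if harden and meta in BLOCKED_META_VARIABLES:
            continue
        env[meta] = value
    return env

def find_blocked_headers(headers: Mapping[str, str]) -> List[str]:
    """Header names that would map onto a blocked meta-variable; a request
    carrying one is worth logging even after the hardened mapping drops it."""
    return [n for n in headers if cgi_header_name(n) in BLOCKED_META_VARIABLES]

# Constructed sample request: a normal Host header plus the "Proxy" header the
# advisory describes; the hostnames are placeholders.
SAMPLE_HEADERS = {
    "Host": "app.example.internal",
    "Proxy": "http://untrusted-proxy.example:3128",
    "X-Forwarded-For": "203.0.113.7",
}

if __name__ == "__main__":
    print("naive   :", build_cgi_env(SAMPLE_HEADERS, harden=False))
    print("hardened:", build_cgi_env(SAMPLE_HEADERS))
    print("flagged :", find_blocked_headers(SAMPLE_HEADERS))
```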

Fixed bugs:

* Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the "rpm -V" command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. tomcat6-6.0.24-98.AXS4.src.rpm
    MD5: 70600565d6cc370b20b055508132fee9
    SHA-256: f7b113dcbd1387cce7396b0b44911265234d766d85da19d22c4a355a0b51d649
    Size: 3.63 MB

Asianux Server 4 for x86
  1. tomcat6-6.0.24-98.AXS4.noarch.rpm
    MD5: 7bb8cf75caf9428cbaab5ba2e8af8414
    SHA-256: d9edba25d7e5b6245611f083dfd6e4bef8f7b8f2e595c7cc6b017a63c9fe9be6
    Size: 93.98 kB
  2. tomcat6-el-2.1-api-6.0.24-98.AXS4.noarch.rpm
    MD5: cb76e507343a9ceb1ec703f9feabb17d
    SHA-256: a7c057602f2206305b394e5e502b0291a142c5e4e334ae85e20115331dcf1a08
    Size: 49.84 kB
  3. tomcat6-jsp-2.1-api-6.0.24-98.AXS4.noarch.rpm
    MD5: 443b328b0f7d84d7475e3e19ac3504bb
    SHA-256: 332b4780cf126910378d985101b2cefce11484598cc147f28277c434a8c3b69c
    Size: 86.29 kB
  4. tomcat6-lib-6.0.24-98.AXS4.noarch.rpm
    MD5: aadc89e90cc1a84c2294ed26860196ca
    SHA-256: 488a64a4b57df685f52c90e01e439a505a62728fd9e81e3b39d5076aeb95c781
    Size: 2.91 MB
  5. tomcat6-servlet-2.5-api-6.0.24-98.AXS4.noarch.rpm
    MD5: bad9cb028b87dd51481f8749977ae328
    SHA-256: 0c92f90818b29af9f946a262736969536ad588f17d02a173d51d05fc629efa9d
    Size: 120.32 kB

Asianux Server 4 for x86_64
  1. tomcat6-6.0.24-98.AXS4.noarch.rpm
    MD5: c0289fb4c81427b0719a973ba4fb3d67
    SHA-256: fae387729295c16835b7d45d726eb23d5ebb34269b26498addbf64edc92c44c4
    Size: 93.54 kB
  2. tomcat6-el-2.1-api-6.0.24-98.AXS4.noarch.rpm
    MD5: 1ffcac3c23fd34b0825ff81df0ff73e1
    SHA-256: 8e66588fd4334e233386a1fd50f93a9773bb7e0be97e137db67b06bb25fb9764
    Size: 49.38 kB
  3. tomcat6-jsp-2.1-api-6.0.24-98.AXS4.noarch.rpm
    MD5: 48cec9de28d855791995eb52cc3f8ee4
    SHA-256: f29bdb7454cb7044a1343f61ae662bc1897d5ae8ffcdbd7f36deb34dd19646b7
    Size: 85.84 kB
  4. tomcat6-lib-6.0.24-98.AXS4.noarch.rpm
    MD5: 46ab5e3b43261fe666a8c77f41c644d8
    SHA-256: f0c9405753b60cd7d185bc27b9c0a76e5da6598b7d8476f9d460181535174cfe
    Size: 2.91 MB
  5. tomcat6-servlet-2.5-api-6.0.24-98.AXS4.noarch.rpm
    MD5: 1f80fb20ba46c64844006f7ae915acd8
    SHA-256: 64bad25ad5f0102ce582c6a4f72aca698057bd38591c00143a4e4bb6841caf1e
    Size: 119.88 kB