CVE-2016-6816

Name	CVE-2016-6816
Description	The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-728-1, DLA-729-1, DSA-3738-1, DSA-3739-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
tomcat9 (PTS)	buster	9.0.31-1~deb10u6	fixed
	buster (security)	9.0.31-1~deb10u12	fixed
	bullseye	9.0.43-2~deb11u9	fixed
	bullseye (security)	9.0.43-2~deb11u10	fixed
	bookworm, sid, trixie	9.0.70-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
tomcat6	source	wheezy	6.0.45+dfsg-1~deb7u3		DLA-728-1
tomcat6	source	(unstable)	6.0.41-3	low
tomcat7	source	wheezy	7.0.28-4+deb7u7		DLA-729-1
tomcat7	source	jessie	7.0.56-3+deb8u6		DSA-3738-1
tomcat7	source	(unstable)	7.0.72-3
tomcat8	source	jessie	8.0.14-1+deb8u5		DSA-3739-1
tomcat8	source	(unstable)	8.0.39-1
tomcat9	source	(unstable)	(not affected)

Notes

- tomcat9 <not-affected> (Fixed before initial upload to Debian)
Since 7.0.72-3, src:tomcat7 only builds the Servlet API
Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie
Fixed by: http://svn.apache.org/r1767653 (8.0.x)
Fixed by: http://svn.apache.org/r1767675 (7.0.x)
Fixed by: http://svn.apache.org/r1767683 (6.0.x)