CVE-2016-6794

Name	CVE-2016-6794
Description	When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-728-1, DLA-729-1, DSA-3720-1, DSA-3721-1
Debian Bugs	842664

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
tomcat6	source	wheezy	6.0.45+dfsg-1~deb7u3		DLA-728-1
tomcat6	source	(unstable)	6.0.41-3	low
tomcat7	source	wheezy	7.0.28-4+deb7u7		DLA-729-1
tomcat7	source	jessie	7.0.56-3+deb8u5		DSA-3721-1
tomcat7	source	(unstable)	7.0.72-1	low		842664
tomcat8	source	jessie	8.0.14-1+deb8u4		DSA-3720-1
tomcat8	source	(unstable)	8.0.37-1	low

Notes

Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie
http://markmail.org/message/zk7w6yly5mviocci?q=list:org.apache.tomcat.announce/
Fixed by: http://svn.apache.org/r1754727 (8.0.x)
Fixed by: http://svn.apache.org/r1754728 (7.0.x)
Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1754733 (6.0.x)