CVE-2016-6797

Name	CVE-2016-6797
Description	The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-728-1, DLA-729-1, DSA-3720-1, DSA-3721-1
Debian Bugs	842666

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
tomcat6	source	wheezy	6.0.45+dfsg-1~deb7u3		DLA-728-1
tomcat6	source	(unstable)	6.0.41-3	low
tomcat7	source	wheezy	7.0.28-4+deb7u7		DLA-729-1
tomcat7	source	jessie	7.0.56-3+deb8u5		DSA-3721-1
tomcat7	source	(unstable)	7.0.72-1	low		842666
tomcat8	source	jessie	8.0.14-1+deb8u4		DSA-3720-1
tomcat8	source	(unstable)	8.0.37-1	low

Notes

Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie
http://markmail.org/message/wrku5orwxfpt5mzl?q=list:org.apache.tomcat.announce/
Fixed by: http://svn.apache.org/r1757273 (8.0.x)
Fixed by: http://svn.apache.org/r1757275 (7.0.x)
Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1757285 (6.0.x)