This update for tomcat fixes the following issues: Feature changes: The embedded Apache Commons DBCP component was updated to version 2.0. Security fixes: - CVE-2016-0762: Realm Timing Attack - CVE-2016-5018: Security Manager Bypass - CVE-2016-6794: System Property Disclosure - CVE-2016-6796: Security Manager Bypass - CVE-2016-6797: Unrestricted Access to Global Resources - CVE-2016-8735: Remote code execution vulnerability in JmxRemoteLifecycleListener - CVE-2016-6816: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests Bug fixes: - Enabled optional setenv.sh script