Debian Security Advisory

DLA-91-1 tomcat6 -- LTS security update

Date Reported:
23 Nov 2014
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 299635, Bug 608286, Bug 654136, Bug 659748, Bug 664072, Bug 665393, Bug 666256, Bug 668761.
In Mitre's CVE dictionary: CVE-2012-3439, CVE-2013-1571, CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033.
More information:

This is an upgrade from tomcat 6.0.35 (the version previously available in squeeze) to 6.0.41, the full list of changes between these versions can be see in the upstream changelog, which is available online at

This update fixes the following security issues previously not available for squeeze:

  • CVE-2014-0033

    Prevent remote attackers from conducting session fixation attacks via crafted URLs.

  • CVE-2013-4590

    Prevent Tomcat internals information leaks.

  • CVE-2013-4322

    Prevent remote attackers from doing denial of service attacks.

  • CVE-2013-4286

    Reject requests with multiple content-length headers or with a content-length header when chunked encoding is being used.

  • CVE-2013-1571

    Avoid CVE-2013-1571 when generating Javadoc.

  • CVE-2012-3439

    Various improvements to the DIGEST authenticator.

For Debian 6 Squeeze, these issues have been fixed in tomcat6 version 6.0.41-2+squeeze5

Thanks to Tony Mancill for doing the vast amount of the work for this update!