Debian Security Advisory
DLA-91-1 tomcat6 -- LTS security update
- Date Reported:
  23 Nov 2014
- Affected Packages:
  tomcat6
- Vulnerable:
  Yes
- Security database references:
  In the Debian bugtracking system: Bug 299635, Bug 608286, Bug 654136, Bug 659748, Bug 664072, Bug 665393, Bug 666256, Bug 668761.
  In Mitre's CVE dictionary: CVE-2012-3439, CVE-2013-1571, CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033.
- More information:
This is an upgrade from tomcat 6.0.35 (the version previously available in squeeze) to 6.0.41. The full list of changes between these versions can be seen in the upstream changelog, which is available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
This update fixes the following security issues previously not available for squeeze:
- CVE-2014-0033
Prevent remote attackers from conducting session fixation attacks via crafted URLs.
- CVE-2013-4590
Prevent information leaks about Tomcat internals.
- CVE-2013-4322
Prevent remote attackers from conducting denial of service attacks.
- CVE-2013-4286
Reject requests with multiple content-length headers or with a content-length header when chunked encoding is being used.
- CVE-2013-1571
Avoid CVE-2013-1571 when generating Javadoc.
- CVE-2012-3439
Various improvements to the DIGEST authenticator.
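The CVE-2013-4286 entry above describes a request-framing check: a request carrying more than one Content-Length value, or a Content-Length alongside Transfer-Encoding: chunked, has ambiguous boundaries between messages and must be rejected rather than guessed at. The following is an added example of that check, written for this advisory and not code from Tomcat or Debian. It assumes a minimal request-head parser of its own (`parse_headers`), the sample requests are constructed for illustration, and it is deliberately stricter than the HTTP specification requires in two places: it rejects identical duplicate Content-Length values and non-numeric ones, which the advisory text does not mention.

```python
"""Reject HTTP requests whose message framing is ambiguous.

Added example, not Tomcat's or Debian's code.  Implements the rule the
CVE-2013-4286 advisory entry describes: refuse multiple Content-Length
headers, and refuse Content-Length combined with chunked Transfer-Encoding.
"""
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]


def framing_error(headers: Iterable[Header]) -> Optional[str]:
    """Return a rejection reason for ambiguous framing, or None if acceptable.

    Checks, in order:
      1. more than one Content-Length value (across headers or comma lists)
      2. a Content-Length value that is not a plain decimal number
         (assumption: stricter than the advisory text, added for robustness)
      3. Content-Length present together with Transfer-Encoding: chunked
    """
    content_lengths: List[str] = []
    chunked = False
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "content-length":
            # A comma-separated value is what a lenient parser would fold
            # several headers into, so treat each element as its own value.
            content_lengths.extend(v.strip() for v in value.split(","))
        elif lname == "transfer-encoding":
            codings = [c.strip().lower() for c in value.split(",")]
            if "chunked" in codings:
                chunked = True

    if len(content_lengths) > 1:
        return "multiple Content-Length values"
    if any(not v.isdigit() for v in content_lengths):
        return "malformed Content-Length value"
    if content_lengths and chunked:
        return "Content-Length with chunked Transfer-Encoding"
    return None


def parse_headers(raw: bytes) -> List[Header]:
    """Hypothetical minimal parser: request line, then 'Name: value' lines."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the request line
    headers: List[Header] = []
    for line in lines:
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name, value))
    return headers


def check_request(raw: bytes) -> Optional[str]:
    """Parse a raw request head and return a rejection reason or None."""
    return framing_error(parse_headers(raw))


# Constructed sample requests (not captured traffic)
OK_REQUEST = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\n\r\nhello")
DOUBLE_CL = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 10\r\n\r\nhello")
CL_AND_TE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("ok", OK_REQUEST), ("double-cl", DOUBLE_CL),
                       ("cl+te", CL_AND_TE)):
        print(label, "->", check_request(req) or "accepted")
```

Rejecting rather than picking one interpretation is the point: a front-end proxy and the servlet container that each choose a different framing rule is exactly the situation in which the extra bytes of one request are read as the start of the next.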
For Debian 6 Squeeze, these issues have been fixed in tomcat6 version 6.0.41-2+squeeze5.

Thanks to Tony Mancill for doing the vast amount of the work for this update!