Debian Security Advisory

DLA-232-1 tomcat6 -- LTS security update

Date Reported:
28 May 2015
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 787010, Bug 785312, Bug 785316.
In Mitre's CVE dictionary: CVE-2014-0227, CVE-2014-0230, CVE-2014-7810.
More information:

The following vulnerabilities were found in Apache Tomcat 6:

  • CVE-2014-0227

    The Tomcat security team identified that it was possible to conduct HTTP request smuggling attacks or cause a DoS by streaming malformed data.

  • CVE-2014-0230

    AntBean@secdig, from the Baidu Security Team, disclosed that it was possible to cause a limited DoS attack by feeding data by aborting an upload.

  • CVE-2014-7810

    The Tomcat security team identified that malicious web applications could bypass the Security Manager by the use of expression language.

For Debian 6 Squeeze, these issues have been fixed in tomcat6 version 6.0.41-2+squeeze7.