Debian Security Advisory

DLA-232-1 tomcat6 -- LTS security update

Date Reported:
28 May 2015
Affected Packages:
tomcat6
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 787010, Bug 785312, Bug 785316.
In Mitre's CVE dictionary: CVE-2014-0227, CVE-2014-0230, CVE-2014-7810.
More information:

The following vulnerabilities were found in Apache Tomcat 6:

  • CVE-2014-0227

    The Tomcat security team identified that it was possible to conduct HTTP request smuggling attacks or cause a DoS by streaming malformed data.

  • CVE-2014-0230

    AntBean@secdig, from the Baidu Security Team, disclosed that it was possible to cause a limited DoS attack by starting an upload and then aborting it: Tomcat kept reading (swallowing) the remainder of the unfinished request body after sending its response, so a series of aborted uploads could tie up request-processing threads.

  • CVE-2014-7810

    The Tomcat security team identified that malicious web applications could bypass the Security Manager by the use of expression language.

For Debian 6 Squeeze, these issues have been fixed in tomcat6 version 6.0.41-2+squeeze7.
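The practical check that follows from this advisory is whether the installed tomcat6 packages are at or above 6.0.41-2+squeeze7. On the Debian host itself that is simply `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' tomcat6)" ge 6.0.41-2+squeeze7`. The script below is an added example, not part of the advisory or of Debian's tooling: it reimplements dpkg's version ordering (epoch, then upstream, then revision; `~` sorts before everything including end of string; digit runs compare numerically, so `+squeeze10` is newer than `+squeeze7`) so the same check can be run offline over `dpkg-query` output copied from a fleet. The package list it processes is a constructed sample and the function names are this example's own.

```python
"""Check tomcat6 package versions against the fixed version named in
DLA-232-1, using a reimplementation of dpkg's version comparison."""

FIXED_VERSION = "6.0.41-2+squeeze7"   # fixed version from the advisory
DIGITS = "0123456789"


def _order(c: str) -> int:
    """Sort weight of one character inside a non-digit run, as in dpkg:
    '~' sorts before everything (even end of string), letters sort before
    other symbols, and "" marks the end of the component."""
    if c == "" or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one component (upstream or revision) the way dpkg does:
    alternate non-digit runs (weighted by _order) with digit runs
    (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: first differing character decides.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is larger,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                       # no hyphen: whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return compare_versions(installed, fixed) >= 0


def vulnerable_packages(dpkg_query_output: str, fixed: str = FIXED_VERSION):
    """Parse 'Package<TAB>Version' lines, as printed by
    dpkg-query -W -f='${Package}\\t${Version}\\n' 'tomcat6*' 'libtomcat6*',
    and return the (name, version) pairs still older than the fixed version.
    Packages that are known but not installed print an empty version."""
    found = []
    for line in dpkg_query_output.splitlines():
        name, _, version = line.partition("\t")
        if version and not is_fixed(version, fixed):
            found.append((name, version))
    return found


# Constructed sample of dpkg-query output; not taken from a real host.
SAMPLE_OUTPUT = "\n".join([
    "tomcat6\t6.0.41-2+squeeze6",
    "tomcat6-common\t6.0.41-2+squeeze6",
    "libtomcat6-java\t6.0.41-2+squeeze7",
    "tomcat6-docs\t",
])

if __name__ == "__main__":
    for name, version in vulnerable_packages(SAMPLE_OUTPUT):
        print(f"{name} {version} is older than {FIXED_VERSION}: update needed")
```

Note that a plain `6.0.41-2` also compares as older than `6.0.41-2+squeeze7`, and a backport such as `6.0.41-2~bpo60+1` sorts below `6.0.41-2`, so a version string that merely starts with the fixed upstream version is not proof of the fix.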