Debian Security Advisory
DLA-232-1 tomcat6 -- LTS security update
- Date Reported:
- 28 May 2015
- Affected Packages:
- tomcat6
- Security database references:
- In the Debian bugtracking system: Bug 787010, Bug 785312, Bug 785316.
- In Mitre's CVE dictionary: CVE-2014-0227, CVE-2014-0230, CVE-2014-7810.
- More information:
The following vulnerabilities were found in Apache Tomcat 6:
The Tomcat security team identified that it was possible to conduct HTTP request smuggling attacks or cause a DoS by streaming malformed data.
AntBean@secdig, from the Baidu Security Team, disclosed that it was possible to cause a limited DoS by aborting an upload while still feeding data.
The Tomcat security team identified that malicious web applications could bypass the Security Manager by the use of expression language.
For Debian 6 Squeeze, these issues have been fixed in tomcat6 version 6.0.41-2+squeeze7.