
[SECURITY] [DLA 924-1] tomcat7 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tomcat7
Version        : 7.0.28-4+deb7u12
CVE ID         : CVE-2017-5647 CVE-2017-5648
Debian Bug     : 860068

Two security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2017-5647
   A bug in the handling of pipelined requests when sendfile was used
   resulted in the pipelined request being lost when sendfile
   processing of the previous request completed. This could result in
   responses appearing to be sent for the wrong request.

CVE-2017-5648
   It was noticed that some calls to application listeners did not use
   the appropriate facade object. When running an untrusted application
   under a SecurityManager, it was therefore possible for that
   untrusted application to retain a reference to the request or
   response object and thereby access and/or modify information
   associated with another web application.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u12.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
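
The facade issue described under CVE-2017-5648, as an added example that is not part of the advisory and is not Tomcat's code. It is a simplified model: the class names and the recycle()/clear() methods are hypothetical, and it assumes the container reuses one internal request object across requests.

```java
import java.util.ArrayList;
import java.util.List;

public class FacadeDemo {
    // Hypothetical stand-in for the container's internal, reused request object.
    static class InternalRequest {
        String owner;
        String sessionId;
        void recycle(String owner, String sessionId) { this.owner = owner; this.sessionId = sessionId; }
    }

    // Hypothetical facade: the only object application code should ever receive.
    static class RequestFacade {
        private InternalRequest target;
        RequestFacade(InternalRequest target) { this.target = target; }
        String getSessionId() {
            if (target == null) throw new IllegalStateException("request facade is no longer valid");
            return target.sessionId;
        }
        void clear() { target = null; } // container detaches the facade when the request ends
    }

    // Models a listener that keeps whatever object the container hands it.
    static final List<Object> retained = new ArrayList<>();

    public static void main(String[] args) {
        InternalRequest pooled = new InternalRequest();

        // Request 1 belongs to web application A.
        pooled.recycle("appA", "A-session");
        RequestFacade facade = new RequestFacade(pooled);
        retained.add(pooled);   // flawed call path: listener was given the internal object
        retained.add(facade);   // corrected call path: listener was given the facade
        facade.clear();         // request 1 completes

        // The same internal object is reused for web application B.
        pooled.recycle("appB", "B-session");

        InternalRequest kept = (InternalRequest) retained.get(0);
        System.out.println("retained internal object now reads: " + kept.sessionId);
        try {
            ((RequestFacade) retained.get(1)).getSessionId();
        } catch (IllegalStateException e) {
            System.out.println("retained facade: " + e.getMessage());
        }
    }
}
```

The retained internal object exposes the second application's data, while the retained facade fails closed once the container has cleared it.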

