Debian Security Advisory
DLA-91-1 tomcat6 -- LTS security update
- Date Reported: 23 Nov 2014
- Affected Packages: tomcat6
- Security database references:
- In the Debian bugtracking system: Bug 299635, Bug 608286, Bug 654136, Bug 659748, Bug 664072, Bug 665393, Bug 666256, Bug 668761.
In Mitre's CVE dictionary: CVE-2012-3439, CVE-2013-1571, CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033.
- More information:
This is an upgrade from tomcat 6.0.35 (the version previously available in squeeze) to 6.0.41. The full list of changes between these versions can be seen in the upstream changelog, which is available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
This update fixes the following security issues previously not addressed in squeeze:
- Prevent remote attackers from conducting session fixation attacks via crafted URLs.
- Fix information leaks of Tomcat internals.
- Prevent remote attackers from conducting denial-of-service attacks.
- Reject requests with multiple Content-Length headers, or with a Content-Length header when chunked transfer encoding is being used.
- Avoid CVE-2013-1571 when generating Javadoc.
- Various improvements to the DIGEST authenticator.
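The request-framing check described in the list above (rejecting multiple Content-Length headers, or Content-Length alongside chunked encoding), written out as an added illustration; this is not Debian's or Tomcat's code, and the sample requests are constructed, not captured traffic:

```python
# Added example: a request-head validator that rejects the ambiguous
# Content-Length / Transfer-Encoding combinations the advisory lists.
# Two parsers (a proxy and Tomcat, say) can otherwise disagree on where
# one request's body ends and the next begins.
from typing import List, Optional, Tuple


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head (up to the blank line) into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def framing_problem(raw: bytes) -> Optional[str]:
    """Return a rejection reason when the message framing is ambiguous,
    or None when the request uses at most one unambiguous mechanism."""
    headers = parse_header_block(raw)
    content_lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v for n, v in headers if n == "transfer-encoding"]
    # More than one Content-Length is rejected outright, even if the values
    # agree, because a downstream parser may honour either one.
    if len(content_lengths) > 1:
        return "multiple Content-Length headers"
    # Content-Length together with chunked encoding is the classic setup
    # for request smuggling; reject rather than guess which one applies.
    chunked = any("chunked" in te.lower() for te in encodings)
    if chunked and content_lengths:
        return "Content-Length present with chunked Transfer-Encoding"
    if content_lengths and not content_lengths[0].isdigit():
        return f"non-numeric Content-Length: {content_lengths[0]!r}"
    return None


# Constructed sample request heads for a quick self-check.
SAMPLES = {
    "clean": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    "double_cl": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n"
                 b"Content-Length: 5\r\n\r\nhello",
    "cl_te": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 6\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
}
```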
For Debian 6 Squeeze, these issues have been fixed in tomcat6 version 6.0.41-2+squeeze5.
Thanks to Tony Mancill for doing the vast amount of the work for this update!