
[SECURITY] [DLA 91-1] tomcat6 security update

Package : tomcat6

Version : 6.0.41-2+squeeze5

CVE ID : CVE-2012-3439 CVE-2013-1571 CVE-2013-4286 CVE-2013-4322 CVE-2013-4590 CVE-2014-0033

Debian Bugs : 299635 608286 654136 659748 664072 665393 666256 668761 671373 677912 682955 687818 692440 695250 713796 717279

This is an upgrade from tomcat 6.0.35 (the version previously available in squeeze) to 6.0.41. The full list of changes between these versions can be seen in the upstream changelog, which is available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

This update fixes the following security issues, for which fixes were previously not available for squeeze:

CVE-2014-0033

Prevent remote attackers from conducting session fixation attacks via crafted URLs.

CVE-2013-4590

Prevent "Tomcat internals" information leaks.

CVE-2013-4322

Prevent remote attackers from doing denial of service attacks.

CVE-2013-4286

Reject requests with multiple content-length headers or with a content-length header when chunked encoding is being used.

CVE-2013-1571

Avoid CVE-2013-1571 when generating Javadoc.

CVE-2012-3439

Various improvements to the DIGEST authenticator.

Thanks to Tony Mancill for doing the vast amount of the work for this update!
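
A sketch of the check described under CVE-2013-4286, as an added example that is not Tomcat's or Debian's code: it inspects a raw request head and reports the two framing conditions the advisory says are now rejected. The function names and sample requests are constructed for illustration, and treating a comma-separated Content-Length value as several lengths is an assumption that goes beyond the advisory's wording.

```python
# Added example (not Tomcat's code): flag the request-framing conditions
# listed under CVE-2013-4286 in a raw HTTP/1.1 request head.

def parse_header_fields(raw_request: bytes):
    """Return (name, value) pairs from the header block, names lower-cased."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    fields = []
    for line in head.split(b"\r\n")[1:]:      # [1:] skips the request line
        if line[:1] in (b" ", b"\t") and fields:
            # Obsolete line folding: continuation of the previous value.
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip().decode("latin-1"))
            continue
        name, sep, value = line.partition(b":")
        if sep:                               # lines without ':' are skipped
            fields.append((name.strip().lower().decode("latin-1"),
                           value.strip().decode("latin-1")))
    return fields


def framing_violations(raw_request: bytes):
    """Return the reasons this request should be rejected (empty if none)."""
    fields = parse_header_fields(raw_request)
    # Assumption: a comma-separated Content-Length counts as several lengths.
    lengths = [part.strip() for n, v in fields if n == "content-length"
               for part in v.split(",")]
    codings = [c.strip().lower() for n, v in fields if n == "transfer-encoding"
               for c in v.split(",")]
    problems = []
    if len(lengths) > 1:
        problems.append("multiple content-length")
    if lengths and "chunked" in codings:
        problems.append("content-length with chunked")
    return problems


# Constructed sample requests (example.test is a placeholder host).
HEAD = b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {
    "plain": HEAD + b"Content-Length: 3\r\n\r\nabc",
    "duplicate": HEAD + b"Content-Length: 3\r\ncontent-length: 7\r\n\r\nabc",
    "mixed": HEAD + b"Content-Length: 3\r\nTransfer-Encoding: gzip, Chunked"
                    b"\r\n\r\n3\r\nabc\r\n0\r\n\r\n",
    "chunked": HEAD + b"Transfer-Encoding: chunked\r\n\r\n3\r\nabc\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, framing_violations(request) or "accepted")
```

Header names are compared case-insensitively and folded continuation lines are joined before the check, so a differently cased or wrapped header is still counted.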
