news
Posted November 23, 2014

Package     : tomcat6
Version     : 6.0.41-2+squeeze5
CVE ID      : CVE-2012-3439 CVE-2013-1571 CVE-2013-4286 CVE-2013-4322 CVE-2013-4590 CVE-2014-0033
Debian Bugs : 299635 608286 654136 659748 664072 665393 666256 668761 671373 677912 682955 687818 692440 695250 713796 717279

This is an upgrade from tomcat 6.0.35 (the version previously available in squeeze) to 6.0.41. The full list of changes between these versions can be seen in the upstream changelog, which is available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

This update fixes the following security issues previously not available for squeeze:

CVE-2014-0033

    Prevent remote attackers from conducting session fixation attacks via crafted URLs.

CVE-2013-4590

    Prevent "Tomcat internals" information leaks.

CVE-2013-4322

    Prevent remote attackers from doing denial of service attacks.

CVE-2013-4286

    Reject requests with multiple content-length headers or with a content-length header when chunked encoding is being used.

CVE-2013-1571

    Avoid CVE-2013-1571 when generating Javadoc.

CVE-2012-3439

    Various improvements to the DIGEST authenticator.

Thanks to Tony Mancill for doing the vast amount of the work for this update!
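The rejection rule stated for CVE-2013-4286, as an added example that is not part of the original advisory and is not Tomcat's code: a header check that refuses a request whose body length is ambiguous. The function names, the sample requests and the host `example.test` are assumptions made here, and the checks for malformed header lines and non-numeric lengths go beyond the two cases the advisory names.

```python
# Added example (not Tomcat's code): reject ambiguous request framing.
# All names and the sample requests below are constructed for illustration.

def parse_headers(raw: bytes):
    """Return (lowercased name, value) pairs from the head of a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(b":")
        # No colon, empty name, folded line or space before the colon:
        # refuse rather than guess how a downstream parser will read it.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.append((name.lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers


def framing_error(raw: bytes):
    """Return the reason a request must be rejected, or None if framing is clear."""
    try:
        headers = parse_headers(raw)
    except ValueError as exc:
        return str(exc)
    lengths = [v for n, v in headers if n == "content-length"]
    codings = [c.strip().lower() for n, v in headers
               if n == "transfer-encoding" for c in v.split(",")]
    if len(lengths) > 1:
        return "multiple Content-Length headers"
    if lengths and "chunked" in codings:
        return "Content-Length with chunked Transfer-Encoding"
    if lengths and not (lengths[0].isascii() and lengths[0].isdigit()):
        return "non-numeric Content-Length"
    return None


HEAD = b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"   # constructed
SAMPLES = {
    "single_length": HEAD + b"Content-Length: 3\r\n\r\nabc",
    "duplicate_length": HEAD + b"Content-Length: 3\r\ncontent-length: 8\r\n\r\nabc",
    "length_and_chunked": HEAD + b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "chunked_only": HEAD + b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "list_valued_length": HEAD + b"Content-Length: 3, 3\r\n\r\nabc",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label}: {framing_error(request) or 'accepted'}")
```

Header names are compared case-insensitively, so `content-length` and `Content-Length` count as the same header.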