Publishing details

Changelog

tomcat6 (6.0.35-1ubuntu3.6) precise-security; urgency=medium

  * SECURITY UPDATE: HTTP request smuggling or denial of service via
    streaming with malformed chunked transfer encoding (LP: #1449975)
    - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties.
    - CVE-2014-0227
  * SECURITY UPDATE: denial of service via aborted upload attempts
    (LP: #1449975)
    - debian/patches/CVE-2014-0230.patch: limit amount of data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties,
      webapps/docs/config/systemprops.xml.
    - CVE-2014-0230
  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810

 -- Marc Deslauriers <email address hidden>  Mon, 22 Jun 2015 08:16:23 -0400

Available diffs

Builds

Package files