Bug#864447: Pending fixes for bugs in the tomcat7 package

pkg-java-maintainers at lists.alioth.debian.org
Tue Jun 20 22:04:26 UTC 2017


tag 864447 + pending
thanks

Some bugs in the tomcat7 package are closed in revision
1ebcd5b2c822cf677b59a875172344c80d1d1ee4 in branch 'wheezy' by
Markus Koschany

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/tomcat7.git/commit/?id=1ebcd5b

Commit message:

    Import Debian changes 7.0.28-4+deb7u14
    
    tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high
    
      * Team upload.
      * Fix CVE-2017-5664.
        The error page mechanism of the Java Servlet Specification requires that,
        when an error occurs and an error page is configured for the error that
        occurred, the original request and response are forwarded to the error
        page. This means that the request is presented to the error page with the
        original HTTP method. If the error page is a static file, expected
        behaviour is to serve content of the file as if processing a GET request,
        regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
        did not do this. Depending on the original request this could lead to
        unexpected and undesirable results for static error pages including, if the
        DefaultServlet is configured to permit writes, the replacement or removal
        of the custom error page. (Closes: #864447)


