Package "tomcat6"
Name: tomcat6
Description: Servlet and JSP engine
Latest version: 6.0.35-1ubuntu3.11
Release: precise (12.04)
Level: updates
Repository: main
Homepage: http://tomcat.apache.org
Changelog
tomcat6 (6.0.35-1ubuntu3.6) precise-security; urgency=medium
* SECURITY UPDATE: HTTP request smuggling or denial of service via
streaming with malformed chunked transfer encoding (LP: #1449975)
- debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
java/org/apache/coyote/http11/filters/LocalStrings.properties.
- CVE-2014-0227
* SECURITY UPDATE: denial of service via aborted upload attempts
(LP: #1449975)
- debian/patches/CVE-2014-0230.patch: limit amount of data in
java/org/apache/coyote/Constants.java,
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
java/org/apache/coyote/http11/filters/LocalStrings.properties,
webapps/docs/config/systemprops.xml.
- CVE-2014-0230
* SECURITY UPDATE: SecurityManager bypass via Expression Language
- debian/patches/CVE-2014-7810.patch: handle classes that may not be
accessible but have accessible interfaces in
java/javax/el/BeanELResolver.java, remove unnecessary code in
java/org/apache/jasper/runtime/PageContextImpl.java,
java/org/apache/jasper/security/SecurityClassLoad.java.
- CVE-2014-7810
-- Marc Deslauriers <email address hidden> Mon, 22 Jun 2015 08:16:23 -0400
LP: #1449975: Outstanding low priority security bugs in the tomcat7 packages
CVE-2014-0227: java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not pr
CVE-2014-0230: Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishin
CVE-2014-7810: The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider t

tomcat6 (6.0.35-1ubuntu3.5) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via malformed chunk size
- debian/patches/CVE-2014-0075.patch: fix overflow in
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
- CVE-2014-0075
* SECURITY UPDATE: file disclosure via XXE issue
- debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
relative path in conf/web.xml,
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/servlets/LocalStrings.properties,
webapps/docs/default-servlet.xml.
- CVE-2014-0096
* SECURITY UPDATE: HTTP request smuggling attack via crafted
Content-Length HTTP header
- debian/patches/CVE-2014-0099.patch: correctly handle long values in
java/org/apache/tomcat/util/buf/Ascii.java.
- CVE-2014-0099
-- Marc Deslauriers <email address hidden> Thu, 24 Jul 2014 15:38:01 -0400
CVE-2014-0075: Integer overflow in the parseChunkHeader function in ...
CVE-2014-0096: java/org/apache/catalina/servlets/DefaultServlet.java in the default ...
CVE-2014-0099: Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in ...

tomcat6 (6.0.35-1ubuntu3.4) precise-security; urgency=medium
* SECURITY UPDATE: request smuggling attack via content-length headers
- debian/patches/CVE-2013-4286.patch: handle multiple content lengths
in java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
java/org/apache/coyote/ajp/AjpProcessor.java, handle content length
and chunked encoding being both specified in
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/Http11NioProcessor.java,
java/org/apache/coyote/http11/Http11Processor.java.
- CVE-2013-4286
* SECURITY UPDATE: denial of service via chunked transfer coding
- debian/patches/CVE-2013-4322.patch: limit length of extension data in
java/org/apache/coyote/Constants.java,
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
webapps/docs/config/systemprops.xml.
- CVE-2013-4322
* SECURITY UPDATE: session fixation attack via crafted URL
- debian/patches/CVE-2014-0033.patch: properly handle
disableURLRewriting in
java/org/apache/catalina/connector/CoyoteAdapter.java.
- CVE-2014-0033
-- Marc Deslauriers <email address hidden> Tue, 04 Mar 2014 11:14:51 -0500
CVE-2013-4286: Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before ...
CVE-2013-4322: Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before ...
CVE-2014-0033: org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat ...

tomcat6 (6.0.35-1ubuntu3.3) precise-security; urgency=low
* SECURITY UPDATE: denial of service via chunked transfer encoding
- debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
- CVE-2012-3544
* SECURITY UPDATE: FORM authentication request injection
- debian/patches/CVE-2013-2067.patch: properly change session ID
in java/org/apache/catalina/authenticator/FormAuthenticator.java.
- CVE-2013-2067
-- Marc Deslauriers <email address hidden> Tue, 21 May 2013 09:39:22 -0400
tomcat6 (6.0.35-1ubuntu3.2) precise-security; urgency=low
* SECURITY UPDATE: security-constraint bypass with FORM auth
- debian/patches/CVE-2012-3546.patch: remove unneeded code in
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2012-3546
* SECURITY UPDATE: CSRF bypass via request with no session identifier
- debian/patches/CVE-2012-4431.patch: check for session identifier in
java/org/apache/catalina/filters/CsrfPreventionFilter.java.
- CVE-2012-4431
* SECURITY UPDATE: denial of service with NIO connector
- debian/patches/CVE-2012-4534.patch: properly handle connection breaks
in java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2012-4534
-- Marc Deslauriers <email address hidden> Thu, 10 Jan 2013 09:51:09 -0500
CVE-2012-3546: org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote at
CVE-2012-4431: org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the
CVE-2012-4534: org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction w