
Re: Tomcat 7 security update



* Markus Koschany:

> Am 28.03.2016 um 18:07 schrieb Markus Koschany:
>> [first e-mail failed, attachment is compressed now]
>> 
>> Hello Security Team, hello Java Team
>> 
>> I have prepared security updates for Tomcat 7 fixing 9 CVEs in Wheezy
>> and 7 CVEs in Jessie.
>
> Hi,
>
> since I haven't heard anything negative about the security update for
> Tomcat7 so far, I'm hereby sending you the final debdiffs for Wheezy and
> Jessie.
>
> After further investigation into the test failures I'm convinced now
> that they are unrelated to the update because they also occur with the
> current version and it seems they can be traced back to an update of
> OpenJDK 7. According to [1] the error is caused by stricter checking of
> values in cookie names. The error message is:
>
> Illegal character(s) in message header field: Cookie:

Yes, the test appears to be broken.

I found this upstream commit:

------------------------------------------------------------------------
r1715547 | fschumacher | 2015-11-21 18:54:14 +0100 (Sat, 21 Nov 2015) | 4 lines

Don't add ":" to cookie name. It is illegal in newer jre.

Merge from r1715544 /tomcat/tc8.0.x/trunk

Packaging-wise, the changes look okay.  Could you please upload?

Thanks,
Florian

