Hi,
http://layer-acht.org/tomcat6/ has updated tomcat6 6.0.41-2+squeeze5 packages
for amd64, I'd be glad to see more testing. I'll add i386 .debs shortly.
Closes: 299635 608286 654136 659748 664072 665393 666256 668761 671373 677912
682955 687818 692440 695250 713796 717279
tomcat6 (6.0.41-2+squeeze5) squeeze-lts; urgency=medium
.
* Security upload by the Debian LTS team.
* The full list of changes between 6.0.35 (the version previously available
  in squeeze) and 6.0.41 can be seen in the upstream changelog, which is
  available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
* This update fixes the following security issues:
  - CVE-2014-0033: prevent remote attackers from conducting session
    fixation attacks via crafted URLs.
  - CVE-2013-4590: prevent "Tomcat internals" information leaks.
  - CVE-2013-4322: prevent remote attackers from doing denial of service
    attacks.
  - CVE-2013-4286: reject requests with multiple content-length headers or
    with a content-length header when chunked encoding is being used.
  - Avoid CVE-2013-1571 when generating Javadoc.
  - CVE-2012-3439: various improvements to the DIGEST authenticator.
* Thanks to Tony Mancill for doing the vast amount of the work for this
  update!
* Downgrade debian/compat to 8 and reduce build-dependency to debhelper 8
  to match the squeeze version
cheers,
Holger