Hi,

http://layer-acht.org/tomcat6/ has updated tomcat6 6.0.41-2+squeeze5 packages for amd64, I'd be glad to see more testing. I'll add i386 .debs shortly.

Closes: 299635 608286 654136 659748 664072 665393 666256 668761 671373 677912 682955 687818 692440 695250 713796 717279

 tomcat6 (6.0.41-2+squeeze5) squeeze-lts; urgency=medium
 .
   * Security upload by the Debian LTS team.
   * The full list of changes between 6.0.35 (the version previously
     available in squeeze) and 6.0.41 can be seen in the upstream changelog,
     which is available online at
     http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
   * This update fixes the following security issues:
     - CVE-2014-0033: prevent remote attackers from conducting session
       fixation attacks via crafted URLs.
     - CVE-2013-4590: prevent "Tomcat internals" information leaks.
     - CVE-2013-4322: prevent remote attackers from doing denial of service
       attacks.
     - CVE-2013-4286: reject requests with multiple content-length headers or
       with a content-length header when chunked encoding is being used.
     - Avoid CVE-2013-1571 when generating Javadoc.
     - CVE-2012-3439: various improvements to the DIGEST authenticator.
   * Thanks to Tony Mancill for doing the vast amount of the work for this
     update!
   * Downgrade debian/compat to 8 and reduce build-dependency to debhelper 8
     to match the squeeze version

cheers,
Holger