[SECURITY] [DSA 2897-1] tomcat7 security update

2014-04-0818:25:14

lists.debian.org

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.932 High

EPSS

Percentile

99.0%

JSON

Debian Security Advisory DSA-2897-1 [email protected]
http://www.debian.org/security/ Moritz Muehlenhoff
April 08, 2014 http://www.debian.org/security/faq

Package : tomcat7
CVE ID : CVE-2013-2067 CVE-2013-2071 CVE-2013-4286 CVE-2013-4322
CVE-2014-0050

Multiple security issues were found in the Tomcat servlet and JSP engine:

CVE-2013-2067

FORM authentication associates the most recent request requiring 
authentication with the current session. By repeatedly sending a request 
for an authenticated resource while the victim is completing the login 
form, an attacker could inject a request that would be executed using the 
victim&#x27;s credentials.

CVE-2013-2071

A runtime exception in AsyncListener.onComplete() prevents the request from 
being recycled. This may expose elements of a previous request to a current 
request.

CVE-2013-4286

Reject requests with multiple content-length headers or with a content-length 
header when chunked encoding is being used.

CVE-2013-4322

When processing a request submitted using the chunked transfer encoding, 
Tomcat ignored but did not limit any extensions that were included. This allows 
a client to perform a limited denial of service. by streaming an unlimited amount 
of data to the server.

CVE-2014-0050

Multipart requests with a malformed Content-Type header could trigger an 
infinite loop causing a denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 7.0.28-4+deb7u1.

For the testing distribution (jessie), these problems have been fixed in
version 7.0.52-1.

For the unstable distribution (sid), these problems have been fixed in
version 7.0.52-1.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7alltomcat7-common< 7.0.28-4+deb7u1tomcat7-common_7.0.28-4+deb7u1_all.deb
Debian7alltomcat6-admin< 6.0.45+dfsg-1~deb7u1tomcat6-admin_6.0.45+dfsg-1~deb7u1_all.deb
Debian7alllibservlet2.5-java< 6.0.45+dfsg-1~deb7u1libservlet2.5-java_6.0.45+dfsg-1~deb7u1_all.deb
Debian7alltomcat7-admin< 7.0.28-4+deb7u1tomcat7-admin_7.0.28-4+deb7u1_all.deb
Debian7alltomcat7< 7.0.28-4+deb7u1tomcat7_7.0.28-4+deb7u1_all.deb
Debian7alltomcat7-examples< 7.0.28-4+deb7u1tomcat7-examples_7.0.28-4+deb7u1_all.deb
Debian7alltomcat6-extras< 6.0.45+dfsg-1~deb7u1tomcat6-extras_6.0.45+dfsg-1~deb7u1_all.deb
Debian6alltomcat6-common< 6.0.41-2+squeeze5tomcat6-common_6.0.41-2+squeeze5_all.deb
Debian6alltomcat6< 6.0.41-2+squeeze5tomcat6_6.0.41-2+squeeze5_all.deb
Debian6alltomcat6-examples< 6.0.41-2+squeeze5tomcat6-examples_6.0.41-2+squeeze5_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	all	tomcat7-common	< 7.0.28-4+deb7u1	tomcat7-common_7.0.28-4+deb7u1_all.deb
Debian	7	all	tomcat6-admin	< 6.0.45+dfsg-1~deb7u1	tomcat6-admin_6.0.45+dfsg-1~deb7u1_all.deb
Debian	7	all	libservlet2.5-java	< 6.0.45+dfsg-1~deb7u1	libservlet2.5-java_6.0.45+dfsg-1~deb7u1_all.deb
Debian	7	all	tomcat7-admin	< 7.0.28-4+deb7u1	tomcat7-admin_7.0.28-4+deb7u1_all.deb
Debian	7	all	tomcat7	< 7.0.28-4+deb7u1	tomcat7_7.0.28-4+deb7u1_all.deb
Debian	7	all	tomcat7-examples	< 7.0.28-4+deb7u1	tomcat7-examples_7.0.28-4+deb7u1_all.deb
Debian	7	all	tomcat6-extras	< 6.0.45+dfsg-1~deb7u1	tomcat6-extras_6.0.45+dfsg-1~deb7u1_all.deb
Debian	6	all	tomcat6-common	< 6.0.41-2+squeeze5	tomcat6-common_6.0.41-2+squeeze5_all.deb
Debian	6	all	tomcat6	< 6.0.41-2+squeeze5	tomcat6_6.0.41-2+squeeze5_all.deb
Debian	6	all	tomcat6-examples	< 6.0.41-2+squeeze5	tomcat6-examples_6.0.41-2+squeeze5_all.deb