tomcat6 - security update


Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in possible timing attacks to determine valid user names, bypass of the SecurityManager, disclosure of system properties, unrestricted access to global resources, arbitrary file overwrites, and potentially escalation of privileges. In addition this update further hardens Tomcat's init and maintainer scripts to prevent possible privilege escalations. Thanks to Paul Szabo for the report. This is probably the last security update of Tomcat 6 which will reach its end-of-life exactly in one month. We strongly recommend to switch to another supported version such as Tomcat 7 at your earliest convenience. For Debian 7 Wheezy, these problems have been fixed in version 6.0.45+dfsg-1~deb7u3. We recommend that you upgrade your tomcat6 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: <https://wiki.debian.org/LTS>

Affected Software

CPE Name Name Version
tomcat6 6.0.35-6
tomcat6 6.0.45-1~deb6u1
tomcat6 6.0.41-3
tomcat6 6.0.41-2
tomcat6 6.0.41-2+squeeze7
tomcat6 6.0.41-1
tomcat6 6.0.41-4
tomcat6 6.0.41-2+squeeze6
tomcat6 6.0.45+dfsg-1~deb7u1
tomcat6 6.0.35-7
tomcat6 6.0.45+dfsg-1~deb7u2
tomcat6 6.0.39-1
tomcat6 6.0.41-2+squeeze5
tomcat6 6.0.35-6+deb7u1
tomcat6 6.0.37-1