Format: 1.8
Date: Mon, 10 Mar 2014 11:29:54 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-4+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 707704
Changes:
 tomcat7 (7.0.28-4+deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2014-0050: Multipart requests with a malformed Content-Type header
     can trigger an infinite loop causing a denial of service.
   * Fix CVE-2013-2067: FORM authentication associates the most recent request
     requiring authentication with the current session. By repeatedly sending
     a request for an authenticated resource while the victim is completing
     the login form, an attacker could inject a request that would be executed
     using the victim's credentials. (Closes: #707704)
   * Fix CVE-2013-2071: A runtime exception in AsyncListener.onComplete()
     prevents the request from being recycled. This may expose elements of a
     previous request to a current request.
   * Fix CVE-2012-3544 and CVE-2013-4322: When processing a request submitted
     using the chunked transfer encoding, Tomcat ignored but did not limit any
     extensions that were included. This allows a client to perform a limited
     denial of service by streaming an unlimited amount of data to the server.
   * Fix CVE-2013-4286: Reject requests with multiple content-length headers
     or with a content-length header when chunked encoding is being used.
   * Replaced the expired certificates used by the tests (backported from
     Tomcat 7.0.39)
Checksums-Sha1:
Checksums-Sha256:
Files:
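As an added example (not code from the Debian package or from Tomcat), the following Python request-framing guard expresses the two checks the changelog describes: the CVE-2013-4286 rejection of multiple Content-Length headers or Content-Length combined with chunked encoding, and the CVE-2012-3544/CVE-2013-4322 bound on chunk extensions. The sample requests and the extension cap are constructed for illustration and are not Tomcat's configured defaults.

```python
from typing import Tuple

# Constructed cap for this example; not Tomcat's default setting.
MAX_CHUNK_EXT_BYTES = 64


def check_framing(head: bytes) -> Tuple[bool, str]:
    """Apply the CVE-2013-4286 rule to an HTTP/1.1 request head (CRLF-delimited).

    Returns (ok, reason). Header names are matched case-insensitively.
    """
    cl_values = []
    te_chunked = False
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        name, value = name.strip().lower(), value.strip().lower()
        if name == b"content-length":
            cl_values.append(value)
        elif name == b"transfer-encoding" and b"chunked" in value:
            te_chunked = True
    if len(cl_values) > 1:
        return False, "multiple Content-Length headers"
    if cl_values and te_chunked:
        return False, "Content-Length together with chunked encoding"
    return True, "ok"


def check_chunk_extensions(body: bytes) -> Tuple[bool, str]:
    """Walk a chunked body and refuse it once the bytes spent on chunk
    extensions (the ';name=value' part after each chunk size) exceed the cap,
    the condition CVE-2013-4322 left unbounded."""
    pos, ext_bytes = 0, 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False, "truncated chunk header"
        size_field, _, ext = body[pos:eol].partition(b";")
        ext_bytes += len(ext)
        if ext_bytes > MAX_CHUNK_EXT_BYTES:
            return False, "chunk extensions exceed cap"
        try:
            size = int(size_field.strip(), 16)
        except ValueError:
            return False, "malformed chunk size"
        if size == 0:                       # last-chunk reached; body is well formed
            return True, "ok"
        pos = eol + 2 + size + 2            # skip chunk data and its trailing CRLF
```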