Bug#864447: Pending fixes for bugs in the tomcat7 package
pkg-java-maintainers at lists.alioth.debian.org
Tue Jun 20 22:04:26 UTC 2017
tag 864447 + pending
thanks
Some bugs in the tomcat7 package are closed in revision
1ebcd5b2c822cf677b59a875172344c80d1d1ee4 in branch 'wheezy' by
Markus Koschany
The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/tomcat7.git/commit/?id=1ebcd5b
Commit message:
Import Debian changes 7.0.28-4+deb7u14

tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high

  * Team upload.
  * Fix CVE-2017-5664.
    The error page mechanism of the Java Servlet Specification requires that,
    when an error occurs and an error page is configured for the error that
    occurred, the original request and response are forwarded to the error
    page. This means that the request is presented to the error page with the
    original HTTP method. If the error page is a static file, expected
    behaviour is to serve content of the file as if processing a GET request,
    regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
    did not do this. Depending on the original request this could lead to
    unexpected and undesirable results for static error pages including, if the
    DefaultServlet is configured to permit writes, the replacement or removal
    of the custom error page. (Closes: #864447)
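
A configuration check for the condition the changelog describes, added here as an example and not part of the original message or of the Debian or Tomcat code: it reads one web.xml and reports which error pages point at static files and whether the DefaultServlet has `readonly` set to `false`. The sample web.xml is constructed, and treating every location that does not end in `.jsp` or `.jspx` as a static file is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
# Assumption: locations with these suffixes are dynamic; everything else is static.
DYNAMIC_SUFFIXES = (".jsp", ".jspx")

# Constructed sample: writable DefaultServlet plus one static and one JSP error page.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>
  <error-page><error-code>500</error-code><location>/errors/500.jsp</location></error-page>
</web-app>"""

def local(tag):
    """Drop the XML namespace so any web.xml schema version is accepted."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_web_xml(xml_text):
    """Return (default_servlet_writable, [(error code or exception type, location), ...])."""
    writable, static_pages = False, []
    for elem in ET.fromstring(xml_text):
        kind = local(elem.tag)
        if kind == "servlet" and child_text(elem, "servlet-class") == DEFAULT_SERVLET:
            for param in elem:
                if local(param.tag) == "init-param" and child_text(param, "param-name") == "readonly":
                    # readonly defaults to true; only an explicit "false" permits writes
                    writable = child_text(param, "param-value").lower() == "false"
        elif kind == "error-page":
            location = child_text(elem, "location")
            if location and not location.lower().endswith(DYNAMIC_SUFFIXES):
                key = child_text(elem, "error-code") or child_text(elem, "exception-type")
                static_pages.append((key, location))
    return writable, static_pages

if __name__ == "__main__":
    writable, pages = audit_web_xml(SAMPLE_WEB_XML)
    for key, location in pages:
        print(f"static error page {location} ({key}); DefaultServlet writable: {writable}")
```

A `True` result together with a non-empty list marks the configuration the changelog singles out, where a static error page can be replaced or removed on an unpatched package; the check covers only the file it is given, so the global conf/web.xml and each application's own web.xml need to be audited separately.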