Debian 9844 Published by

The following updates has been released for Debian 7 LTS:

[DLA 528-1] libcommons-fileupload-java security update
[DLA 529-1] tomcat7 security update
[DLA 530-1] java-common security update



[DLA 528-1] libcommons-fileupload-java security update

Package : libcommons-fileupload-java
Version : 1.2.2-1+deb7u3
CVE ID : CVE-2016-3092


A denial of service vulnerability was identified in Commons FileUpload
that occurred when the length of the multipart boundary was just below
the size of the buffer (4096 bytes) used to read the uploaded file.
This caused the file upload process to take several orders of
magnitude longer than if the boundary was the typical tens of bytes long.

For Debian 7 "Wheezy", these problems have been fixed in version
1.2.2-1+deb7u3.

We recommend that you upgrade your libcommons-fileupload-java packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 529-1] tomcat7 security update

Package : tomcat7
Version : 7.0.28-4+deb7u5
CVE ID : CVE-2016-3092


A denial of service vulnerability was identified in Commons FileUpload
that occurred when the length of the multipart boundary was just below
the size of the buffer (4096 bytes) used to read the uploaded file.
This caused the file upload process to take several orders of
magnitude longer than if the boundary was the typical tens of bytes long.

Apache Tomcat uses a package renamed copy of Apache Commons FileUpload
to implement the file upload requirements of the Servlet specification
and was therefore also vulnerable to the denial of service vulnerability.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u5.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 530-1] java-common security update

Package : java-common
Version : 0.47+deb7u2


As previously announced [1][2], the default Java implementation has
been switched from OpenJDK 6 to OpenJDK 7. We strongly recommend to
remove the unsupported OpenJDK 6 packages which will receive no
further security updates.

[1] https://lists.debian.org/debian-lts-announce/2016/05/msg00007.html
[2] https://www.debian.org/News/2016/20160425

For Debian 7 "Wheezy", these problems have been fixed in version
0.47+deb7u2.

We recommend that you upgrade your java-common packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS