Debian 10037 Published by

A tomcat7 security update has been released for Debian GNU/Linux 8 Extended LTS to address several security vulnerabilities.

ELA-735-1 tomcat7 security update

Package : tomcat7
Version : 7.0.56-3+really7.0.109-1+deb8u1 (jessie)

Related CVEs :

Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

If Apache Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not
reject a request containing an invalid Content-Length header making a
request smuggling attack possible if Tomcat was located behind a reverse
proxy that also failed to reject the request with the invalid header.

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
authenticate using variations of a valid user name and/or to bypass some of
the protection provided by the LockOut Realm. This update fixes a
regression due to the fix for CVE-2021-30640.

  ELA-735-1 tomcat7 security update