tag 864447 + pending
Some bugs in the tomcat7 package are closed in revision
1ebcd5b2c822cf677b59a875172344c80d1d1ee4 in branch 'wheezy' by
The full diff can be seen at
Import Debian changes 7.0.28-4+deb7u14
tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high
* Team upload.
* Fix CVE-2017-5664.
The error page mechanism of the Java Servlet Specification requires
when an error occurs and an error page is configured for the error that
occurred, the original request and response are forwarded to the error
page. This means that the request is presented to the error page with
original HTTP method. If the error page is a static file, expected
behaviour is to serve content of the file as if processing a GET
regardless of the actual HTTP method. The Default Servlet in Apache
did not do this. Depending on the original request this could lead to
unexpected and undesirable results for static error pages including, if
DefaultServlet is configured to permit writes, the replacement or
of the custom error page. (Closes: #864447)