tag 864447 + pending

Some bugs in the tomcat7 package are closed in revision
1ebcd5b2c822cf677b59a875172344c80d1d1ee4 in branch 'wheezy' by
Markus Koschany

The full diff can be seen at

Commit message:

    Import Debian changes 7.0.28-4+deb7u14
    tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high
      * Team upload.
      * Fix CVE-2017-5664.
        The error page mechanism of the Java Servlet Specification requires 
        when an error occurs and an error page is configured for the error that
        occurred, the original request and response are forwarded to the error
        page. This means that the request is presented to the error page with 
        original HTTP method. If the error page is a static file, expected
        behaviour is to serve content of the file as if processing a GET 
        regardless of the actual HTTP method. The Default Servlet in Apache 
        did not do this. Depending on the original request this could lead to
        unexpected and undesirable results for static error pages including, if 
        DefaultServlet is configured to permit writes, the replacement or 
        of the custom error page. (Closes: #864447)

This is the maintainer address of Debian's Java team
Please use
debian-j...@lists.debian.org for discussions and questions.
