On Wed, Nov 08, 2017 at 03:03:06PM +0100, Markus Koschany wrote: > Thank you for the report. There was a recent security update of Tomcat 7 > which is the likely cause for this issue. > > Roberto can you take a look please? > Hi Markus & others,
I was able to identify the cause of the regression that I introduced. There are updated packages here: https://people.debian.org/~roberto/ My testing this time around was more thorough and I believe that this update properly addresses the CVE without introducing a regression. If some intrepid souls could test these packages and give a thumbs up, I will upload the packages in the next 12-18 hours and then release an updated advisory. Here is my proposed advisory text: ==================== The update for tomcat7 issued as DLA-1166-1 caused a regressions whereby every request, including for the root document (/), returned HTTP status 404. Updated packages are now available to address this problem. For reference, the original advisory text follows. When HTTP PUT was enabled (e.g., via setting the readonly initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. For Debian 7 "Wheezy", these problems have been fixed in version 7.0.28-4+deb7u17. ==================== For those who are interested, the regression resulted from a combination of two factors. - When incorporating one of the upstream change sets, an unclean patch application produced a .rej rejection file which I overlooked - When incorporating another upstream changeset, my attempt to integrate the minimal change was too minimal and left out an important additional change These problems did not manifest themselves in my initial testing of the 7.0.28-4+deb7u16 packages because of browser caching. I offer my apologies for causing this problem and my thanks for your help in resolving it. Regards, -Roberto -- Roberto C. Sánchez
Description: PGP signature
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.