~ubuntu-branches/ubuntu/precise/tomcat6/precise-updates

Viewing all changes in revision 49.

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2014-03-04 11:14:51 UTC
  • Revision ID: package-import@ubuntu.com-20140304111451-m9t371yt0rdmity1
Tags: 6.0.35-1ubuntu3.4
* SECURITY UPDATE: request smuggling attack via content-length headers
  - debian/patches/CVE-2013-4286.patch: handle multiple content lengths
    in java/org/apache/coyote/ajp/AbstractAjpProcessor.java, 
    java/org/apache/coyote/ajp/AjpProcessor.java, handle content length
    and chunked encoding being both specified in
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/Http11NioProcessor.java,
    java/org/apache/coyote/http11/Http11Processor.java.
  - CVE-2013-4286
* SECURITY UPDATE: denial of service via chunked transfer coding
  - debian/patches/CVE-2013-4322.patch: limit length of extension data in
    java/org/apache/coyote/Constants.java,
    java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
    webapps/docs/config/systemprops.xml.
  - CVE-2013-4322
* SECURITY UPDATE: session fixation attack via crafted URL
  - debian/patches/CVE-2014-0033.patch: properly handle
    disableURLRewriting in
    java/org/apache/catalina/connector/CoyoteAdapter.java.
  - CVE-2014-0033
