* SECURITY UPDATE: denial of service via malformed chunk size
  - debian/patches/CVE-2014-0075.patch: fix overflow in
    java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
  - CVE-2014-0075
* SECURITY UPDATE: file disclosure via XXE issue
  - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
    relative path in conf/web.xml,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/catalina/servlets/LocalStrings.properties,
    webapps/docs/default-servlet.xml.
  - CVE-2014-0096
* SECURITY UPDATE: HTTP request smuggling attack via crafted
  Content-Length HTTP header
  - debian/patches/CVE-2014-0099.patch: correctly handle long values in
    java/org/apache/tomcat/util/buf/Ascii.java.
  - CVE-2014-0099