Skip to content
Commit 1ebcd5b2 authored by Markus Koschany's avatar Markus Koschany
Browse files

Import Debian changes 7.0.28-4+deb7u14 

tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high

  * Team upload.
  * Fix CVE-2017-5664.
    The error page mechanism of the Java Servlet Specification requires that,
    when an error occurs and an error page is configured for the error that
    occurred, the original request and response are forwarded to the error
    page. This means that the request is presented to the error page with the
    original HTTP method. If the error page is a static file, expected
    behaviour is to serve content of the file as if processing a GET request,
    regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
    did not do this. Depending on the original request this could lead to
    unexpected and undesirable results for static error pages including, if the
    DefaultServlet is configured to permit writes, the replacement or removal
    of the custom error page. (Closes: #864447)
parent ff3b886e
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment