-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512



- -------------------------------------------------------------------------

Debian Security Advisory DSA-3842-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
May 03, 2017                          https://www.debian.org/security/faq

- -------------------------------------------------------------------------



Package        : tomcat7
CVE ID         : CVE-2017-5647 CVE-2017-5648



Two vulnerabilities were discovered in tomcat7, a servlet and JSP
engine.



CVE-2017-5647



    Pipelined requests were processed incorrectly, which could result in
    some responses appearing to be sent for the wrong request.



CVE-2017-5648



    Some application listener calls were issued against the wrong
    objects, allowing untrusted applications running under a
    SecurityManager to bypass that protection mechanism and access or
    modify information associated with other web applications.



For the stable distribution (jessie), these problems have been fixed in
version 7.0.56-3+deb8u10.



For the upcoming stable (stretch) and unstable (sid) distributions,
these problems have been fixed in version 7.0.72-3.



We recommend that you upgrade your tomcat7 packages.



Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



Mailing list: debian-security-announce@lists.debian.org


