Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #9033

Re: Tomcat 7 security update

Show all headers | View raw

* Markus Koschany:

> Am 28.03.2016 um 18:07 schrieb Markus Koschany:
>> [first e-mail failed, attachment is compressed now]
>> 
>> Hello Security Team, hello Java Team
>> 
>> I have prepared security updates for Tomcat 7 fixing 9 CVEs in Wheezy
>> and 7 CVEs in Jessie.
>
> Hi,
>
> since I haven't heard anything negative about the security update for
> Tomcat7 so far, I'm hereby sending you the final debdiffs for Wheezy and
> Jessie.
>
> After further investigation into the test failures I'm convinced now
> that they are unrelated to the update because they also occur with the
> current version and it seems they can be traced back to an update of
> OpenJDK 7. According to [1] the error is caused by stricter checking of
> values in cookie names. The error message is:
>
> Illegal character(s) in message header field: Cookie:

Yes, the test appears to be broken.

I found this upstream commit:

------------------------------------------------------------------------
r1715547 | fschumacher | 2015-11-21 18:54:14 +0100 (Sat, 21 Nov 2015) | 4 lines

Don't add ":" to cookie name. It is illegal in newer jre.

Merge from r1715544 /tomcat/tc8.0.x/trunk

Packaging-wise, the changes look okay.  Could you please upload?

Thanks,
Florian

Back to linux.debian.maint.java | Previous | Next — Previous in thread | Find similar | Unroll thread

Thread

Tomcat 7 security update Markus Koschany <apo@gambaru.de> - 2016-03-28 18:10 +0200
  Re: Tomcat 7 security update Markus Koschany <apo@debian.org> - 2016-04-16 16:40 +0200
    Re: Tomcat 7 security update Florian Weimer <fw@deneb.enyo.de> - 2016-04-16 20:00 +0200
      Re: Tomcat 7 security update Markus Koschany <apo@debian.org> - 2016-04-17 14:50 +0200
  Re: Tomcat 7 security update Florian Weimer <fw@deneb.enyo.de> - 2016-04-16 16:50 +0200

csiph-web