From: Florian Weimer
Newsgroups: linux.debian.maint.java
Subject: Re: Tomcat 7 security update
Date: Sat, 16 Apr 2016 16:50:02 +0200
List-Archive: https://lists.debian.org/msgid-search/87bn59r68b.fsf@mid.deneb.enyo.de

* Markus Koschany:

> On 28.03.2016 at 18:07, Markus Koschany wrote:
>> [first e-mail failed, attachment is compressed now]
>>
>> Hello Security Team, hello Java Team
>>
>> I have prepared security updates for Tomcat 7 fixing 9 CVEs in Wheezy
>> and 7 CVEs in Jessie.
>
> Hi,
>
> since I haven't heard anything negative about the security update for
> Tomcat7 so far, I'm hereby sending you the final debdiffs for Wheezy and
> Jessie.
>
> After further investigation into the test failures I'm convinced now
> that they are unrelated to the update because they also occur with the
> current version and it seems they can be traced back to an update of
> OpenJDK 7. According to [1] the error is caused by stricter checking of
> values in cookie names. The error message is:
>
> Illegal character(s) in message header field: Cookie:

Yes, the test appears to be broken. I found this upstream commit:

------------------------------------------------------------------------
r1715547 | fschumacher | 2015-11-21 18:54:14 +0100 (Sat, 21 Nov 2015) | 4 lines

Don't add ":" to cookie name. It is illegal in newer jre.

Merge from r1715544 /tomcat/tc8.0.x/trunk

Packaging-wise, the changes look okay. Could you please upload?

Thanks,
Florian