tomcat7 precise package missing security fixes and/or updates
Vincent schurink
admin at acio.nl
Tue Dec 9 14:01:07 UTC 2014
Hi Ubuntu Devel list,
I don't really know where to ask this question, so I'm emailing you guys hoping
that you can help point me in the right direction.
We've recently had a security audit done on one of our business
applications, and one of the issues discovered was that the Ubuntu tomcat7
package that we were using contained several exploits. I did some checking
and it appears that Apache has already implemented all these fixes in the
official tomcat7 package, but they do not appear to be backported in the
tomcat 7 precise package that is currently available.
It appears that the last security / bugfix update on the precise package was
the first of April 2013.
In particular, our application was found vulnerable to the following CVEs:
- Important: Session fixation, CVE-2013-2067
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067>
- Information disclosure, CVE-2013-4286
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286>
These can also be found on the Apache website:
http://tomcat.apache.org/security-7.html
Are there any plans to update the current Ubuntu Tomcat 7 precise package to
contain all the latest vulnerability fixes? If so could any of you give me a
clue as to what the timeline would be for this update?
Thanks in advance.
Regards,
V. Schurink
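An added note on checking a finding like the one above (this script is not part of the original message): Ubuntu backports security fixes without bumping the upstream Tomcat version, so an audit tool that keys on version strings can flag a CVE the distro package already fixes, or miss one it has not. The authoritative check is whether the package changelog (`apt-get changelog tomcat7`, or /usr/share/doc/tomcat7/changelog.Debian.gz) references the CVE ids. The changelog text below is a constructed sample, not the real tomcat7 changelog.

```shell
#!/bin/sh
# Added example: compare an audit's CVE list against a package changelog.
# On a real host: apt-get changelog tomcat7 > tomcat7.changelog
# CONSTRUCTED sample changelog (version and maintainer are placeholders).
SAMPLE_CHANGELOG='tomcat7 (0.0-0ubuntu0.0) precise-security; urgency=low

  * SECURITY UPDATE: session fixation (constructed sample entry)
    - CVE-2013-2067

 -- Placeholder Maintainer <placeholder@example.invalid>  Mon, 01 Apr 2013 10:00:00 +0000
'

# List every CVE id referenced in a changelog, upper-cased and de-duplicated.
cves_in_changelog() {
    printf '%s\n' "$1" | grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' \
        | tr '[:lower:]' '[:upper:]' | sort -u
}

# cves_status CHANGELOG_TEXT CVE...
# Prints "<CVE> fixed" when the changelog references the id, "<CVE> missing"
# otherwise. Returns 0 only if every id given is referenced.
# Caveat: a changelog entry shows the maintainer shipped a fix; it does not prove
# the installed binary is that build. Compare the top entry's version with
# "dpkg-query -W -f='${Version}' tomcat7" before closing the finding.
cves_status() {
    changelog=$1; shift
    found=$(cves_in_changelog "$changelog")
    missing=0
    for cve in "$@"; do
        cve_uc=$(printf '%s' "$cve" | tr '[:lower:]' '[:upper:]')
        if printf '%s\n' "$found" | grep -qx -- "$cve_uc"; then
            echo "$cve_uc fixed"
        else
            echo "$cve_uc missing"
            missing=1
        fi
    done
    return $missing
}

# Demo run against the constructed sample with the two CVEs from the audit.
cves_status "$SAMPLE_CHANGELOG" CVE-2013-2067 CVE-2013-4286 \
    || echo "at least one audited CVE is not referenced in this changelog"
```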