ELA-153-1 tomcat7 security update

CGI outbound HTTP traffic redirection

Related CVE CVE-2016-5388

An outbound HTTP traffic redirection issue was found in tomcat7, a Java Servlet and JSP engine.

Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an “httpoxy” issue.

The ‘cgi’ servlet now has a ‘envHttpHeaders’ parameter to filter environment variables.

For Debian 7 Wheezy, these problems have been fixed in version 7.0.28-4+deb7u22.

We recommend that you upgrade your tomcat7 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/