ELA-51-1 tomcat7 security update

Open Redirect

Packagetomcat7
Version7.0.28-4+deb7u20
Related CVE CVE-2018-11784

Sergey Bobrov discovered that when the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.

For Debian 7 Wheezy, these problems have been fixed in version 7.0.28-4+deb7u20.

We recommend that you upgrade your tomcat7 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/