| Package | tomcat7 |
|---|---|
| Version | 7.0.28-4+deb7u20 |
| Related CVEs | CVE-2018-11784 |
Sergey Bobrov discovered that when the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
For Debian 7 Wheezy, these problems have been fixed in version 7.0.28-4+deb7u20.
We recommend that you upgrade your tomcat7 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.