
A tomcat7 security update has been released for Debian GNU/Linux 8 Extended LTS to address a flaw where session cookies created by Apache Tomcat did not include the secure attribute.



ELA-827-1 tomcat7 security update

Package : tomcat7
Version : 7.0.56-3+really7.0.109-1+deb8u3 (jessie)

Related CVEs :
CVE-2023-28708

A flaw has been found in the Tomcat servlet and JSP engine. When using the
RemoteIpFilter with requests received from a reverse proxy via HTTP that
include the X-Forwarded-Proto header set to https, session cookies created by
Apache Tomcat did not include the secure attribute. This could result in the
user agent transmitting the session cookie over an insecure channel.
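A check one could run after applying the update, given here as an added example that is not part of the advisory: it parses response headers as seen at the reverse proxy and reports session cookies issued without Secure for a request forwarded with X-Forwarded-Proto set to https. The cookie name JSESSIONID (Tomcat's default) and the sample responses are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the Secure attribute.
# Assumption: the session cookie uses Tomcat's default name, JSESSIONID.
SESSION_COOKIE = "JSESSIONID"

# Constructed sample responses (not captured from a real server). The cookie
# value contains the text "SECURE" to show why a substring match is not enough.
AFFECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123SECURE4567; Path=/app; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)
FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123SECURE4567; Path=/app; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)


def parse_set_cookies(raw_headers):
    """Return (cookie_name, attribute_names) for every Set-Cookie header."""
    cookies = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue  # status line or another header
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0].strip()
        # Attribute names are case-insensitive; drop any "=value" part.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
        cookies.append((cookie_name, attrs))
    return cookies


def insecure_session_cookies(raw_headers, forwarded_proto,
                             session_cookie=SESSION_COOKIE):
    """Session cookies lacking Secure although the client leg was HTTPS."""
    if forwarded_proto.strip().lower() != "https":
        return []  # client connected over plain HTTP; Secure is not expected
    return [name for name, attrs in parse_set_cookies(raw_headers)
            if name == session_cookie and "secure" not in attrs]


if __name__ == "__main__":
    for label, response in (("affected", AFFECTED), ("fixed", FIXED)):
        missing = insecure_session_cookies(response, "https")
        print(label, "->", missing or "session cookie carries Secure")
```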
