tomcat6 - Servlet and JSP engine

Property Value
Distribution Debian 7 (Wheezy)
Repository Debian Main i386
Package name tomcat6
Package version 6.0.45+dfsg
Package release 1~deb7u1
Package architecture all
Package type deb
Installed size 364 B
Download size 49.94 KB
Official Mirror
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
server environment for Java code to run.
This package contains only the startup scripts for the system-wide daemon.
No documentation or web applications are included here; install
the tomcat6-docs and tomcat6-examples packages if you want them.
Install the authbind package if you need to use Tomcat on ports 1-1023.
Install tomcat6-user instead of this package if you don't want Tomcat to
start as a service.


Package Version Architecture Repository
tomcat6_6.0.45+dfsg-1~deb7u5_all.deb 6.0.45+dfsg all Debian Security Updates Main
tomcat6_6.0.45+dfsg-1~deb7u1_all.deb 6.0.45+dfsg all Debian Main


Required package Version constraint
adduser -
debconf >= 0.5
debconf-2.0 -
tomcat6-common >= 6.0.45+dfsg-1~deb7u1
ucf -


Type URL
Binary Package tomcat6_6.0.45+dfsg-1~deb7u1_all.deb
Source Package tomcat6

Install Howto

  1. Update the package index:
    # sudo apt-get update
  2. Install tomcat6 deb package:
    # sudo apt-get install tomcat6




2016-03-16 - Markus Koschany <>
tomcat6 (6.0.45+dfsg-1~deb7u1) wheezy-security; urgency=high
* Team upload.
* The full list of changes between 6.0.35 (the version previously available
in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is
available online at
* This update fixes the following security issues:
- CVE-2014-0033: prevent remote attackers from conducting session
fixation attacks via crafted URLs.
- CVE-2014-0119: Fix not properly constraining class loader that accesses
the XML parser used with an XSLT stylesheet which allowed remote
attackers to read arbitrary files via crafted web applications.
- CVE-2014-0099: Fix integer overflow in
- CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote
attackers to bypass security-manager restrictions.
- CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in
- CVE-2013-4590: prevent "Tomcat internals" information leaks.
- CVE-2013-4322: prevent remote attackers from doing denial of service
- CVE-2013-4286: reject requests with multiple content-length headers or
with a content-length header when chunked encoding is being used.
- Avoid CVE-2013-1571 when generating Javadoc.
* CVE-2014-0227.patch:
- Add error flag to allow subsequent attempts at reading after an error to
fail fast.
* CVE-2014-0230: Add support for maxSwallowSize.
* CVE-2014-7810:
- Fix potential BeanELResolver issue when running under a security manager.
Some classes may not be accessible but may have accessible interfaces.
* CVE-2015-5174: Directory traversal vulnerability in
* CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
processes redirects before considering security constraints and Filters.
* CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/ list which allows
remote authenticated users to bypass intended SecurityManager
* CVE-2016-0714: The session-persistence implementation in Apache Tomcat
before 6.0.45 mishandles session attributes, which allows remote
authenticated users to bypass intended SecurityManager restrictions.
* CVE-2016-0763: The setGlobalContext method in
org/apache/naming/factory/ in Apache Tomcat does
not consider whether ResourceLinkFactory.setGlobalContext callers are
authorized, which allows remote authenticated users to bypass intended
SecurityManager restrictions and read or write to arbitrary application
data, or cause a denial of service (application disruption), via a web
application that sets a crafted global context.
* CVE-2015-5351: The Manager and Host Manager applications in
Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
requests, which allows remote attackers to bypass a CSRF protection
mechanism by using a token.
* Drop the following patches. Applied upstream.
- 0011-CVE-2012-0022-regression-fix.patch
- 0012-CVE-2012-3544.patch
- 0014-CVE-2012-4534.patch
- 0015-CVE-2012-4431.patch
- 0016-CVE-2012-3546.patch
- 0017-CVE-2013-2067.patch
- cve-2012-2733.patch
- cve-2012-3439.patch
- CVE-2014-0227.patch
- CVE-2014-0230.patch
- CVE-2014-7810-1.patch
- CVE-2014-7810-2.patch
- 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch
2013-07-18 - Moritz Mühlenhoff <>
tomcat6 (6.0.35-6+deb7u1) stable-security; urgency=low
* CVE-2012-3544, CVE-2013-2067
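Three of the items in the 6.0.45 entry above (CVE-2013-4286, CVE-2014-0075 and CVE-2014-0230) all concern how the connector frames a request body. The following added example, which is not Tomcat's code and not part of this changelog, shows that class of check in Python: it rejects a request head that carries more than one Content-Length header or Content-Length alongside chunked Transfer-Encoding, parses a chunk size with a bounded accumulator and range check, and applies a maxSwallowSize-style limit when deciding whether to drain a rejected request's body or close the connection. The function names, the 8-hex-digit chunk-size cap and the three sample requests are this example's own assumptions; the 2 MB figure is Tomcat's documented default for maxSwallowSize.

```python
"""Request-framing checks of the kind the CVE-2013-4286, CVE-2014-0075 and
CVE-2014-0230 changelog items describe. Added example, not Tomcat's code:
the function names, the chunk-size bound and the sample requests below are
this example's own."""

CHUNK_SIZE_MAX_HEX_DIGITS = 8            # assumption: cap chunk-size at 32 bits of hex
DEFAULT_MAX_SWALLOW = 2 * 1024 * 1024    # Tomcat's documented default for maxSwallowSize


class BadRequest(Exception):
    """Raised for any request the server should answer with 400 rather than interpret."""


def parse_request_head(raw: bytes):
    """Split a raw request into (request_line, [(name, value), ...]).
    Header names are lower-cased; duplicates are kept so the caller sees them."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise BadRequest("obsolete line folding not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise BadRequest("malformed header line: %r" % line)
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return lines[0].decode("ascii"), headers


def body_framing(headers):
    """Decide how the body is delimited: ("chunked", None), ("length", n) or
    ("none", 0). Combinations that let a proxy and the servlet container
    disagree about where one request ends are rejected, not resolved."""
    lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v for n, v in headers if n == "transfer-encoding"]
    chunked = any("chunked" in e.lower() for e in encodings)
    if len(lengths) > 1:
        raise BadRequest("multiple Content-Length headers")
    if lengths and chunked:
        raise BadRequest("Content-Length together with chunked Transfer-Encoding")
    if chunked:
        return ("chunked", None)
    if lengths:
        if not lengths[0].isdigit():       # rejects "-1", "1e3", "10, 10"
            raise BadRequest("non-numeric Content-Length")
        return ("length", int(lengths[0]))
    return ("none", 0)


def parse_chunk_size(line: bytes) -> int:
    """Parse the size field of one chunk header (b"1a;ext=1" -> 26) with a
    bounded digit count and an explicit range check, so an over-long hex
    string cannot wrap a fixed-width integer (the CVE-2014-0075 pattern)."""
    digits = line.split(b";", 1)[0].strip()
    if not digits:
        raise BadRequest("empty chunk size")
    if len(digits) > CHUNK_SIZE_MAX_HEX_DIGITS:
        raise BadRequest("chunk size too long: %r" % digits)
    if not set(digits) <= set(b"0123456789abcdefABCDEF"):
        raise BadRequest("invalid chunk size: %r" % digits)
    size = int(digits, 16)
    if size > 0x7FFFFFFF:                  # must still fit a signed 32-bit int
        raise BadRequest("chunk size exceeds 31 bits")
    return size


def drain_decision(framing, already_read: int, max_swallow: int = DEFAULT_MAX_SWALLOW) -> str:
    """When a request is refused before its body has been consumed, decide
    whether to swallow the rest (so the connection can be reused) or close.
    This is the policy maxSwallowSize bounds: never read an unbounded body on
    behalf of a request that has already been rejected."""
    kind, declared = framing
    if kind == "none":
        return "keep-alive"
    if kind == "length":
        remaining = max(declared - already_read, 0)
        return "swallow" if remaining <= max_swallow else "close"
    return "swallow-until-limit"   # chunked: count bytes as they arrive, close past max_swallow


# Constructed sample requests (not captured traffic).
SMUGGLE_ATTEMPT = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 4\r\nContent-Length: 13\r\n\r\nG\r\nGET /x HTTP/1.1")
CL_PLUS_TE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
LARGE_UPLOAD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 10000000\r\n\r\n")


def classify(raw: bytes) -> str:
    """'rejected: <reason>' for a bad head, otherwise the drain decision that
    would apply if the application refused this request unread."""
    try:
        _line, headers = parse_request_head(raw)
        return drain_decision(body_framing(headers), already_read=0)
    except BadRequest as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    for name, raw in (("SMUGGLE_ATTEMPT", SMUGGLE_ATTEMPT), ("CL_PLUS_TE", CL_PLUS_TE),
                      ("LARGE_UPLOAD", LARGE_UPLOAD)):
        print(name, "->", classify(raw))
    print("chunk size 1a ->", parse_chunk_size(b"1a;ext=1\r\n"))
```

classify() is the decision a connector makes before the application ever sees the request. On a real Tomcat 6.0.45 deployment the equivalent knob for the drain limit is the maxSwallowSize attribute on the HTTP connector in server.xml; the header rejections have no setting and are simply enforced.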

