Sergey Bobrov discovered that when the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
For Debian 7 Wheezy, these problems have been fixed in version 7.0.28-4+deb7u20.
We recommend that you upgrade your tomcat7 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.