Accepted tomcat9 9.0.43-2~deb11u7 (source) into oldstable-proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Oct 2023 18:20:19 +0200
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u7
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Changes:
 tomcat9 (9.0.43-2~deb11u7) bullseye-security; urgency=high
 .
   * Fix CVE-2023-45648: Request smuggling. Tomcat did not correctly parse HTTP
     trailer headers. A specially crafted, invalid trailer header could cause
     Tomcat to treat a single request as multiple requests leading to the
     possibility of request smuggling when behind a reverse proxy.
   * Fix CVE-2023-44487: DoS caused by HTTP/2 frame overhead (Rapid Reset Attack)
   * Fix CVE-2023-42795: Information Disclosure. When recycling various internal
     objects, including the request and the response, prior to re-use by the next
     request/response, an error could cause Tomcat to skip some parts of the
     recycling process leading to information leaking from the current
     request/response to the next.
   * Fix CVE-2023-41080: Open redirect. If the ROOT (default) web application
     is configured to use FORM authentication then it is possible that a
     specially crafted URL could be used to trigger a redirect to a URL of
     the attacker's choice.
   * Fix CVE-2023-28709: Denial of Service. If non-default HTTP connector
     settings were used such that the maxParameterCount could be reached using
     query string parameters and a request was submitted that supplied exactly
     maxParameterCount parameters in the query string, the limit for uploaded
     request parts could be bypassed with the potential for a denial of service
     to occur.
   * Fix CVE-2023-24998: Denial of service. Tomcat uses a packaged renamed copy
     of Apache Commons FileUpload to provide the file upload functionality
     defined in the Jakarta Servlet specification. Apache Tomcat was, therefore,
     also vulnerable to the Commons FileUpload vulnerability CVE-2023-24998 as
     there was no limit to the number of request parts processed. This resulted
     in the possibility of an attacker triggering a DoS with a malicious upload
     or series of uploads.
Checksums-Sha1:
 2a0945b83bfac8887eb5c55149afd28d21cfc948 2780 tomcat9_9.0.43-2~deb11u7.dsc
 9abf966cb62d37cf28aed8898167811f7f45595f 56628 tomcat9_9.0.43-2~deb11u7.debian.tar.xz
 b5aea0387d6ff9043e01ac97bf15de80bda4e1bb 15720 tomcat9_9.0.43-2~deb11u7_source.buildinfo
Checksums-Sha256:
 983195283b8588257c8efad58ebb1e20acbf97ed120d387e477b086aec6acff1 2780 tomcat9_9.0.43-2~deb11u7.dsc
 d066ae60e841ef1cf686317ccad7d171359b2b134ab371c74c28d8e4eaec903b 56628 tomcat9_9.0.43-2~deb11u7.debian.tar.xz
 2cf86b131c8fd4e8f2d7d2b3cca28525c94849b03ed673427eb30eebb8944747 15720 tomcat9_9.0.43-2~deb11u7_source.buildinfo
Files:
 6c4be1fcce11600400f3d4d75c1cbb01 2780 java optional tomcat9_9.0.43-2~deb11u7.dsc
 93ec085de9049bc31df355a261bc661c 56628 java optional tomcat9_9.0.43-2~deb11u7.debian.tar.xz
 9f172aa457f0338b4f3552b206ca6fdf 15720 java optional tomcat9_9.0.43-2~deb11u7_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----