
Accepted tomcat9 9.0.31-1~deb10u9 (source) into oldoldstable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Oct 2023 17:17:28 +0200
Source: tomcat9
Architecture: source
Version: 9.0.31-1~deb10u9
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Changes:
 tomcat9 (9.0.31-1~deb10u9) buster-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2023-45648: Request smuggling. Tomcat did not correctly parse HTTP
     trailer headers. A specially crafted, invalid trailer header could cause
     Tomcat to treat a single request as multiple requests leading to the
     possibility of request smuggling when behind a reverse proxy.
   * Fix CVE-2023-44487: DoS caused by HTTP/2 frame overhead (Rapid Reset Attack)
   * Fix CVE-2023-42795: Information Disclosure. When recycling various internal
     objects, including the request and the response, prior to re-use by the
     next request/response, an error could cause Tomcat to skip some parts of
     the recycling process leading to information leaking from the current
     request/response to the next.
   * Fix CVE-2023-41080: Open redirect. If the ROOT (default) web application
     is configured to use FORM authentication then it is possible that a
     specially crafted URL could be used to trigger a redirect to a URL of the
     attacker's choice.
   * Fix CVE-2023-28709: Denial of Service. If non-default HTTP connector
     settings were used such that the maxParameterCount could be reached using
     query string parameters and a request was submitted that supplied exactly
     maxParameterCount parameters in the query string, the limit for uploaded
     request parts could be bypassed with the potential for a denial of service
     to occur.
   * Fix CVE-2023-24998: Denial of service. Tomcat uses a packaged renamed copy
     of Apache Commons FileUpload to provide the file upload functionality
     defined in the Jakarta Servlet specification. Apache Tomcat was, therefore,
     also vulnerable to the Commons FileUpload vulnerability CVE-2023-24998 as
     there was no limit to the number of request parts processed. This resulted
     in the possibility of an attacker triggering a DoS with a malicious upload
     or series of uploads.
Checksums-Sha1:
 be1a91127c925bff9398b028187863142d1c5028 2889 tomcat9_9.0.31-1~deb10u9.dsc
 7acc59a6b065a01a67723034c0f70456e2d497ac 62172 tomcat9_9.0.31-1~deb10u9.debian.tar.xz
 e56bca45da057f26e09edb562eb3885217b9c7a5 13947 tomcat9_9.0.31-1~deb10u9_source.buildinfo
Checksums-Sha256:
 21cdf39eedeb61f5a130ce1574276e585f3aae1997006c48a0238b12fc426e5f 2889 tomcat9_9.0.31-1~deb10u9.dsc
 503843444c894b47be1193c63beb9cdcbcaab5d0188cef4d9db5d30c29a320cd 62172 tomcat9_9.0.31-1~deb10u9.debian.tar.xz
 b6c2c35a3b388028fc3e1c0bc8eb2e3f56d441cf85c76de973e81aa6e61a1d3b 13947 tomcat9_9.0.31-1~deb10u9_source.buildinfo
Files:
 09847a3187230748fd3924f119c1e97b 2889 java optional tomcat9_9.0.31-1~deb10u9.dsc
 11b612d951f3cfc26a864cb7a989ff0f 62172 java optional tomcat9_9.0.31-1~deb10u9.debian.tar.xz
 b71a7e2c32258ef92522fcbf98be3552 13947 java optional tomcat9_9.0.31-1~deb10u9_source.buildinfo

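The check a practitioner wants after reading this notice is whether a buster host actually carries 9.0.31-1~deb10u9 or later. On the host itself, dpkg-query -W -f='${Version}' tomcat9 prints the installed version and dpkg --compare-versions orders two versions. The example below is added here and is not Debian's code nor part of this upload: it reimplements dpkg's version ordering in Python (Debian Policy section 5.6.12, the same algorithm as dpkg's verrevcmp) so that the tilde rule is visible: "~" sorts before every other character and before the end of the string, which is why 9.0.31-1~deb10u9 is older than a plain 9.0.31-1 yet newer than 9.0.31-1~deb10u8. The fixed version is taken from this notice; every other installed version fed to it is a constructed sample, not a real package.

```python
"""Decide whether an installed tomcat9 version carries the 9.0.31-1~deb10u9
security fixes, using a reimplementation of dpkg's version ordering.
Added example; this is not Debian's dpkg code."""

# Fixed version as published in the accepted-upload notice above.
FIXED_VERSION = "9.0.31-1~deb10u9"


def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything including end of
    string, letters sort before other non-digits, digits are handled apart."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one component (upstream version or Debian revision) the way
    dpkg's verrevcmp() does: alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: weighted character comparison; an exhausted side
        # counts as weight 0, so a '~' on the other side loses to it.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    rest = version
    if ":" in rest:
        epoch_text, rest = rest.split(":", 1)
        epoch = int(epoch_text)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return e1 - e2
    upstream_cmp = _verrevcmp(u1, u2)
    if upstream_cmp:
        return upstream_cmp
    return _verrevcmp(r1, r2)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is the fixed version or newer."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # On a real host, replace these constructed samples with the output of
    #   dpkg-query -W -f='${Version}' tomcat9
    samples = ["9.0.31-1~deb10u8", "9.0.31-1~deb10u9", "9.0.31-1", "9.0.40-1"]
    for installed in samples:
        print(installed, "patched" if is_patched(installed) else "VULNERABLE")
```

The same ordering applies to the other fields of this notice: any rebuilt or backported package whose revision ends in ~something sorts below the version it was derived from, so a host showing 9.0.31-1~deb10u9 is below a hypothetical 9.0.31-1 but above every earlier buster-security revision.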