tomcat9_9.0.43-2~deb11u6_source.changes ACCEPTED into proposed-updates

Debian FTP Masters ftpmaster at ftp-master.debian.org
Fri Apr 7 11:02:22 BST 2023


Thank you for your contribution to Debian.



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed,  5 Apr 2023 17:57:36 CEST
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u6
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Changed-By: Markus Koschany <apo at debian.org>
Checksums-Sha1:
 5dcbdb9596463f2b52520b943356f25973924882 2906 tomcat9_9.0.43-2~deb11u6.dsc
 c0d398cfb9173c06567e7718c2e537b64bcd3e99 47364 tomcat9_9.0.43-2~deb11u6.debian.tar.xz
 5c5a8d647c16d77cc8ed78912b572d540513b38c 13782 tomcat9_9.0.43-2~deb11u6_source.buildinfo
Checksums-Sha256:
 343aab34c6e1ca8bb6b7e8bcdbbcc7594a7250288aa59102dd1886666bb9ab31 2906 tomcat9_9.0.43-2~deb11u6.dsc
 2ef190ee41f4e7a5442eb049f4e0255a19f42b17ef0e9a339137c536a054ca98 47364 tomcat9_9.0.43-2~deb11u6.debian.tar.xz
 320d9d96ed02d79273106c15fafaabb3bc662fbc31a6150af1e7075e5b540d87 13782 tomcat9_9.0.43-2~deb11u6_source.buildinfo
Closes: 1033475
Changes:
 tomcat9 (9.0.43-2~deb11u6) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2022-42252:
     Apache Tomcat was configured to ignore invalid HTTP headers via setting
     rejectIllegalHeader to false. Tomcat did not reject a request containing an
     invalid Content-Length header making a request smuggling attack possible if
     Tomcat was located behind a reverse proxy that also failed to reject the
     request with the invalid header.
   * Fix CVE-2022-45143:
     The JsonErrorReportValve in Apache Tomcat did not escape the type, message
     or description values. In some circumstances these are constructed from
     user provided data and it was therefore possible for users to supply values
     that invalidated or manipulated the JSON output.
   * Fix CVE-2023-28708:
     When using the RemoteIpFilter with requests received from a reverse proxy
     via HTTP that include the X-Forwarded-Proto header set to https, session
     cookies created by Apache Tomcat did not include the secure attribute. This
     could result in the user agent transmitting the session cookie over an
     insecure channel. (Closes: #1033475)
Files:
 a0e3763cba0271c6a8a9f8f279668eea 2906 java optional tomcat9_9.0.43-2~deb11u6.dsc
 9218f651bb495a397c219d06b3224c36 47364 java optional tomcat9_9.0.43-2~deb11u6.debian.tar.xz
 139fc4cbef13d2e160db68d3714f19ab 13782 java optional tomcat9_9.0.43-2~deb11u6_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



