<div dir="ltr">Hi Emmanuel<div>Last night, I re-enabled HTTP2 with the new (9.0.43-2~deb11u8) build.</div><div>Unfortunately, it did not fix my problem.</div><div>I am going to rummage with tcpdump and a purpose-installed debian VM to investigate further. </div><div>Hopefully I can either track the problem down myself (not very likely), or at least offer you a better quality bug report.</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 16 Oct 2023 at 10:51, Sam Lander <<a href="mailto:sam.lander@gmail.com">sam.lander@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <b class="gmail_sendername" dir="auto">Debian Bug Tracking System</b> <span dir="auto"><<a href="mailto:owner@bugs.debian.org" target="_blank">owner@bugs.debian.org</a>></span><br>Date: Sun, 15 Oct 2023 at 23:51<br>Subject: Bug#1053820 closed by Debian FTP Masters <<a href="mailto:ftpmaster@ftp-master.debian.org" target="_blank">ftpmaster@ftp-master.debian.org</a>> (reply to Emmanuel Bourg <<a href="mailto:ebourg@apache.org" target="_blank">ebourg@apache.org</a>>) (Bug#1053820: fixed in tomcat9 9.0.43-2~deb11u8)<br>To: Sam Lander <<a href="mailto:sam.lander@gmail.com" target="_blank">sam.lander@gmail.com</a>><br></div><br><br>This is an automatic notification regarding your Bug report<br>
which was filed against the libtomcat9-java package:<br>
<br>
#1053820: libtomcat9-java: ERR_HTTP2_PROTOCOL_ERROR in browsers after upgrade 9.0.43-2~deb11u7 over u6<br>
<br>
It has been closed by Debian FTP Masters <<a href="mailto:ftpmaster@ftp-master.debian.org" target="_blank">ftpmaster@ftp-master.debian.org</a>> (reply to Emmanuel Bourg <<a href="mailto:ebourg@apache.org" target="_blank">ebourg@apache.org</a>>).<br>
<br>
Their explanation is attached below along with your original report.<br>
If this explanation is unsatisfactory and you have not received a<br>
better one in a separate message then please contact Debian FTP Masters <<a href="mailto:ftpmaster@ftp-master.debian.org" target="_blank">ftpmaster@ftp-master.debian.org</a>> (reply to Emmanuel Bourg <<a href="mailto:ebourg@apache.org" target="_blank">ebourg@apache.org</a>>) by<br>
replying to this email.<br>
<br>
<br>
-- <br>
1053820: <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053820" rel="noreferrer" target="_blank">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053820</a><br>
Debian Bug Tracking System<br>
Contact <a href="mailto:owner@bugs.debian.org" target="_blank">owner@bugs.debian.org</a> with problems<br>
<br><br><br>---------- Forwarded message ----------<br>From: Debian FTP Masters <<a href="mailto:ftpmaster@ftp-master.debian.org" target="_blank">ftpmaster@ftp-master.debian.org</a>><br>To: <a href="mailto:1053820-close@bugs.debian.org" target="_blank">1053820-close@bugs.debian.org</a><br>Cc: <br>Bcc: <br>Date: Sun, 15 Oct 2023 12:47:25 +0000<br>Subject: Bug#1053820: fixed in tomcat9 9.0.43-2~deb11u8<br>Source: tomcat9<br>
Source-Version: 9.0.43-2~deb11u8<br>
Done: Emmanuel Bourg <<a href="mailto:ebourg@apache.org" target="_blank">ebourg@apache.org</a>><br>
<br>
We believe that the bug you reported is fixed in the latest version of<br>
tomcat9, which is due to be installed in the Debian FTP archive.<br>
<br>
A summary of the changes between this version and the previous one is<br>
attached.<br>
<br>
Thank you for reporting the bug, which will now be closed. If you<br>
have further comments please address them to <a href="mailto:1053820@bugs.debian.org" target="_blank">1053820@bugs.debian.org</a>,<br>
and the maintainer will reopen the bug report if appropriate.<br>
<br>
Debian distribution maintenance software<br>
pp.<br>
Emmanuel Bourg <<a href="mailto:ebourg@apache.org" target="_blank">ebourg@apache.org</a>> (supplier of updated tomcat9 package)<br>
<br>
(This message was generated automatically at their request; if you<br>
believe that there is a problem with it please contact the archive<br>
administrators by mailing <a href="mailto:ftpmaster@ftp-master.debian.org" target="_blank">ftpmaster@ftp-master.debian.org</a>)<br>
<br>
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
Format: 1.8<br>
Date: Thu, 12 Oct 2023 17:32:21 +0200<br>
Source: tomcat9<br>
Architecture: source<br>
Version: 9.0.43-2~deb11u8<br>
Distribution: bullseye-security<br>
Urgency: high<br>
Maintainer: Debian Java Maintainers <<a href="mailto:pkg-java-maintainers@lists.alioth.debian.org" target="_blank">pkg-java-maintainers@lists.alioth.debian.org</a>><br>
Changed-By: Emmanuel Bourg <<a href="mailto:ebourg@apache.org" target="_blank">ebourg@apache.org</a>><br>
Closes: 1053820<br>
Changes:<br>
tomcat9 (9.0.43-2~deb11u8) bullseye-security; urgency=high<br>
.<br>
* Fixed the HTTP/2 overhead protection triggered on data frames.<br>
(Closes: #1053820<br>
Checksums-Sha1:<br>
21c4c651b718b1c50136aa05a5156f1a75dbc9c5 2906 tomcat9_9.0.43-2~deb11u8.dsc<br>
5f703f84f09b2c86ed304929671c1daae78043de 56720 tomcat9_9.0.43-2~deb11u8.debian.tar.xz<br>
be48ce5a115787000c58f9c28af980446ebe44d0 12156 tomcat9_9.0.43-2~deb11u8_source.buildinfo<br>
Checksums-Sha256:<br>
046e5f28d4a9722132d59ac5954de69f94f9833f919df745b1ceefb13079e8d5 2906 tomcat9_9.0.43-2~deb11u8.dsc<br>
f85edc77eb8e5e816a926c9ac80f666382e7574290868ea321526a570667cc2c 56720 tomcat9_9.0.43-2~deb11u8.debian.tar.xz<br>
a252f14c178f86754f387e48ccea8f45aa527bca941c3fcd55215cf770808c7a 12156 tomcat9_9.0.43-2~deb11u8_source.buildinfo<br>
Files:<br>
6f79c8ab4b2cc2c0473d51c18fa75768 2906 java optional tomcat9_9.0.43-2~deb11u8.dsc<br>
ee10311fa63eb9fa1ac9c613d46b0f13 56720 java optional tomcat9_9.0.43-2~deb11u8.debian.tar.xz<br>
bcb2b809f03c62b09a60d659f1aee53f 12156 java optional tomcat9_9.0.43-2~deb11u8_source.buildinfo<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
<br>
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUoM9dfFIAAAAAALgAo<br>
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD<br>
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp<br>
YW4ub3JnAAoJENmtFLlRO1HkqrcQAMxtrdP7vSR0qXnQkAUjHbMb9zMlmwSzfC+M<br>
D8GQNXF3i7tJZRA3Op7/nAI0eemTLCmPrDGwwZUsaGeCKtU3SqzDD70FcDZANf60<br>
yS8Pu0TfmOeTisGodwc0zjWLlg/OxSHLL8oPDExj9RDdDeNkArwZ+VQ0OIDD5ZEh<br>
PTl6hKo7bwYnfzo/xuEZwXJuNYFIJtk11ea3uvhsfEQw3jEZkb9cFeJ9RukkZsi5<br>
BPJ4xcQs48ca13vtkxc4g/bNORtye1GL3oeA9HTCD7Gm+st4svI1YyBbuxnsg5KM<br>
5pChx7k5HeL6dX9F9OE5pd/tJdWGapyyo9xiDUk5gJlgxUOImT2eij8tyBbfpniV<br>
L8ANb+6QjQq7btf/yVUu6IsP36PvnLMspdQq7zkneQp28Fcvlwmhw79iZ8IvuDdz<br>
2fGpEsZRCpSxXadPAQfx/7XXuzU/rWVTlRt+JB965vYLaZOvdQ0/HyW4RlNm9tOd<br>
PRoqsJA5MA59PtYP+VUN/Ut4YmNkBFf4IBwYughbLuCSnAJFvhOwh9XnXGDylopp<br>
XvK46BpO+KSAJ71rGa8jxZJ0sKXuJZrTUAX/YsyvvaQVY7802gCrr3cW2FlxWcyT<br>
IhcdaCc7IwmJw20HxwChzGJ+9uWR5f927/PK9vQeCtuXHaOb3pqD2gi8HYRI0Edu<br>
7vb16qek<br>
=DwpG<br>
-----END PGP SIGNATURE-----<br><br><br>---------- Forwarded message ----------<br>From: Sam Lander <<a href="mailto:sam.lander@gmail.com" target="_blank">sam.lander@gmail.com</a>><br>To: Debian Bug Tracking System <<a href="mailto:submit@bugs.debian.org" target="_blank">submit@bugs.debian.org</a>><br>Cc: <br>Bcc: <br>Date: Thu, 12 Oct 2023 10:43:42 +1100<br>Subject: libtomcat9-java: ERR_HTTP2_PROTOCOL_ERROR in browsers after upgrade 9.0.43-2~deb11u7 over u6<br>Package: libtomcat9-java<br>
Version: 9.0.43-2~deb11u7<br>
Severity: important<br>
X-Debbugs-Cc: <a href="mailto:sam.lander@gmail.com" target="_blank">sam.lander@gmail.com</a><br>
<br>
Dear Maintainer,<br>
<br>
I let unattended-upgrades handle the HTTP2 vulnerability.<br>
It installed thusly:<br>
<br>
> Log started: 2023-10-12 06:34:35<br>
> (Reading database <snip...><br>
> Preparing to unpack .../libtomcat9-java_9.0.43-2~deb11u7_all.deb ...<br>
> Unpacking libtomcat9-java (9.0.43-2~deb11u7) over (9.0.43-2~deb11u6) ...<br>
> Preparing to unpack .../tomcat9-common_9.0.43-2~deb11u7_all.deb ...<br>
> Unpacking tomcat9-common (9.0.43-2~deb11u7) over (9.0.43-2~deb11u6) ...<br>
> Preparing to unpack .../tomcat9_9.0.43-2~deb11u7_all.deb ...<br>
> Unpacking tomcat9 (9.0.43-2~deb11u7) over (9.0.43-2~deb11u6) ...<br>
> Setting up libtomcat9-java (9.0.43-2~deb11u7) ...<br>
> Setting up tomcat9-common (9.0.43-2~deb11u7) ...<br>
> Setting up tomcat9 (9.0.43-2~deb11u7) ...<br>
> Processing triggers for rsyslog (8.2102.0-2+deb11u1) ...<br>
> <br>
> Pending kernel upgrade!<br>
> <br>
> Running kernel version:<br>
> 5.10.0-19-amd64<br>
> <br>
> Diagnostics:<br>
> The currently running kernel version is not the expected kernel version 5.10.0-26-amd64.<br>
<br>
I did not reboot, and all lclients (Firefox, Safari, Chrome reported<br>
similar errors. No certificate available, security problem and <br>
ERR_HTTP2_PROTOCOL_ERROR<br>
<br>
A reboot to enable the new kernel produced the same results.<br>
<br>
I have commented-out HTTP2 and restarted Tomcat9, and the error is gone,<br>
(but so is HTTP2)<br>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"<br>
> maxThreads="150" SSLEnabled="true" ><br>
> <!-- sam 20231012 <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> --><br>
> <SSLHostConfig><br>
> <Certificate certificateKeyFile="/etc/letsencrypt/live/<a href="http://puppy.ccoz.org.au/privkey.pem" rel="noreferrer" target="_blank">puppy.ccoz.org.au/privkey.pem</a>"<br>
> certificateFile="/etc/letsencrypt/live/xxxxxxxxxxxxxxxxx/cert.pem"<br>
> certificateChainFile="/etc/letsencrypt/live/xxxxxxxxxxxxxxxxx/chain.pem"<br>
> type="RSA" /><br>
> </SSLHostConfig><br>
> </Connector><br>
<br>
<br>
-- System Information:<br>
_,met$$$$$gg. root@xxxxx<br>
,g$$$$$$$$$$$$$$$P. ----------<br>
,g$$P" """Y$$.". OS: Debian GNU/Linux 11 (bullseye) x86_64<br>
,$$P' `$$$. Host: HVM domU 4.7<br>
',$$P ,ggs. `$$b: Kernel: 5.10.0-26-amd64<br>
`d$$' ,$P"' . $$$ Uptime: 1 hour, 43 mins<br>
$$P d$' , $$P Packages: 799 (dpkg)<br>
$$: $$. - ,d$$' Shell: bash 5.1.4<br>
$$; Y$b._ _,d$P' Resolution: 1024x768<br>
Y$$. `.`"Y$$$$P"' CPU: AMD Opteron 4170 HE (4) @ 2.100GHz<br>
`$$b "-.__ GPU: 00:02.0 Cirrus Logic GD 5446<br>
`Y$$ Memory: 1349MiB / 7938MiB<br>
`Y$$.<br>
`$$b.<br>
`Y$$b.<br>
`"Y$b._<br>
`"""<br>
</div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><font size="1" face="courier new, monospace"><span>Sam Lander<br></span></font></div><div><font size="1"><font face="courier new, monospace">0414 626 080</font><br></font></div><div><font size="1"><br></font></div></div></div></div>
</blockquote></div><br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div dir="ltr"><div></div><div><font face="monospace" size="1">Sam Lander</font></div><div><font face="monospace" size="1">Community Connections Australia</font></div><div><span style="font-family:monospace;font-size:x-small">( 1300 36 46 88 M: 0414 626 080</span><br></div><div><font face="monospace" size="1"><div>+ PO Box 253 Parramatta 2124</div><div>+ L1 90 Phillip St Parramatta 2150</div><div>: <a href="http://www.ccoz.org.au" target="_blank">www.ccoz.org.au</a></div><div><br></div><div><div>The content of this email is confidential and intended for the recipient</div><div>specified in the message only. It is strictly forbidden to share any</div><div>part of this message with any third party, without a written consent of </div><div>the sender. If you received this message by mistake, please reply to</div><div>this message and follow with its deletion, so that we can ensure such a</div><div>mistake does not occur in the future.</div></div><div><br></div></font></div></div></div></div>