[Git][java-team/tomcat9][buster] 2 commits: Add NEWS
Bastien Roucariès (@rouca)
gitlab at salsa.debian.org
Sat Oct 25 21:11:53 BST 2025
Bastien Roucariès pushed to branch buster at Debian Java Maintainers / tomcat9
Commits:
40f6520a by Bastien Roucariès at 2025-10-25T22:08:47+02:00
Add NEWS
- - - - -
0c151baa by Bastien Roucariès at 2025-10-25T22:11:21+02:00
Add changelog
- - - - -
2 changed files:
- + debian/NEWS
- debian/changelog
Changes:
=====================================
debian/NEWS
=====================================
@@ -0,0 +1,15 @@
+tomcat9 (9.0.107-0+deb10u1) buster-security; urgency=medium
+
+ To remediate vulnerabilities in the Tomcat 9 server stack,
+ an upgrade was performed instead of applying minimal patching.
+ .
+ The following notworthy changes where identified:
+ - Tomcat 9.0.33, Hardened AJP connector: secretRequired
+ defaults to true. A workarround is to requires explicit config:
+ secretRequired="false" or set a secret
+ - Tomcat 9.0.65, Deprecated RemoteAddrFilter and RemoteHostFilter.
+ You may migrate to RemoteCIDRFilter and RemoteCIDRValve
+ - Tomcat 9.0.69, fix Session ID propagation for SSO Valve.
+ This may break SSO.
+
+ -- Bastien Roucariès <rouca at debian.org> Sat, 25 Oct 2025 22:08:32 +0200
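Review bot: In the AJP item of this NEWS entry, the workaround is worded so that secretRequired="false" comes first and "set a secret" second. Since the entry itself describes secretRequired defaulting to true as hardening, I would lead with configuring a secret on the connector and mention secretRequired="false" only as a fallback. The same block has spelling slips to fix before upload: "notworthy" should be "noteworthy", "where identified" should be "were identified", and "workarround is to requires" should be "workaround is to require". The SSO item ends with "This may break SSO." without saying what an administrator should check after upgrading; one short hint would make it actionable.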
=====================================
debian/changelog
=====================================
@@ -1,6 +1,14 @@
tomcat9 (9.0.107-0+deb10u1) buster-security; urgency=medium
- *
+ * Non Maintainer Upload by ELTS team
+ * New upstream version
+ * Fix CVE-2024-34750, CVE-2024-54677, CVE-2025-31650, CVE-2025-31651,
+ CVE-2025-46701, CVE-2025-48976, CVE-2025-48988, CVE-2025-49125,
+ CVE-2025-52434, CVE-2025-52520, CVE-2025-53506, CVE-2025-55668
+ Several security vulnerabilities have been found in Tomcat 9, a Java
+ web server and servlet engine. Most notably the update improves the
+ handling of HTTP/2 connections and corrects various flaws which can lead to
+ uncontrolled resource consumption and a denial of service.
-- Markus Koschany <apo at debian.org> Thu, 10 Jul 2025 10:15:42 +0200
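Review bot: The trailer line of this changelog entry is left as unchanged context, so the entry still ends with "-- Markus Koschany <apo at debian.org> Thu, 10 Jul 2025 10:15:42 +0200" even though the new first item declares a Non Maintainer Upload by the ELTS team and the matching debian/NEWS entry is signed by Bastien Roucariès on 25 Oct 2025. Update the trailer to the actual uploader and date so the two files agree. Since this is a new upstream version with behaviour changes, a changelog item pointing readers to debian/NEWS would also help.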
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/7856ca5d620ab513c949b2d87b6fbb10bfc0ac41...0c151baa805220cd15a0f89c82f4bcbd2df93d2f