tomcat9_9.0.43-2~deb11u4_source.changes ACCEPTED into proposed-updates->stable-new
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Sat Oct 29 23:30:52 BST 2022
Mapping stable-security to proposed-updates.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 29 Oct 2022 18:34:02 CEST
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Changed-By: Markus Koschany <apo at debian.org>
Checksums-Sha1:
7703abc9efa1d08a67cf47740e448d5a08dfc47c 2906 tomcat9_9.0.43-2~deb11u4.dsc
9f1801599dc7d1bcb46c4774b975ef7a9a00e70b 42928 tomcat9_9.0.43-2~deb11u4.debian.tar.xz
3da251e7d174929d41b164c92dde2713993d62be 14498 tomcat9_9.0.43-2~deb11u4_amd64.buildinfo
Checksums-Sha256:
15bea427541848618dec25a13c95d97d78503bd15f3884c7b6f5f1e59b1eca24 2906 tomcat9_9.0.43-2~deb11u4.dsc
1b88aaabeccedcea5e2999cca72c4a54b39074aba6233e2bbed0d0b7a3e35641 42928 tomcat9_9.0.43-2~deb11u4.debian.tar.xz
1dcd8c790ba6ba1b98fe068f40fe3976c9312fba5fd681f57c2034dc0de7f48a 14498 tomcat9_9.0.43-2~deb11u4_amd64.buildinfo
Changes:
tomcat9 (9.0.43-2~deb11u4) bullseye-security; urgency=high
.
* Team upload.
* Fix CVE-2021-43980:
The simplified implementation of blocking reads and writes introduced in
Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing
(but extremely hard to trigger) concurrency bug that could cause client
connections to share an Http11Processor instance resulting in responses, or
part responses, to be received by the wrong client.
* Fix CVE-2022-23181:
The fix for bug CVE-2020-9484 introduced a time of check, time of use
vulnerability into Apache Tomcat that allowed a local attacker to perform
actions with the privileges of the user that the Tomcat process is using.
This issue is only exploitable when Tomcat is configured to persist sessions
using the FileStore.
* Fix CVE-2022-29885:
The documentation of Apache Tomcat for the EncryptInterceptor incorrectly
stated it enabled Tomcat clustering to run over an untrusted network. This
was not correct. While the EncryptInterceptor does provide confidentiality
and integrity protection, it does not protect against all risks associated
with running over any untrusted network, particularly DoS risks.
Files:
9ec5366aca1444ccaedae67d4e02f8ca 2906 java optional tomcat9_9.0.43-2~deb11u4.dsc
c18a104200c86e53194a610312a7017a 42928 java optional tomcat9_9.0.43-2~deb11u4.debian.tar.xz
d7de40ba8ade64216326af72aa248c68 14498 java optional tomcat9_9.0.43-2~deb11u4_amd64.buildinfo
Thank you for your contribution to Debian.