[SECURITY] [DSA 5665-1] tomcat10 security update

    From Markus Koschany@21:1/5 to All on Thu Apr 18 00:10:02 2024

    -------------------------------------------------------------------------
    Debian Security Advisory DSA-5665-1                   security@debian.org
    https://www.debian.org/security/                          Markus Koschany
    April 17, 2024                        https://www.debian.org/security/faq
    -------------------------------------------------------------------------

    Package : tomcat10
    CVE ID : CVE-2023-46589 CVE-2024-23672 CVE-2024-24549
    Debian Bug : 1057082 1066877 1066878

    Several security vulnerabilities have been discovered in the Tomcat
    servlet and JSP engine.

    CVE-2023-46589

    Tomcat 10 did not correctly parse HTTP trailer headers. A trailer header
    that exceeded the header size limit could cause Tomcat to treat a single
    request as multiple requests, leading to the possibility of request
    smuggling when Tomcat is deployed behind a reverse proxy.

    CVE-2024-24549

    Denial of service due to an improper input validation vulnerability in
    HTTP/2 processing. When processing an HTTP/2 request, if the request
    exceeded any of the configured limits for headers, the associated HTTP/2
    stream was not reset until after all of the headers had been processed.

    CVE-2024-23672

    Denial of service via an incomplete cleanup vulnerability. It was possible
    for WebSocket clients to keep WebSocket connections open, leading to
    increased resource consumption on the server.


    For the stable distribution (bookworm), these problems have been fixed in version 10.1.6-1+deb12u2.

    We recommend that you upgrade your tomcat10 packages.

    For the detailed security status of tomcat10 please refer to
    its security tracker page at: https://security-tracker.debian.org/tracker/tomcat10

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org
