• Accepted tomcat9 9.0.43-2~deb11u4 (source) into proposed-updates

    From Debian FTP Masters@21:1/5 to All on Sat Nov 5 16:40:02 2022
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Format: 1.8
    Date: Sat, 29 Oct 2022 18:34:02 CEST
    Source: tomcat9
    Architecture: source
    Version: 9.0.43-2~deb11u4
    Distribution: bullseye-security
    Urgency: high
    Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
    Changed-By: Markus Koschany <apo@debian.org>
    Checksums-Sha1:
    7703abc9efa1d08a67cf47740e448d5a08dfc47c 2906 tomcat9_9.0.43-2~deb11u4.dsc
    9f1801599dc7d1bcb46c4774b975ef7a9a00e70b 42928 tomcat9_9.0.43-2~deb11u4.debian.tar.xz
    3da251e7d174929d41b164c92dde2713993d62be 14498 tomcat9_9.0.43-2~deb11u4_amd64.buildinfo
    Checksums-Sha256:
    15bea427541848618dec25a13c95d97d78503bd15f3884c7b6f5f1e59b1eca24 2906 tomcat9_9.0.43-2~deb11u4.dsc
    1b88aaabeccedcea5e2999cca72c4a54b39074aba6233e2bbed0d0b7a3e35641 42928 tomcat9_9.0.43-2~deb11u4.debian.tar.xz
    1dcd8c790ba6ba1b98fe068f40fe3976c9312fba5fd681f57c2034dc0de7f48a 14498 tomcat9_9.0.43-2~deb11u4_amd64.buildinfo
    Changes:
    tomcat9 (9.0.43-2~deb11u4) bullseye-security; urgency=high
    .
    * Team upload.
    * Fix CVE-2021-43980:
    The simplified implementation of blocking reads and writes introduced in
    Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing
    (but extremely hard to trigger) concurrency bug that could cause client
    connections to share an Http11Processor instance resulting in responses, or
    part responses, to be received by the wrong client.
    * Fix CVE-2022-23181:
    The fix for bug CVE-2020-9484 introduced a time of check, time of use
    vulnerability into Apache Tomcat that allowed a local attacker to perform
    actions with the privileges of the user that the Tomcat process is using.
    This issue is only exploitable when Tomcat is configured to persist sessions
    using the FileStore.
    * Fix CVE-2022-29885:
    The documentation of Apache Tomcat for the EncryptInterceptor incorrectly
    stated it enabled Tomcat clustering to run over an untrusted network. This
    was not correct. While the EncryptInterceptor does provide confidentiality
    and integrity protection, it does not protect against all risks associated
    with running over any untrusted network, particularly DoS risks.
    Files:
    9ec5366aca1444ccaedae67d4e02f8ca 2906 java optional tomcat9_9.0.43-2~deb11u4.dsc
    c18a104200c86e53194a610312a7017a 42928 java optional tomcat9_9.0.43-2~deb11u4.debian.tar.xz
    d7de40ba8ade64216326af72aa248c68 14498 java optional tomcat9_9.0.43-2~deb11u4_amd64.buildinfo

