• Accepted tomcat9 9.0.43-2~deb11u6 (source) into proposed-updates

    From Debian FTP Masters@21:1/5 to All on Fri Apr 7 12:10:01 2023
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Format: 1.8
    Date: Wed, 5 Apr 2023 17:57:36 CEST
    Source: tomcat9
    Architecture: source
    Version: 9.0.43-2~deb11u6
    Distribution: bullseye-security
    Urgency: high
    Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
    Changed-By: Markus Koschany <apo@debian.org>
    Checksums-Sha1:
    5dcbdb9596463f2b52520b943356f25973924882 2906 tomcat9_9.0.43-2~deb11u6.dsc
    c0d398cfb9173c06567e7718c2e537b64bcd3e99 47364 tomcat9_9.0.43-2~deb11u6.debian.tar.xz
    5c5a8d647c16d77cc8ed78912b572d540513b38c 13782 tomcat9_9.0.43-2~deb11u6_source.buildinfo
    Checksums-Sha256:
    343aab34c6e1ca8bb6b7e8bcdbbcc7594a7250288aa59102dd1886666bb9ab31 2906 tomcat9_9.0.43-2~deb11u6.dsc
    2ef190ee41f4e7a5442eb049f4e0255a19f42b17ef0e9a339137c536a054ca98 47364 tomcat9_9.0.43-2~deb11u6.debian.tar.xz
    320d9d96ed02d79273106c15fafaabb3bc662fbc31a6150af1e7075e5b540d87 13782 tomcat9_9.0.43-2~deb11u6_source.buildinfo
    Closes: 1033475
    Changes:
    tomcat9 (9.0.43-2~deb11u6) bullseye-security; urgency=high
    .
    * Team upload.
    * Fix CVE-2022-42252:
    Apache Tomcat was configured to ignore invalid HTTP headers via setting
    rejectIllegalHeader to false. Tomcat did not reject a request containing an
    invalid Content-Length header making a request smuggling attack possible if
    Tomcat was located behind a reverse proxy that also failed to reject the
    request with the invalid header.
    * Fix CVE-2022-45143:
    The JsonErrorReportValve in Apache Tomcat did not escape the type, message
    or description values. In some circumstances these are constructed from
    user provided data and it was therefore possible for users to supply values
    that invalidated or manipulated the JSON output.
    * Fix CVE-2023-28708:
    When using the RemoteIpFilter with requests received from a reverse proxy
    via HTTP that include the X-Forwarded-Proto header set to https, session
    cookies created by Apache Tomcat did not include the secure attribute. This
    could result in the user agent transmitting the session cookie over an
    insecure channel. (Closes: #1033475)
    Files:
    a0e3763cba0271c6a8a9f8f279668eea 2906 java optional tomcat9_9.0.43-2~deb11u6.dsc
    9218f651bb495a397c219d06b3224c36 47364 java optional tomcat9_9.0.43-2~deb11u6.debian.tar.xz
    139fc4cbef13d2e160db68d3714f19ab 13782 java optional tomcat9_9.0.43-2~deb11u6_source.buildinfo

    -----BEGIN PGP SIGNATURE-----

    -----END PGP SIGNATURE-----
