-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Oct 2023 18:33:08 +0200
Source: tomcat10
Binary: libtomcat10-embed-java libtomcat10-java tomcat10 tomcat10-admin tomcat10-common tomcat10-docs tomcat10-examples tomcat10-user
Architecture: all
Version: 10.1.6-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Emmanuel Bourg
Description:
 libtomcat10-embed-java - Apache Tomcat 10 - Servlet and JSP engine -- embed libraries
 libtomcat10-java - Apache Tomcat 10 - Servlet and JSP engine -- core libraries
 tomcat10   - Apache Tomcat 10 - Servlet and JSP engine
 tomcat10-admin - Apache Tomcat 10 - Servlet and JSP engine -- admin web applicatio
 tomcat10-common - Apache Tomcat 10 - Servlet and JSP engine -- common files
 tomcat10-docs - Apache Tomcat 10 - Servlet and JSP engine -- documentation
 tomcat10-examples - Apache Tomcat 10 - Servlet and JSP engine -- example web applicat
 tomcat10-user - Apache Tomcat 10 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat10 (10.1.6-1+deb12u1) bookworm-security; urgency=high
 .
   * Fix CVE-2023-45648: Request smuggling. Tomcat did not correctly parse
     HTTP trailer headers. A specially crafted, invalid trailer header could
     cause Tomcat to treat a single request as multiple requests leading to
     the possibility of request smuggling when behind a reverse proxy.
   * Fix CVE-2023-44487: DoS caused by HTTP/2 frame overhead (Rapid Reset Attack)
   * Fix CVE-2023-42795: Information Disclosure. When recycling various
     internal objects, including the request and the response, prior to re-use
     by the next request/response, an error could cause Tomcat to skip some
     parts of the recycling process leading to information leaking from the
     current request/response to the next.
   * Fix CVE-2023-41080: Open redirect. If the ROOT (default) web application
     is configured to use FORM authentication then it is possible that a
     specially crafted URL could be used to trigger a redirect to a URL of
     the attacker's choice.
   * Fix CVE-2023-28709: Denial of Service. If non-default HTTP connector
     settings were used such that the maxParameterCount could be reached using
     query string parameters and a request was submitted that supplied exactly
     maxParameterCount parameters in the query string, the limit for uploaded
     request parts could be bypassed with the potential for a denial of
     service to occur.
Checksums-Sha1:
 48174914859a2e5940e78b60b1cc1f182e9f84f0 4302992 libtomcat10-embed-java_10.1.6-1+deb12u1_all.deb
 0fb9955c6942238ae216cbb4c6bf6bce97af1c26 6166740 libtomcat10-java_10.1.6-1+deb12u1_all.deb
 adab6e7a86559051ff551641e134efb3e4f3360a 71080 tomcat10-admin_10.1.6-1+deb12u1_all.deb
 730ce81f5703c9a5a4dfcefb23bcf9f46969f485 65372 tomcat10-common_10.1.6-1+deb12u1_all.deb
 7f752fedb6c760531bd4baa069079c9fdeef5460 637268 tomcat10-docs_10.1.6-1+deb12u1_all.deb
 86e1d531febd1344494d872044e34153b09ceb63 485060 tomcat10-examples_10.1.6-1+deb12u1_all.deb
 5966643b624eac3a32bb035f9006e43de8538024 37320 tomcat10-user_10.1.6-1+deb12u1_all.deb
 4be93eded48ea626ad6940e3883627fb3b3f8ada 16082 tomcat10_10.1.6-1+deb12u1_all-buildd.buildinfo
 2ee6a8cd5f0c4d0858e3fc5e35682045739cc267 41108 tomcat10_10.1.6-1+deb12u1_all.deb
Checksums-Sha256:
 e96438773f482d05dcfb04904d7716d8d203f501bfd009fb38981988a3d09718 4302992 libtomcat10-embed-java_10.1.6-1+deb12u1_all.deb
 cbddea95d121e80c29b91f66c7d1a4aab7f11490dd9d04bde32e00d8cfe12b49 6166740 libtomcat10-java_10.1.6-1+deb12u1_all.deb
 e955e44ae459f0e93581b1013d0a66c0fddb4aef982df70f198d68b8c9997063 71080 tomcat10-admin_10.1.6-1+deb12u1_all.deb
 8e92e85c814b8897c6639ec39b7e2de9be25f62397f49831bb755c1096739c38 65372 tomcat10-common_10.1.6-1+deb12u1_all.deb
 fdc51548a0eea6f7f93cfd3bb8be43fa4bcd12ddde515ee7dba81dec66291848 637268 tomcat10-docs_10.1.6-1+deb12u1_all.deb
 cff9aa8ff29ee9a49bbfdeeda17c4ce243a258d796fe7d3d0b2cd1450c995200 485060 tomcat10-examples_10.1.6-1+deb12u1_all.deb
 31268be511d0c345c41a7c4678592b982356d638e3912183706435d29849061b 37320 tomcat10-user_10.1.6-1+deb12u1_all.deb
 9a78956356f019188d1b7fabb3a572d5daece43dcfb30d799bdca89d92e32bda 16082 tomcat10_10.1.6-1+deb12u1_all-buildd.buildinfo
 34b3e8df386561469675668330c6d452b8669568d5220ef84e4076ead8fdd45b 41108 tomcat10_10.1.6-1+deb12u1_all.deb
Files:
 ab4088aeb6096471743a588d1aaa4a09 4302992 java optional libtomcat10-embed-java_10.1.6-1+deb12u1_all.deb
 bcfcfb0edc4ae6c390cd3f81820bbfba 6166740 java optional libtomcat10-java_10.1.6-1+deb12u1_all.deb
 10b0e8f44d2e1bd819d7e1ffc1debbd3 71080 java optional tomcat10-admin_10.1.6-1+deb12u1_all.deb
 bf45a609499e0e93a5620d1b03d87b9f 65372 java optional tomcat10-common_10.1.6-1+deb12u1_all.deb
 7c3fea3b9ee5d5cb7e968d39e7ceb0ec 637268 doc optional tomcat10-docs_10.1.6-1+deb12u1_all.deb
 ec6fb93b594beca34f10456909b3143d 485060 java optional tomcat10-examples_10.1.6-1+deb12u1_all.deb
 29a7a5f01eef646f202894ff784b51e7 37320 java optional tomcat10-user_10.1.6-1+deb12u1_all.deb
 0048d4e53a1800cae2d4493f5d7c5e51 16082 java optional tomcat10_10.1.6-1+deb12u1_all-buildd.buildinfo
 8095df80631e48eff6471d24e1835d66 41108 java optional tomcat10_10.1.6-1+deb12u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEzW1K1578DQd6MDTQEbLkkg2OS0oFAmUlt8QACgkQEbLkkg2O
S0rOyg/+O0Bhz7CH6tlmm8i7zi4zAaZM+Cye/7/HlxbIR9nZeRtNKxd8lu+UOp+q
WrACAM4WrSByBWBIquzVynv8tO+XpGmdKSMtK8qjWYg8Paclc3VYB6obTTHLj7sy
B/F03Nlg5PGyjQJuIwJuxNuDRD2OxSm8eq3brD0ToHjx+mKB3oHW/L/fcvPaYaps
6fVaeGhZC0wK3M2hQ8zGazAHAwk+oUAvJhIhm/InGjWC0MKthEyn4hAQllmfI+6M
I0vxaCAJVWZhUYhgpYm4nKKKw7NfqGo6dFdIWs3mFFT2L/vz3Vd6dqAdSDvySYcA
s2L1+08Kq+lpf5QvqdjSHtUwKE5dPPpxe+L8gjLfd9E+2tXpA68t5m/KVC82W17s
eTF7BygHN7J/LsaIeiA3Vqwi6c5NZdC9ytz6Kk7jYagdnY0HmHmjIw1ZWBVeXfeE
Lt+jEhDHp4tbJlTF3ftI3dnWSFYS8LAtMkqbg1NZ/pldbVDLL+W80G/DAGxNCcWO
Ld57xeSxNlH3Vsu0jqmky599huiFHKwbiQtPnRK3NK1huoRsQXHE7xFA3Fr2yvIL
qrqrXg6Pge3bMuN905SgOP5kVmHUutuFZjFRaMvecujdNAxC1CRXtgASwR/KTsg8
n8NPWAFKL3oMRgUIgvNE0bUD3qti3Wg0rG4WvZoD4eNGnNRARVI=
=g2B7
-----END PGP SIGNATURE-----