Format: 1.8
Date: Tue, 10 Oct 2023 18:20:19 +0200
Source: tomcat9
Binary: libtomcat9-embed-java libtomcat9-java tomcat9 tomcat9-admin tomcat9-common tomcat9-docs tomcat9-examples tomcat9-user
Architecture: all
Version: 9.0.43-2~deb11u7
Distribution: bullseye-security
Urgency: high
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Emmanuel Bourg
Description:
 libtomcat9-embed-java - Apache Tomcat 9 - Servlet and JSP engine -- embed libraries
 libtomcat9-java - Apache Tomcat 9 - Servlet and JSP engine -- core libraries
 tomcat9 - Apache Tomcat 9 - Servlet and JSP engine
 tomcat9-admin - Apache Tomcat 9 - Servlet and JSP engine -- admin web application
 tomcat9-common - Apache Tomcat 9 - Servlet and JSP engine -- common files
 tomcat9-docs - Apache Tomcat 9 - Servlet and JSP engine -- documentation
 tomcat9-examples - Apache Tomcat 9 - Servlet and JSP engine -- example web applicati
 tomcat9-user - Apache Tomcat 9 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat9 (9.0.43-2~deb11u7) bullseye-security; urgency=high
 .
   * Fix CVE-2023-45648: Request smuggling. Tomcat did not correctly parse
     HTTP trailer headers. A specially crafted, invalid trailer header could
     cause Tomcat to treat a single request as multiple requests leading to
     the possibility of request smuggling when behind a reverse proxy.
   * Fix CVE-2023-44487: DoS caused by HTTP/2 frame overhead (Rapid Reset
     Attack)
   * Fix CVE-2023-42795: Information Disclosure. When recycling various
     internal objects, including the request and the response, prior to
     re-use by the next request/response, an error could cause Tomcat to
     skip some parts of the recycling process leading to information leaking
     from the current request/response to the next.
   * Fix CVE-2023-41080: Open redirect. If the ROOT (default) web application
     is configured to use FORM authentication then it is possible that a
     specially crafted URL could be used to trigger a redirect to a URL of
     the attacker's choice.
   * Fix CVE-2023-28709: Denial of Service. If non-default HTTP connector
     settings were used such that the maxParameterCount could be reached
     using query string parameters and a request was submitted that supplied
     exactly maxParameterCount parameters in the query string, the limit for
     uploaded request parts could be bypassed with the potential for a denial
     of service to occur.
   * Fix CVE-2023-24998: Denial of service. Tomcat uses a packaged renamed
     copy of Apache Commons FileUpload to provide the file upload
     functionality defined in the Jakarta Servlet specification. Apache
     Tomcat was, therefore, also vulnerable to the Commons FileUpload
     vulnerability CVE-2023-24998 as there was no limit to the number of
     request parts processed. This resulted in the possibility of an attacker
     triggering a DoS with a malicious upload or series of uploads.