
[SECURITY] [DLA 3707-1] tomcat9 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3707-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
January 05, 2024                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : tomcat9
Version        : 9.0.31-1~deb10u11
CVE ID         : CVE-2023-46589
Debian Bug     : 1057082

Apache Tomcat 9, a Servlet and JSP engine, was vulnerable.

An Improper Input Validation vulnerability was present: Tomcat did not
correctly parse HTTP trailer headers. A trailer header that exceeded the
header size limit could cause Tomcat to treat a single request as
multiple requests, leading to the possibility of request smuggling when
behind a reverse proxy.

For Debian 10 buster, this problem has been fixed in version
9.0.31-1~deb10u11.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

