
Accepted tomcat9 9.0.43-2~deb11u11 (source) into oldstable-security



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 16 Jan 2025 21:05:24 CET
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u11
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 aef798829e3085c7b9f168ded1efbb2a6f4996be 2910 tomcat9_9.0.43-2~deb11u11.dsc
 afbab759d9b278c27ebbf62e29337320681d40b3 69136 tomcat9_9.0.43-2~deb11u11.debian.tar.xz
 b18cdca7408e0ee1adafb20a0ff90ed11380d715 14731 tomcat9_9.0.43-2~deb11u11_amd64.buildinfo
Checksums-Sha256:
 7fb50e9dd6e8927bd984e302faa0e77be28a22790580a7c1ae8670e10905ece2 2910 tomcat9_9.0.43-2~deb11u11.dsc
 8a5ef0fec2dcaee3454f9a0c36c191439540dd532e8de8285db867debedeaa95 69136 tomcat9_9.0.43-2~deb11u11.debian.tar.xz
 a7dc647aa76285c6b169b411e7a61e35b2255511a9b6c0504e4b5063ddff11e8 14731 tomcat9_9.0.43-2~deb11u11_amd64.buildinfo
Changes:
 tomcat9 (9.0.43-2~deb11u11) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2024-52316:
     Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is
     configured to use a custom Jakarta Authentication (formerly JASPIC)
     ServerAuthContext component which may throw an exception during the
     authentication process without explicitly setting an HTTP status to
     indicate failure, the authentication may not fail, allowing the user to
     bypass the authentication process. There are no known Jakarta
     Authentication components that behave in this way.
   * Fix CVE-2024-21733:
     Generation of Error Message Containing Sensitive Information vulnerability
     in Apache Tomcat.
   * Fix CVE-2024-38286:
     Apache Tomcat, under certain configurations, allows an attacker to cause an
     OutOfMemoryError by abusing the TLS handshake process.
   * Fix CVE-2024-50379:
     Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP
     compilation in Apache Tomcat permits an RCE on case insensitive file
     systems when the default servlet is enabled for write (non-default
     configuration).
Files:
 d1cee236fd6b671c8d7027c65b298618 2910 java optional tomcat9_9.0.43-2~deb11u11.dsc
 fe20e729b823407540ffc12b3b7f8d5c 69136 java optional tomcat9_9.0.43-2~deb11u11.debian.tar.xz
 08ee06b70311bf5174f0812441257a61 14731 java optional tomcat9_9.0.43-2~deb11u11_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
