[SECURITY] [DSA 5522-2] tomcat9 regression update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 5522-2] tomcat9 regression update
From: Markus Koschany <apo@debian.org>
Date: Thu, 12 Oct 2023 20:30:56 +0000
Message-id: <ZShXgHoJH/YLNSux@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5522-2                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
October 12, 2023                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2023-44487
Debian Bug     : 1053820

The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and
caused a regression when using asynchronous I/O (the default for NIO and NIO2).
DATA frames must be included when calculating the HTTP/2 overhead count to
ensure that connections are not prematurely terminated.

For the oldstable distribution (bullseye), this problem has been fixed
in version 9.0.43-2~deb11u8.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUoVnpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTdbw/+O6hd6miJKAJtK7QqgsstFL9TdqVLv8cLsOli5tobVkH+G00iXk6umG7E
dzE7xekBXhR3rT/3rFw9AdJAl4wdiy7JySZGVfWWP+vLpBfnXX4tmIy8hCaoFc2d
/IarTTfW9TZ+R166cB16m9UGPNP9beYqvx+kuuQlF4CRV/WWLGcpnZ/hiWb656BW
BBsCh5Ig0BkBOundI44ofcWR2S/+4VQw0tNMEChqOJBkgNSVSD/IO/ia0n4Zy2so
NvWVi7FMAE8xNz1afsjwY9opJXCAHZSKJjzVU9qRPNmwsdJMExP26E73cmSObSZo
cUV95wFA6SFKoo5fWn5WSeC4BVGlXr0jrgE0kQy7NzPBM2KLmsB0l917ejdquHIy
CFoNSmdX+mFJgmvBgtnvR1tFa2VgLZFMROYFSCf39XzBF0XmfiqVc5ejEy6yZRtg
T9a8tA6yux8kzwC7aw+ZFfBfhmRcDt9m3hDlJO39ex7NP8Df9Wk++Jh2bIjj96LQ
FH12q5zr4Dnyk2pG29MJbAgyCtYJrYubJR3XY97UhSva6uBOa92GYLjXjJVfcBQA
UZ7vL2vIlwXF+7b/Xihb9mRAepPCKkHwROUGiFvVXnXNiNYUg84BZ1GhBTFo4M/G
hoyYeUc8HrreGPsGY5dLoTwOqH6hUVnYbcLjwNV885FnH6Ccz78=
=tl0s
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 5527-1] webkit2gtk security update
Next by Date: [SECURITY] [DSA 5528-1] node-babel7 security update
Previous by thread: [SECURITY] [DSA 5527-1] webkit2gtk security update
Next by thread: [SECURITY] [DSA 5528-1] node-babel7 security update
Index(es):
- Date
- Thread