[ubuntu/questing-proposed] tomcat9 9.0.70-2ubuntu3 (Accepted)

Vyom Yadav vyom.yadav at canonical.com
Mon Jun 9 14:15:22 UTC 2025


tomcat9 (9.0.70-2ubuntu3) questing; urgency=medium

  * SECURITY UPDATE: Information disclosure via missing secure attribute
    - debian/patches/CVE-2023-28708.patch: Fix BZ 66471 - JSessionId
      secure attribute missing with RemoteIpFilter and X-Forwarded-Proto
      set to https
    - CVE-2023-28708
  * SECURITY UPDATE: Information disclosure via incomplete cleanup
    - debian/patches/CVE-2023-42795.patch: Improve handling of failures
      during recycle() methods
    - CVE-2023-42795
  * SECURITY UPDATE: HTTP request smuggling via trailer headers
    - debian/patches/CVE-2023-45648.patch: Align processing of trailer
      headers with standard processing
    - CVE-2023-45648
  * SECURITY UPDATE: Denial of service via WebSocket connections
    - debian/patches/CVE-2024-23672-pre-1.patch: Rename prior to
      extending with additional tests
    - debian/patches/CVE-2024-23672-pre-2.patch: Add test util getter
      for root context with class path scanning disabled
    - debian/patches/CVE-2024-23672.patch: Refactor WebSocket close for
      suspend/resume
    - CVE-2024-23672
  * SECURITY UPDATE: Denial of service via HTTP/2 header parsing
    - debian/patches/CVE-2024-24549.patch: Report HTTP/2 header parsing
      errors earlier
    - debian/patches/CVE-2024-24549-post-1.patch: Make recycled streams
      eligible for GC immediately. Improves scalability.
    - debian/patches/CVE-2024-24549-post-2.patch: Update tests after
      HTTP/2 improvements
    - CVE-2024-24549
  * SECURITY UPDATE: Denial of service via HTTP/2 stream handling
    - debian/patches/CVE-2024-34750-pre-1.patch: Fix 66530 - Regression
      in fix for BZ 66442. Ensure count is decremented
    - debian/patches/CVE-2024-34750-pre-2.patch: Refactor decrement
      using a common method
    - debian/patches/CVE-2024-34750.patch: Make counting of active
      streams more robust
    - CVE-2024-34750
  * SECURITY UPDATE: Denial of service via TLS handshake abuse
    - debian/patches/CVE-2024-38286.patch: Add support for re-keying
      with TLS 1.3
    - CVE-2024-38286

Date: Mon, 09 Jun 2025 16:07:45 +0530
Changed-By: Vyom Yadav <vyom.yadav at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/tomcat9/9.0.70-2ubuntu3
Format: 1.8
Date: Mon, 09 Jun 2025 16:07:45 +0530
Source: tomcat9
Built-For-Profiles: noudeb
Architecture: source
Version: 9.0.70-2ubuntu3
Distribution: questing
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Vyom Yadav <vyom.yadav at canonical.com>
Changes:
 tomcat9 (9.0.70-2ubuntu3) questing; urgency=medium
 .
   * SECURITY UPDATE: Information disclosure via missing secure attribute
     - debian/patches/CVE-2023-28708.patch: Fix BZ 66471 - JSessionId
       secure attribute missing with RemoteIpFilter and X-Forwarded-Proto
       set to https
     - CVE-2023-28708
   * SECURITY UPDATE: Information disclosure via incomplete cleanup
     - debian/patches/CVE-2023-42795.patch: Improve handling of failures
       during recycle() methods
     - CVE-2023-42795
   * SECURITY UPDATE: HTTP request smuggling via trailer headers
     - debian/patches/CVE-2023-45648.patch: Align processing of trailer
       headers with standard processing
     - CVE-2023-45648
   * SECURITY UPDATE: Denial of service via WebSocket connections
     - debian/patches/CVE-2024-23672-pre-1.patch: Rename prior to
       extending with additional tests
     - debian/patches/CVE-2024-23672-pre-2.patch: Add test util getter
       for root context with class path scanning disabled
     - debian/patches/CVE-2024-23672.patch: Refactor WebSocket close for
       suspend/resume
     - CVE-2024-23672
   * SECURITY UPDATE: Denial of service via HTTP/2 header parsing
     - debian/patches/CVE-2024-24549.patch: Report HTTP/2 header parsing
       errors earlier
     - debian/patches/CVE-2024-24549-post-1.patch: Make recycled streams
       eligible for GC immediately. Improves scalability.
     - debian/patches/CVE-2024-24549-post-2.patch: Update tests after
       HTTP/2 improvements
     - CVE-2024-24549
   * SECURITY UPDATE: Denial of service via HTTP/2 stream handling
     - debian/patches/CVE-2024-34750-pre-1.patch: Fix 66530 - Regression
       in fix for BZ 66442. Ensure count is decremented
     - debian/patches/CVE-2024-34750-pre-2.patch: Refactor decrement
       using a common method
     - debian/patches/CVE-2024-34750.patch: Make counting of active
       streams more robust
     - CVE-2024-34750
   * SECURITY UPDATE: Denial of service via TLS handshake abuse
     - debian/patches/CVE-2024-38286.patch: Add support for re-keying
       with TLS 1.3
     - CVE-2024-38286
Checksums-Sha1:
 2d2ccc12c5ad7336b0ab1ddbf7ac1ddfb98dfac6 2424 tomcat9_9.0.70-2ubuntu3.dsc
 b1d24c5ed67b352045371d2232787820d2933204 49128 tomcat9_9.0.70-2ubuntu3.debian.tar.xz
 91f3ed89639141e01966fae421232ed77e9c8fc9 15529 tomcat9_9.0.70-2ubuntu3_source.buildinfo
Checksums-Sha256:
 59f12f401ef975a0c4c365a944ba4c69d863659b6b35ec95d7b98bd045b68f8a 2424 tomcat9_9.0.70-2ubuntu3.dsc
 06b0fced051342b971a25ef59d39f4a71cebe60dd204094f34d367ee45acfcea 49128 tomcat9_9.0.70-2ubuntu3.debian.tar.xz
 c8a6e24a75a8a2b110b263d2ef86b636bd8d7a3056042e796a66c4eed871bf44 15529 tomcat9_9.0.70-2ubuntu3_source.buildinfo
Files:
 4bb48bb01f28926f7864273bd5a62ba8 2424 java optional tomcat9_9.0.70-2ubuntu3.dsc
 3ea8afba5acc1ec38a2e9e871b3429ac 49128 java optional tomcat9_9.0.70-2ubuntu3.debian.tar.xz
 cdcea5981069c427373cec7a05524bed 15529 java optional tomcat9_9.0.70-2ubuntu3_source.buildinfo
Original-Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
