UbuntuUpdates.org

Package "tomcat9"

Name: tomcat9

Description:

Apache Tomcat 9 - Servlet and JSP engine
Latest version: 9.0.31-1ubuntu0.9
Release: focal (20.04)
Level: security
Repository: universe
Homepage: http://tomcat.apache.org

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "tomcat9"

All arch deb package
APT INSTALL

Other versions of "tomcat9" in Focal

Repository Area Version
base universe 9.0.31-1
updates universe 9.0.31-1ubuntu0.9

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 9.0.31-1ubuntu0.9 2025-04-07 12:07:02 UTC

  tomcat9 (9.0.31-1ubuntu0.9) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2023-44487.patch: DoS caused by HTTP/2 frame
      overhead (Rapid Reset Attack)
    - CVE-2023-44487

 -- Giampaolo Fresi Roglia <email address hidden> Wed, 02 Apr 2025 17:04:23 +0200
Source diff to previous version
CVE-2023-44487 The HTTP/2 protocol allows a denial of service (server resource consum ...

Version: 9.0.31-1ubuntu0.8 2024-11-17 23:06:44 UTC

  tomcat9 (9.0.31-1ubuntu0.8) focal-security; urgency=medium

  * SECURITY UPDATE: Open redirect
    - debian/patches/CVE-2023-41080.patch: Avoid protocol relative
      redirects
    - CVE-2023-41080
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-23672.patch: Refactor WebSocket close for
      suspend/resume
    - CVE-2024-23672
  * SECURITY UPDATE: Information leak
    - debian/patches/CVE-2023-42795.patch: Improve handling of failures
      during recycle() methods
    - CVE-2023-42795
  * SECURITY UPDATE: Request smuggling
    - debian/patches/CVE-2023-45648.patch: Align processing of trailer
    headers with standard processing
    - CVE-2023-45648
  * SECURITY UPDATE: Insecure cookie
    - debian/patches/CVE-2023-28708.patch: Add secure attribute to
      cookie when transmitting over insecure channel
    - CVE-2023-28708

 -- Bruce Cable <email address hidden> Tue, 05 Nov 2024 16:31:52 +1100
Source diff to previous version
CVE-2023-41080 URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from
CVE-2024-23672 Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open lea
CVE-2023-42795 Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10
CVE-2023-45648 Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 thro
CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, sess

Version: 9.0.31-1ubuntu0.7 2024-09-25 15:07:01 UTC

  tomcat9 (9.0.31-1ubuntu0.7) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP request smuggling via invalid header size
    - debian/patches/CVE-2023-46589.patch: Ensure IOException on request read
      always triggers error handling.
    - CVE-2023-46589

 -- Octavio Galland <email address hidden> Mon, 23 Sep 2024 09:21:07 -0300
Source diff to previous version
CVE-2023-46589 Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 thro

Version: 9.0.31-1ubuntu0.6 2024-08-03 16:07:08 UTC

  tomcat9 (9.0.31-1ubuntu0.6) focal-security; urgency=medium

  * SECURITY UPDATE: Local privilege escalation via FileStore persistent
    sessions
    - debian/patches/CVE-2022-23181.patch: Make calculation of session storage
      location more robust.
    - CVE-2022-23181
  * SECURITY UPDATE: Denial of service via EncryptInterceptor
    - debian/patches/CVE-2022-29885.patch: EncryptInterceptor only provides
      partial protection on untrusted network.
    - CVE-2022-29885

 -- Octavio Galland <email address hidden> Mon, 29 Jul 2024 14:43:06 -0300
Source diff to previous version
CVE-2022-23181 The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14,
CVE-2022-29885 The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor in

Version: 9.0.31-1ubuntu0.5 2024-07-09 03:07:20 UTC

  tomcat9 (9.0.31-1ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: Incorrect handling of requests enables potential smuggling
    attack
    - debian/patches/CVE-2022-42252.patch: Requests with invalid content-
      length should always be rejected
    - CVE-2022-42252

 -- Bruce Cable <email address hidden> Thu, 04 Jul 2024 09:44:24 +1000
CVE-2022-42252 If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via s


About   -   Send Feedback to @ubuntu_updates