Package "tomcat9-user"
Name: tomcat9-user
Description: Apache Tomcat 9 - Servlet and JSP engine -- tools to create user instances
Latest version: 9.0.31-1ubuntu0.8
Release: focal (20.04)
Level: security
Repository: universe
Head package: tomcat9
Homepage: http://tomcat.apache.org
Changelog
tomcat9 (9.0.31-1ubuntu0.8) focal-security; urgency=medium

  * SECURITY UPDATE: Open redirect
    - debian/patches/CVE-2023-41080.patch: Avoid protocol relative
      redirects
    - CVE-2023-41080
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-23672.patch: Refactor WebSocket close for
      suspend/resume
    - CVE-2024-23672
  * SECURITY UPDATE: Information leak
    - debian/patches/CVE-2023-42795.patch: Improve handling of failures
      during recycle() methods
    - CVE-2023-42795
  * SECURITY UPDATE: Request smuggling
    - debian/patches/CVE-2023-45648.patch: Align processing of trailer
      headers with standard processing
    - CVE-2023-45648
  * SECURITY UPDATE: Insecure cookie
    - debian/patches/CVE-2023-28708.patch: Add secure attribute to
      cookie when transmitting over insecure channel
    - CVE-2023-28708

 -- Bruce Cable <email address hidden>  Tue, 05 Nov 2024 16:31:52 +1100
CVE-2023-41080: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from
CVE-2024-23672: Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open lea
CVE-2023-42795: Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10
CVE-2023-45648: Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 thro
CVE-2023-28708: When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, sess
tomcat9 (9.0.31-1ubuntu0.7) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP request smuggling via invalid header size
    - debian/patches/CVE-2023-46589.patch: Ensure IOException on request read
      always triggers error handling.
    - CVE-2023-46589

 -- Octavio Galland <email address hidden>  Mon, 23 Sep 2024 09:21:07 -0300
CVE-2023-46589: Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 thro
tomcat9 (9.0.31-1ubuntu0.6) focal-security; urgency=medium

  * SECURITY UPDATE: Local privilege escalation via FileStore persistent
    sessions
    - debian/patches/CVE-2022-23181.patch: Make calculation of session storage
      location more robust.
    - CVE-2022-23181
  * SECURITY UPDATE: Denial of service via EncryptInterceptor
    - debian/patches/CVE-2022-29885.patch: EncryptInterceptor only provides
      partial protection on untrusted network.
    - CVE-2022-29885

 -- Octavio Galland <email address hidden>  Mon, 29 Jul 2024 14:43:06 -0300
CVE-2022-23181: The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14,
CVE-2022-29885: The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor in
tomcat9 (9.0.31-1ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: Incorrect handling of requests enables potential smuggling
    attack
    - debian/patches/CVE-2022-42252.patch: Requests with invalid content-
      length should always be rejected
    - CVE-2022-42252

 -- Bruce Cable <email address hidden>  Thu, 04 Jul 2024 09:44:24 +1000
CVE-2022-42252: If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via s
tomcat9 (9.0.31-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: TLS Denial of Service
    - debian/patches/CVE-2021-41079.patch: Apache Tomcat did not properly
      validate incoming TLS packets. When Tomcat was configured to use
      NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be
      used to trigger an infinite loop resulting in a denial of service.
    - CVE-2021-41079
  * SECURITY UPDATE: Authentication Vulnerability
    - debian/patches/CVE-2021-30640.patch: A vulnerability in the JNDI Realm
      of Apache Tomcat allows an attacker to authenticate using variations of
      a valid user name and/or to bypass some of the protection provided by
      the LockOut Realm.
    - CVE-2021-30640
  * SECURITY UPDATE: Request Smuggling
    - debian/patches/CVE-2021-33037.patch: Apache Tomcat did not correctly
      parse the HTTP transfer-encoding request header in some circumstances
      leading to the possibility of request smuggling when used with a reverse
      proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding
      header if the client declared it would only accept an HTTP/1.0 response;
      - Tomcat honoured the identity encoding; and - Tomcat did not ensure
      that, if present, the chunked encoding was the final encoding.
    - CVE-2021-33037
  * SECURITY UPDATE: remote code execution via session persistence
    - debian/patches/CVE-2021-25329.patch: The fix for CVE-2020-9484 was
      incomplete. When using Apache Tomcat with a configuration edge case that
      was highly unlikely to be used, the Tomcat instance was still vulnerable
      to CVE-2020-9494. Note that both the previously published prerequisites
      for CVE-2020-9484 and the previously published mitigations for
      CVE-2020-9484 also apply to this issue.
    - CVE-2021-25329
  * SECURITY UPDATE: Request Header Duplication
    - debian/patches/CVE-2021-25122.patch: When responding to new h2c
      connection requests, Apache Tomcat could duplicate request headers and a
      limited amount of request body from one request to another meaning user
      A and user B could both see the results of user A's request.
    - CVE-2021-25122
  * SECURITY UPDATE: HTTP/2 request header mix-up
    - debian/patches/CVE-2020-17527.patch: HTTP/2: It was discovered that
      Apache Tomcat could re-use an HTTP request header value from the previous
      stream received on an HTTP/2 connection for the request associated with
      the subsequent stream. While this would most likely lead to an error and
      the closure of the HTTP/2 connection, it is possible that information
      could leak between requests.
    - CVE-2020-17527
  * SECURITY UPDATE: HTTP/2 request mix-up
    - debian/patches/CVE-2020-13943.patch: If an HTTP/2 client exceeded the
      agreed maximum number of concurrent streams for a connection (in
      violation of the HTTP/2 protocol), it was possible that a subsequent
      request made on that connection could contain HTTP headers - including
      HTTP/2 pseudo headers - from a previous request rather than the intended
      headers. This could lead to users seeing responses for unexpected
      resources.
    - CVE-2020-13943

 -- Evren Yurtesen <email address hidden>  Wed, 16 Mar 2022 20:51:24 +0200
CVE-2021-41079: Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured
CVE-2021-30640: A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of
CVE-2021-33037: Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some c
CVE-2021-25329: The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with
CVE-2020-9484: When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to contr
CVE-2020-9494: Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the
CVE-2021-25122: When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate re
CVE-2020-17527: While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTT
CVE-2020-13943: If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of c