Package "tomcat9"

  tomcat9 (9.0.31-1ubuntu0.8) focal-security; urgency=medium

  * SECURITY UPDATE: Open redirect
    - debian/patches/CVE-2023-41080.patch: Avoid protocol relative
      redirects
    - CVE-2023-41080
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-23672.patch: Refactor WebSocket close for
      suspend/resume
    - CVE-2024-23672
  * SECURITY UPDATE: Information leak
    - debian/patches/CVE-2023-42795.patch: Improve handling of failures
      during recycle() methods
    - CVE-2023-42795
  * SECURITY UPDATE: Request smuggling
    - debian/patches/CVE-2023-45648.patch: Align processing of trailer
    headers with standard processing
    - CVE-2023-45648
  * SECURITY UPDATE: Insecure cookie
    - debian/patches/CVE-2023-28708.patch: Add secure attribute to
      cookie when transmitting over insecure channel
    - CVE-2023-28708

 -- Bruce Cable <email address hidden> Tue, 05 Nov 2024 16:31:52 +1100

  tomcat9 (9.0.31-1ubuntu0.7) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP request smuggling via invalid header size
    - debian/patches/CVE-2023-46589.patch: Ensure IOException on request read
      always triggers error handling.
    - CVE-2023-46589

 -- Octavio Galland <email address hidden> Mon, 23 Sep 2024 09:21:07 -0300

  tomcat9 (9.0.31-1ubuntu0.6) focal-security; urgency=medium

  * SECURITY UPDATE: Local privilege escalation via FileStore persistent
    sessions
    - debian/patches/CVE-2022-23181.patch: Make calculation of session storage
      location more robust.
    - CVE-2022-23181
  * SECURITY UPDATE: Denial of service via EncryptInterceptor
    - debian/patches/CVE-2022-29885.patch: EncryptInterceptor only provides
      partial protection on untrusted network.
    - CVE-2022-29885

 -- Octavio Galland <email address hidden> Mon, 29 Jul 2024 14:43:06 -0300

  tomcat9 (9.0.31-1ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: Incorrect handling of requests enables potential smuggling
    attack
    - debian/patches/CVE-2022-42252.patch: Requests with invalid content-
      length should always be rejected
    - CVE-2022-42252

 -- Bruce Cable <email address hidden> Thu, 04 Jul 2024 09:44:24 +1000

  tomcat9 (9.0.31-1ubuntu0.4) focal; urgency=medium

  * d/p/lp1903851-multipart-upload-over-https.patch: apply revert
    from 9.0.32 to fix multi-part upload over HTTPS (LP: #1903851)

 -- Tom Moyer <email address hidden> Fri, 18 Nov 2022 19:07:15 +0000