UbuntuUpdates.org

Package "tomcat9-user"

Name: tomcat9-user

Description:

Apache Tomcat 9 - Servlet and JSP engine -- tools to create user instances

Latest version: 9.0.31-1ubuntu0.8
Release: focal (20.04)
Level: updates
Repository: universe
Head package: tomcat9
Homepage: http://tomcat.apache.org

Links


Download "tomcat9-user"


Other versions of "tomcat9-user" in Focal

Repository Area Version
base universe 9.0.31-1
security universe 9.0.31-1ubuntu0.8

Changelog

Version: 9.0.31-1ubuntu0.8 2024-11-18 01:06:50 UTC

  tomcat9 (9.0.31-1ubuntu0.8) focal-security; urgency=medium

  * SECURITY UPDATE: Open redirect
    - debian/patches/CVE-2023-41080.patch: Avoid protocol relative
      redirects
    - CVE-2023-41080
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-23672.patch: Refactor WebSocket close for
      suspend/resume
    - CVE-2024-23672
  * SECURITY UPDATE: Information leak
    - debian/patches/CVE-2023-42795.patch: Improve handling of failures
      during recycle() methods
    - CVE-2023-42795
  * SECURITY UPDATE: Request smuggling
    - debian/patches/CVE-2023-45648.patch: Align processing of trailer
    headers with standard processing
    - CVE-2023-45648
  * SECURITY UPDATE: Insecure cookie
    - debian/patches/CVE-2023-28708.patch: Add secure attribute to
      cookie when transmitting over insecure channel
    - CVE-2023-28708

 -- Bruce Cable <email address hidden> Tue, 05 Nov 2024 16:31:52 +1100

Source diff to previous version
CVE-2023-41080 URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from
CVE-2024-23672 Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open lea
CVE-2023-42795 Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10
CVE-2023-45648 Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 thro
CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, sess

Version: 9.0.31-1ubuntu0.7 2024-09-25 16:06:54 UTC

  tomcat9 (9.0.31-1ubuntu0.7) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP request smuggling via invalid header size
    - debian/patches/CVE-2023-46589.patch: Ensure IOException on request read
      always triggers error handling.
    - CVE-2023-46589

 -- Octavio Galland <email address hidden> Mon, 23 Sep 2024 09:21:07 -0300

Source diff to previous version
CVE-2023-46589 Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 thro

Version: 9.0.31-1ubuntu0.6 2024-08-01 19:07:13 UTC

  tomcat9 (9.0.31-1ubuntu0.6) focal-security; urgency=medium

  * SECURITY UPDATE: Local privilege escalation via FileStore persistent
    sessions
    - debian/patches/CVE-2022-23181.patch: Make calculation of session storage
      location more robust.
    - CVE-2022-23181
  * SECURITY UPDATE: Denial of service via EncryptInterceptor
    - debian/patches/CVE-2022-29885.patch: EncryptInterceptor only provides
      partial protection on untrusted network.
    - CVE-2022-29885

 -- Octavio Galland <email address hidden> Mon, 29 Jul 2024 14:43:06 -0300

Source diff to previous version
CVE-2022-23181 The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14,
CVE-2022-29885 The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor in

Version: 9.0.31-1ubuntu0.5 2024-07-09 04:07:07 UTC

  tomcat9 (9.0.31-1ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: Incorrect handling of requests enables potential smuggling
    attack
    - debian/patches/CVE-2022-42252.patch: Requests with invalid content-
      length should always be rejected
    - CVE-2022-42252

 -- Bruce Cable <email address hidden> Thu, 04 Jul 2024 09:44:24 +1000

Source diff to previous version
CVE-2022-42252 If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via s

Version: 9.0.31-1ubuntu0.4 2022-12-14 00:07:16 UTC

  tomcat9 (9.0.31-1ubuntu0.4) focal; urgency=medium

  * d/p/lp1903851-multipart-upload-over-https.patch: apply revert
    from 9.0.32 to fix multi-part upload over HTTPS (LP: #1903851)

 -- Tom Moyer <email address hidden> Fri, 18 Nov 2022 19:07:15 +0000

1903851 Tomcat9: multipart upload fails over https



About   -   Send Feedback to @ubuntu_updates