Package "tomcat9"
Name: tomcat9
Description: This package is just an umbrella for a group of other packages; it has no description of its own. Description samples from packages in the group:
- Apache Tomcat 9 - Servlet and JSP engine -- core libraries
Latest version: 9.0.70-2ubuntu1.24.10.2
Release: oracular (24.10)
Level: security
Repository: universe
Changelog
tomcat9 (9.0.70-2ubuntu1.24.10.2) oracular-security; urgency=medium

  * SECURITY UPDATE: Information disclosure via missing secure attribute
    - debian/patches/CVE-2023-28708.patch: Fix BZ 66471 - JSessionId
      secure attribute missing with RemoteIpFilter and X-Forwarded-Proto
      set to https
    - CVE-2023-28708
  * SECURITY UPDATE: Information disclosure via incomplete cleanup
    - debian/patches/CVE-2023-42795.patch: Improve handling of failures
      during recycle() methods
    - CVE-2023-42795
  * SECURITY UPDATE: HTTP request smuggling via trailer headers
    - debian/patches/CVE-2023-45648.patch: Align processing of trailer
      headers with standard processing
    - CVE-2023-45648
  * SECURITY UPDATE: Denial of service via WebSocket connections
    - debian/patches/CVE-2024-23672-pre-1.patch: Rename prior to
      extending with additional tests
    - debian/patches/CVE-2024-23672-pre-2.patch: Add test util getter
      for root context with class path scanning disabled
    - debian/patches/CVE-2024-23672.patch: Refactor WebSocket close for
      suspend/resume
    - CVE-2024-23672
  * SECURITY UPDATE: Denial of service via HTTP/2 header parsing
    - debian/patches/CVE-2024-24549.patch: Report HTTP/2 header parsing
      errors earlier
    - debian/patches/CVE-2024-24549-post-1.patch: Make recycled streams
      eligible for GC immediately. Improves scalability.
    - debian/patches/CVE-2024-24549-post-2.patch: Update tests after
      HTTP/2 improvements
    - CVE-2024-24549
  * SECURITY UPDATE: Denial of service via HTTP/2 stream handling
    - debian/patches/CVE-2024-34750-pre-1.patch: Fix 66530 - Regression
      in fix for BZ 66442. Ensure count is decremented
    - debian/patches/CVE-2024-34750-pre-2.patch: Refactor decrement
      using a common method
    - debian/patches/CVE-2024-34750.patch: Make counting of active
      streams more robust
    - CVE-2024-34750
  * SECURITY UPDATE: Denial of service via TLS handshake abuse
    - debian/patches/CVE-2024-38286.patch: Add support for re-keying
      with TLS 1.3
    - CVE-2024-38286

 -- Vyom Yadav <email address hidden>  Mon, 09 Jun 2025 16:02:34 +0530
CVE-2023-28708: When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, sess
CVE-2023-42795: Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10
CVE-2023-45648: Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 thro
CVE-2024-23672: Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open lea
CVE-2024-24549: Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the requ
CVE-2024-34750: Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomc
CVE-2024-38286: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0

tomcat9 (9.0.70-2ubuntu1.24.10.1) oracular-security; urgency=medium

  * SECURITY UPDATE: Path equivalence vulnerability in DefaultServlet
    - debian/patches/CVE-2025-24813.patch: Enhance lifecycle of
      temporary files used by partial PUT and use File.createTempFile()
      instead of custom naming based on resource path conversion in
      java/org/apache/catalina/servlets/DefaultServlet.java
    - CVE-2025-24813

 -- Vyom Yadav <email address hidden>  Mon, 26 May 2025 10:20:52 +0530

CVE-2025-24813: Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploade