Public bug reported: Please sync tomcat9 9.0.31-1~deb10u6 (universe) from Debian buster (security)
Explanation of FeatureFreeze exception: The Ubuntu package does not have any Ubuntu-specific patches added after FeatureFreeze in focal. However, the Debian package has bugfixes and security updates which do not exist in the Ubuntu package.

Changelog entries since current focal version 9.0.31-1:

tomcat9 (9.0.31-1~deb10u6) buster-security; urgency=high

  * Team upload.
  * CVE-2021-30640: Fix NullPointerException. If no userRoleAttribute is
    specified in the user's Realm configuration its default value will be
    null. This will cause a NPE in the methods doFilterEscaping and
    doAttributeValueEscaping. This is upstream bug
    https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
  * Fix CVE-2021-41079: Apache Tomcat did not properly validate incoming TLS
    packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL
    for TLS, a specially crafted packet could be used to trigger an infinite
    loop resulting in a denial of service.

 -- Markus Koschany <a...@debian.org>  Sat, 25 Sep 2021 22:17:13 +0200

tomcat9 (9.0.31-1~deb10u5) buster-security; urgency=high

  * Team upload.
  * Fix CVE-2021-30640: A vulnerability in the JNDI Realm of Apache Tomcat
    allows an attacker to authenticate using variations of a valid user name
    and/or to bypass some of the protection provided by the LockOut Realm.
  * Fix CVE-2021-33037: Apache Tomcat did not correctly parse the HTTP
    transfer-encoding request header in some circumstances leading to the
    possibility to request smuggling when used with a reverse proxy.
    Specifically:
    - Tomcat incorrectly ignored the transfer encoding header if the client
      declared it would only accept an HTTP/1.0 response;
    - Tomcat honoured the identity encoding; and
    - Tomcat did not ensure that, if present, the chunked encoding was the
      final encoding.
    (Closes: #991046)

 -- Markus Koschany <a...@debian.org>  Sat, 07 Aug 2021 18:25:15 +0200

tomcat9 (9.0.31-1~deb10u4) buster-security; urgency=medium

  * CVE-2021-25122
  * CVE-2021-25329

 -- Moritz Mühlenhoff <j...@debian.org>  Mon, 12 Apr 2021 16:45:06 +0200

tomcat9 (9.0.31-1~deb10u3) buster-security; urgency=medium

  * Fixed CVE-2020-13943: HTTP/2 request mix-up. If an HTTP/2 client exceeded
    the agreed maximum number of concurrent streams for a connection (in
    violation of the HTTP/2 protocol), it was possible that a subsequent
    request made on that connection could contain HTTP headers - including
    HTTP/2 pseudo headers - from a previous request rather than the intended
    headers. This could lead to users seeing responses for unexpected
    resources.
  * Fixed CVE-2020-17527: HTTP/2 request header mix-up. It was discovered
    that Apache Tomcat could re-use an HTTP request header value from the
    previous stream received on an HTTP/2 connection for the request
    associated with the subsequent stream. While this would most likely lead
    to an error and the closure of the HTTP/2 connection, it is possible that
    information could leak between requests.

 -- Emmanuel Bourg <ebo...@apache.org>  Tue, 19 Jan 2021 23:31:47 +0100

** Affects: tomcat9 (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1964987
Title: FFe: Sync tomcat9 9.0.31-1~deb10u6 (universe) from Debian buster (security)
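The three Transfer-Encoding parsing gaps listed for CVE-2021-33037 above, turned into a request-framing check a server or reverse proxy can run before reading a body. This is an added Python example, not Tomcat's or Debian's code; it treats the request-line version as the client's declaration of the response version it accepts, and the Content-Length conflict rule at the end goes beyond what the changelog lists (RFC 7230 section 3.3.3).

```python
from typing import Dict, List, Tuple


def parse_transfer_codings(value: str) -> List[str]:
    """Split a Transfer-Encoding field value into lowercased coding names.

    RFC 7230 allows a comma-separated list, and a coding may carry
    parameters (e.g. 'gzip;q=1'); only the coding name matters here.
    """
    codings = []
    for part in value.split(","):
        name = part.split(";", 1)[0].strip().lower()
        if name:
            codings.append(name)
    return codings


def validate_transfer_encoding(http_version: str,
                               headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for the framing headers of one request.

    Each check closes one of the gaps named in the changelog:
      1. Transfer-Encoding is never silently ignored: an HTTP/1.0 request
         that carries it is rejected instead of being framed by
         Content-Length, so server and proxy cannot disagree on the body.
      2. 'identity' is not a valid transfer coding and is rejected.
      3. If 'chunked' appears it must be the final coding applied.
    Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    te = lowered.get("transfer-encoding")
    if te is None:
        return True, "no transfer coding; framed by Content-Length or EOF"
    if http_version == "HTTP/1.0":
        return False, "Transfer-Encoding is not defined for HTTP/1.0"
    codings = parse_transfer_codings(te)
    if not codings:
        return False, "empty Transfer-Encoding header"
    if "identity" in codings:
        return False, "'identity' is not an acceptable transfer coding"
    if "chunked" not in codings:
        return False, "body length undeterminable without chunked"
    if codings[-1] != "chunked":
        return False, "'chunked' must be the final transfer coding"
    # Beyond the page: both framing mechanisms at once is the classic
    # smuggling ambiguity, so refuse it as well.
    if "content-length" in lowered:
        return False, "Transfer-Encoding and Content-Length both present"
    return True, "chunked framing accepted"
```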