-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Jul 2020 13:43:33 +0200
Source: tomcat9
Binary: libtomcat9-embed-java libtomcat9-java tomcat9 tomcat9-admin tomcat9-common tomcat9-docs tomcat9-examples tomcat9-user
Architecture: source all
Version: 9.0.31-1~deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libtomcat9-embed-java - Apache Tomcat 9 - Servlet and JSP engine -- embed libraries
 libtomcat9-java - Apache Tomcat 9 - Servlet and JSP engine -- core libraries
 tomcat9    - Apache Tomcat 9 - Servlet and JSP engine
 tomcat9-admin - Apache Tomcat 9 - Servlet and JSP engine -- admin web application
 tomcat9-common - Apache Tomcat 9 - Servlet and JSP engine -- common files
 tomcat9-docs - Apache Tomcat 9 - Servlet and JSP engine -- documentation
 tomcat9-examples - Apache Tomcat 9 - Servlet and JSP engine -- example web applicati
 tomcat9-user - Apache Tomcat 9 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat9 (9.0.31-1~deb10u2) buster-security; urgency=high
 .
   * Team upload.
 .
   [ Emmanuel Bourg ]
   * Fixed CVE-2020-13935: WebSocket Denial of Service.
     The payload length in a WebSocket frame was not correctly validated.
     Invalid payload lengths could trigger an infinite loop. Multiple requests
     with invalid payload lengths could lead to a denial of service.
   * Fixed CVE-2020-13934: HTTP/2 Denial of Service.
     An h2c direct connection did not release the HTTP/1.1 processor after
     the upgrade to HTTP/2. If a sufficient number of such requests were made,
     an OutOfMemoryException could occur leading to a denial of service.
 .
   [ Markus Koschany ]
   * Fix CVE-2020-9484:
     When using Apache Tomcat, if a) an attacker is able to control the
     contents and name of a file on the server; and b) the server is
     configured to use the PersistenceManager with a FileStore; and c) the
     PersistenceManager is configured with
     sessionAttributeValueClassNameFilter="null" (the default unless a
     SecurityManager is used) or a sufficiently lax filter to allow the
     attacker-provided object to be deserialized; and d) the attacker knows
     the relative file path from the storage location used by FileStore to
     the file the attacker has control over; then, using a specifically
     crafted request, the attacker will be able to trigger remote code
     execution via deserialization of the file under their control. Note
     that all of conditions a) to d) must be true for the attack to succeed.
   * Fix CVE-2020-11996:
     A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat
     could trigger high CPU usage for several seconds. If a sufficient number
     of such requests were made on concurrent HTTP/2 connections, the server
     could become unresponsive.
Checksums-Sha1:
 b84e0525a8c3760c4874ff999aa53c2efc42c618 2889 tomcat9_9.0.31-1~deb10u2.dsc
 8ce808d6a49bef5c1dacd07de8e99e15844a27f0 37556 tomcat9_9.0.31-1~deb10u2.debian.tar.xz
 346c2a30e28d7a42cfe44de01defa798c65606dc 4098384 libtomcat9-embed-java_9.0.31-1~deb10u2_all.deb
 5dd6634f6b1b6a2bdbf122e8f3201a31a5d2b9b3 5845240 libtomcat9-java_9.0.31-1~deb10u2_all.deb
 5d0e261ab22512d4c4b12045a3e6c69fb9d76d55 34076 tomcat9-admin_9.0.31-1~deb10u2_all.deb
 c1db452444b361cd442c2d4a4b7d0343426f7321 69308 tomcat9-common_9.0.31-1~deb10u2_all.deb
 2ba22305ecf76b21ece5afb18b98cf8d638f5341 705272 tomcat9-docs_9.0.31-1~deb10u2_all.deb
 b459288f4099fc5c297423fa8563916841f42314 191160 tomcat9-examples_9.0.31-1~deb10u2_all.deb
 f35aaeff36487debd306373c0d0072eaf3016535 42228 tomcat9-user_9.0.31-1~deb10u2_all.deb
 60cff2aaecfc4aa1405102d4e55cddba1694d619 45976 tomcat9_9.0.31-1~deb10u2_all.deb
 24882af651574c8959fc09d10d8e5647d821dcfa 13743 tomcat9_9.0.31-1~deb10u2_amd64.buildinfo
Checksums-Sha256:
 366ee20e916ab6c3d4519f2070dee21e4e18aad1251b072c29d7760ec97b4f95 2889 tomcat9_9.0.31-1~deb10u2.dsc
 4c41d556bfeae640e8089a8b9a6013fb54f957c69a3690aa2070c93dd856098b 37556 tomcat9_9.0.31-1~deb10u2.debian.tar.xz
 7d98635b773c578580069799be206e9025ddb229c32f974f6be7a0ba61eb2b8e 4098384 libtomcat9-embed-java_9.0.31-1~deb10u2_all.deb
 155a5ac2a645b43e224c0e138f664364fecaea5a749d89b12e6a4cc6baab8415 5845240 libtomcat9-java_9.0.31-1~deb10u2_all.deb
 9f8dcc99fe85cd8a61bb25145ac0ba085a84bf48ed117c408cd8f2714529720a 34076 tomcat9-admin_9.0.31-1~deb10u2_all.deb
 79b545acc04b040c3ec5eddcb9a5bfa60183f87ba296cdf0d359a119cecf19a4 69308 tomcat9-common_9.0.31-1~deb10u2_all.deb
 d14f480de4ed0f63304b9366e0235c4e7b0f3381224aed6ad7ae1f80bf151859 705272 tomcat9-docs_9.0.31-1~deb10u2_all.deb
 723e8a5bea9089d0bb451929d9190da1196912bc23a325bc6ec5c27c89008725 191160 tomcat9-examples_9.0.31-1~deb10u2_all.deb
 0e1c88727711adbb7280fe60fb88408949400ea25050c43c083bf8c86c2a27c6 42228 tomcat9-user_9.0.31-1~deb10u2_all.deb
 231778dcf3d05daf470b887a2d05619861620188e28fb604382c911fa8089275 45976 tomcat9_9.0.31-1~deb10u2_all.deb
 c9da58a30ada0367a35e24b09809f6d626cb8a241eb55315b9da816b1bf8716f 13743 tomcat9_9.0.31-1~deb10u2_amd64.buildinfo
Files:
 f135194010be661a07926d3aacab04e0 2889 java optional tomcat9_9.0.31-1~deb10u2.dsc
 4c00461d9e8855cbcdd64956c21bbec0 37556 java optional tomcat9_9.0.31-1~deb10u2.debian.tar.xz
 5483c771c6e993dbdcee355579e46a74 4098384 java optional libtomcat9-embed-java_9.0.31-1~deb10u2_all.deb
 9db7da5e9dae2c7f6338f273ac077a0c 5845240 java optional libtomcat9-java_9.0.31-1~deb10u2_all.deb
 5db1238011ea189b79e13cab0e5d8645 34076 java optional tomcat9-admin_9.0.31-1~deb10u2_all.deb
 9824c2c178eda915ad3c7658a25af2de 69308 java optional tomcat9-common_9.0.31-1~deb10u2_all.deb
 f5349c662837c266885080f19ff55342 705272 doc optional tomcat9-docs_9.0.31-1~deb10u2_all.deb
 4b319c3700784d729fa0de005a37297f 191160 java optional tomcat9-examples_9.0.31-1~deb10u2_all.deb
 e9f56338fe460414f07ab5d541431bf9 42228 java optional tomcat9-user_9.0.31-1~deb10u2_all.deb
 d32e40f15c1f04f6d55a41dba10f11ed 45976 java optional tomcat9_9.0.31-1~deb10u2_all.deb
 91dbd9d6a2db77eb2fcc28499bdd9ee9 13743 java optional tomcat9_9.0.31-1~deb10u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl8PISJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkOy4P/jRMVhMrdLvx8sirgA8+kL8N3gN89KMb8nkZ
kHbcwmBFfcUIhy6kh7xYD54AVVep9wXDcvSoXmzmLLx08a1LQQF0bXA2vnPsGx9G
BT+Ue3HjCouTlp8slb5r7YbhGCkrsoAtOwfu/8tqwc0p+vDNGDdmf1dfQWfMw37K
OAsag+Bc6KIi62oROTAmyfb95l5NRer9Rozpi/HtfvVQrVEQkI/U8kp2jY8Nht/F
Gso7pTcHHMZgQLSEsuvbutM9k0O02LNbUZS+4q93aNUdfb/vWmCVmQgU1CjPdP0+
2mhYyjSEXBhHSpcH655314+rIJP2hX789lap5Mq6S/pxpd5lY3qgm2ggQlarsAyD
gA8jMaxQeNYrUD282giAkPcdt2/Xr0qswkfaVRKityVdRBntP19HCwwdWKoVbjx9
WbDcwQhJOW7e8BeLUfIEwCpmiOFJpzcgZj1vihzR9pBa9uDbGxkucbM3oOQURj8S
EzYpOKVHGoaNT7U+B4RjNyfJ1hJI2VxnsykJjqik4pIkDgJGotHzpOl6W8uK2w3p
68GH7DswNowoOlsgjO810uB+JlOt9FoT+KPCtgM/CulLEH5EZTNkRwffKMMG7+o6
Fe1+Axb/JseDMkGqgjUYTo/974WTtnQderVMOkwoPVfQOeJJktUjXcfECSg3NVQ/
Ow//Vdnz
=BKpm
-----END PGP SIGNATURE-----
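The CVE-2020-9484 entry above lists four preconditions; two of them, b) a PersistentManager backed by a FileStore and c) a null or catch-all sessionAttributeValueClassNameFilter, are visible in a Tomcat context.xml. The audit below is an added example for checking those two conditions in a context.xml fragment; it is not code from the Debian package, from this changes file or from Tomcat. The four context.xml fragments it scans are constructed for the example, the canary class name used to detect catch-all filters is made up, and the allow-list regex in the hardened fragment is an illustrative choice, not a Tomcat default. Conditions a) and d) depend on the deployment, not on this file, and the actual fix is installing 9.0.31-1~deb10u2; the audit only tells you whether the configuration side of the attack is open.

```python
"""Audit Tomcat context.xml fragments for CVE-2020-9484 preconditions b) and c).

Added example, not part of the Debian changes file or of Tomcat itself.
The XML fragments below are constructed; the hardened allow-list regex is
an illustrative choice for an application whose session attributes are
plain boxed primitives and strings.
"""
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Made-up class name that no sensible allow-list should match; a filter that
# full-matches it (e.g. ".*") is treated as catch-all. Not a real gadget class.
CANARY_CLASS = "com.example.ShouldNotBeAllowed"

# Condition b) holds; c) holds through the default (no filter, i.e. null).
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# A filter is present but matches every class, so c) still holds.
LAX_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter=".*">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Explicit allow-list of the attribute value classes the application needs.
HARDENED_CONTEXT_XML = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Default in-memory manager: no FileStore, so condition b) does not hold.
STANDARD_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""


def audit_context(xml_text):
    """Return one finding code per PersistentManager+FileStore in xml_text.

    "NO_FILTER"  - sessionAttributeValueClassNameFilter absent, empty or "null"
    "LAX_FILTER" - the filter full-matches an arbitrary class name (catch-all)
    An empty list means the configuration side of CVE-2020-9484 is closed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        # The FileStore is configured as a <Store> child of the PersistentManager.
        if not any(s.get("className") == FILE_STORE for s in manager.findall("Store")):
            continue
        flt = manager.get("sessionAttributeValueClassNameFilter")
        if flt is None or flt.strip().lower() in ("", "null"):
            findings.append("NO_FILTER")
            continue
        # Tomcat applies the pattern to the fully qualified class name and
        # requires the whole name to match; re.fullmatch mirrors that.
        if re.fullmatch(flt, CANARY_CLASS):
            findings.append("LAX_FILTER")
    return findings


if __name__ == "__main__":
    samples = [("weak", WEAK_CONTEXT_XML), ("lax", LAX_CONTEXT_XML),
               ("hardened", HARDENED_CONTEXT_XML), ("standard", STANDARD_CONTEXT_XML)]
    for name, xml_text in samples:
        print(f"{name:9s} -> {audit_context(xml_text) or ['OK']}")
```

To run it against a real deployment, read conf/context.xml and each webapp's META-INF/context.xml into audit_context; a PersistentManager declared in server.xml would need the same check applied to that file. The canary test is deliberately crude: it catches ".*"-style filters but not an allow-list that happens to include a deserialization gadget, which is why the hardened fragment enumerates only the concrete classes the application stores.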