-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Jan 2021 23:31:47 +0100
Source: tomcat9
Architecture: source
Version: 9.0.31-1~deb10u3
Distribution: buster-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Changes:
 tomcat9 (9.0.31-1~deb10u3) buster-security; urgency=medium
 .
   * Fixed CVE-2020-13943: HTTP/2 request mix-up. If an HTTP/2 client exceeded
     the agreed maximum number of concurrent streams for a connection (in
     violation of the HTTP/2 protocol), it was possible that a subsequent
     request made on that connection could contain HTTP headers - including
     HTTP/2 pseudo headers - from a previous request rather than the intended
     headers. This could lead to users seeing responses for unexpected
     resources.
   * Fixed CVE-2020-17527: HTTP/2 request header mix-up. It was discovered
     that Apache Tomcat could re-use an HTTP request header value from the
     previous stream received on an HTTP/2 connection for the request
     associated with the subsequent stream. While this would most likely lead
     to an error and the closure of the HTTP/2 connection, it is possible that
     information could leak between requests.
Checksums-Sha1:
 6114a33281ca0e9c8daef2f238aa13184383b66a 2763 tomcat9_9.0.31-1~deb10u3.dsc
 106fff92ae4a0b0f476a73af35995b13629aa2d3 39344 tomcat9_9.0.31-1~deb10u3.debian.tar.xz
 f90a3487965b9a8338c09e91b9509b62eddc1dd9 13688 tomcat9_9.0.31-1~deb10u3_source.buildinfo
Checksums-Sha256:
 df98580df659a893e6fe497d980a7e3f241c375e10eac5d779b8eb6210040279 2763 tomcat9_9.0.31-1~deb10u3.dsc
 16bbaf0a16099840cb3d170a6b979a7435c750c9341d93db66b5b9d0148449fa 39344 tomcat9_9.0.31-1~deb10u3.debian.tar.xz
 c26321445f77c133cfbec102a8590117911afff3bfde4eecca9b66f223247c54 13688 tomcat9_9.0.31-1~deb10u3_source.buildinfo
Files:
 00ee74e5e4b2fb5eea31ec7ccb6f07b8 2763 java optional tomcat9_9.0.31-1~deb10u3.dsc
 4e45476fc03ee09ca0c9470b074f97d3 39344 java optional tomcat9_9.0.31-1~deb10u3.debian.tar.xz
 2aede94c0609d28c4580242c3262373a 13688 java optional tomcat9_9.0.31-1~deb10u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----