-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Aug 2021 15:19:44 +0200
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 991046
Changes:
 tomcat9 (9.0.43-2~deb11u1) bullseye-security; urgency=medium
 .
   * Team upload.
   * Rebuild for bullseye-security.
 .
 tomcat9 (9.0.43-2) unstable; urgency=medium
 .
   * Team upload.
 .
   [ mirabilos ]
   * fix /var/log/tomcat9 permissions fixup for commit
     51128fe9fb2d4d0b56be675d845cf92e4301a6c3
 .
   [ Markus Koschany ]
   * Fix CVE-2021-30640: A vulnerability in the JNDI Realm of Apache Tomcat
     allows an attacker to authenticate using variations of a valid user name
     and/or to bypass some of the protection provided by the LockOut Realm.
   * Fix CVE-2021-33037: Apache Tomcat did not correctly parse the HTTP
     transfer-encoding request header in some circumstances leading to the
     possibility to request smuggling when used with a reverse proxy.
     Specifically:
     - Tomcat incorrectly ignored the transfer encoding header if the client
       declared it would only accept an HTTP/1.0 response;
     - Tomcat honoured the identity encoding; and
     - Tomcat did not ensure that, if present, the chunked encoding was the
       final encoding.
     (Closes: #991046)