-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 5 Apr 2023 18:23:55 CEST
Source: tomcat9
Architecture: source
Version: 9.0.31-1~deb10u8
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 4e0745cd0deb07a83c50c16d4fc3d085b8615b69 2889 tomcat9_9.0.31-1~deb10u8.dsc
 7e34400a97c93048dc39165b49bfe830eb9bc53c 52148 tomcat9_9.0.31-1~deb10u8.debian.tar.xz
 0be296fa0a9dfb92aa9127f14e62c09692c4bed9 13782 tomcat9_9.0.31-1~deb10u8_source.buildinfo
Checksums-Sha256:
 6fa6a8687541cf88fd7802a8416ba9155f1d78432207935fea3e254b5e763c4c 2889 tomcat9_9.0.31-1~deb10u8.dsc
 939a6d2677ad05da3398bafef3ea5f7af22a4c8917854d70f7a56cf6edc30439 52148 tomcat9_9.0.31-1~deb10u8.debian.tar.xz
 7f7b7d4c27cb9becbf7b1a7ec32c31a38ad3c1344680eba57bf5ba4d4680dcac 13782 tomcat9_9.0.31-1~deb10u8_source.buildinfo
Changes:
 tomcat9 (9.0.31-1~deb10u8) buster-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2022-42252: Apache Tomcat was configured to ignore invalid HTTP
     headers via setting rejectIllegalHeader to false. Tomcat did not reject a
     request containing an invalid Content-Length header making a request
     smuggling attack possible if Tomcat was located behind a reverse proxy
     that also failed to reject the request with the invalid header.
   * Fix CVE-2023-28708: When using the RemoteIpFilter with requests received
     from a reverse proxy via HTTP that include the X-Forwarded-Proto header
     set to https, session cookies created by Apache Tomcat did not include
     the secure attribute. This could result in the user agent transmitting
     the session cookie over an insecure channel.
Files:
 ef2094506244567e3bd6260940974720 2889 java optional tomcat9_9.0.31-1~deb10u8.dsc
 93c170db7c291d70f6c2bd64cb9392e1 52148 java optional tomcat9_9.0.31-1~deb10u8.debian.tar.xz
 545dabae2db34c5e2f0aaf46f6610091 13782 java optional tomcat9_9.0.31-1~deb10u8_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmQtoMZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkDPcP/2255CIuAkt5zJvy4V6DwKuf7+AAjyUwObhN
LO3pFmw6saOr2QUMTkBx9sFvy3k/oxmJ+rHAR0xsLRfKUiiG/E5E6PLF2IgSCqQZ
1Yegd+4MxtQeDLjXWwhMPJq15FvBIAJsHsVDS3VeT5QCT86bYdwSpOWbLIyi7YS9
JaN7qJSxHTPCNltYlR3j6F8b5KJoYmCGxXxlOB53Z0joJ3sOnDXnw7az+4Qf2Hps
oOYpTUeJZ/LVBIfrKw0WK+EgisA+ACzQvLu7pj4uKOiWNxGK8PzmAAZG037F0hpD
7kFquO+snnpulv0bmZx4PXfGHWJEnpdaqXs9nGPCOMcmBjud7FPUQQPtS6c++1AU
sYxLu6NrTfByL4ikxS61h8q+OEQzXa8B7Txj0R+s0AuWAtcPCsOu5OAewDkd/1Ur
refG6CTDxWFwTbtXNw9UmFipOcEuHVBgR2EBoFfAoVnd8TOgVSlSUH2QCDwMpOyW
2DMHhUFUcXZIanj0sf+vzVgVlZsQF77P6pklvlf7S6rX8w2DhIaqFvffOqUfQ93L
pnr9Cg/imgouztPJWRnYf78B/+47A6oXDAobibwAnSWylcWIiBa/1ccYr24ASWal
YTakQZsgqjwxJp+M/eFyl5IWZE2hjGWpobYRsZFjpErB/qk6awov/dTbqK/XQ455
fVvJ8Zms
=81Xh
-----END PGP SIGNATURE-----
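Added example (not part of the Debian .changes file above and not Tomcat or Debian code): a small checker for the two conditions the changelog entries describe. The first function flags a request whose Content-Length header is not a valid value (the precondition for the CVE-2022-42252 smuggling scenario, which needs both the reverse proxy and Tomcat to let such a request through); the second reports a Tomcat session cookie issued without the Secure attribute to a request that carried X-Forwarded-Proto: https (the CVE-2023-28708 symptom). It goes beyond the changelog text by also flagging conflicting duplicate Content-Length values and a Content-Length sent together with Transfer-Encoding, which are the other classic smuggling preconditions. The request and response samples are constructed for the example, not captured traffic; the default cookie name JSESSIONID is Tomcat's standard session cookie name.

```python
"""Check raw HTTP request/response text for the two conditions described
in the tomcat9 9.0.31-1~deb10u8 changelog: an illegal Content-Length header
(request smuggling precondition) and a session cookie set without Secure
behind a proxy that declared the client connection as HTTPS.
Sample messages are constructed for this example, not real traffic."""
import re

# RFC 9110 section 8.6: Content-Length = 1*DIGIT. Anything else is illegal,
# and two lenient parsers (proxy and Tomcat) may disagree on the body length.
_CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")


def parse_headers(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP message into its start line and (name, value) pairs.
    Names are lower-cased; duplicates are kept because duplicate or
    conflicting headers are exactly what a smuggling check must see."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def content_length_problems(raw_request: str) -> list[str]:
    """Return reasons this request should have been rejected with 400
    instead of being forwarded. An empty list means no framing problem."""
    _, headers = parse_headers(raw_request)
    values = [v for n, v in headers if n == "content-length"]
    problems = []
    for v in values:
        if not _CONTENT_LENGTH_RE.match(v):
            problems.append(f"invalid Content-Length value {v!r}")
    if len(set(values)) > 1:
        problems.append(f"conflicting Content-Length values {values}")
    if values and any(n == "transfer-encoding" for n, _ in headers):
        problems.append("both Transfer-Encoding and Content-Length present")
    return problems


def insecure_session_cookies(raw_request: str, raw_response: str,
                             session_cookie: str = "JSESSIONID") -> list[str]:
    """Return Set-Cookie values for the session cookie that lack the Secure
    attribute although the proxy declared the client connection as HTTPS.
    If no X-Forwarded-Proto: https is present there is nothing to report."""
    _, req_headers = parse_headers(raw_request)
    forwarded_https = any(n == "x-forwarded-proto" and v.lower() == "https"
                          for n, v in req_headers)
    if not forwarded_https:
        return []
    _, resp_headers = parse_headers(raw_response)
    findings = []
    for n, v in resp_headers:
        if n != "set-cookie" or not v.startswith(session_cookie + "="):
            continue
        attrs = [a.strip().lower() for a in v.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(v)
    return findings


# Constructed sample traffic (hypothetical host, not captured from any system).
SMUGGLE_REQUEST = (
    "POST /app HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Length: 13 xyz\r\n"
    "\r\n"
    "hello=smuggle")

CLEAN_REQUEST = (
    "GET /app/ HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "X-Forwarded-Proto: https\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n")

VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ABCDEF0123456789; Path=/app; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n")

FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ABCDEF0123456789; Path=/app; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n")

if __name__ == "__main__":
    print("smuggling request:", content_length_problems(SMUGGLE_REQUEST))
    print("clean request:", content_length_problems(CLEAN_REQUEST))
    print("cookie (vulnerable):", insecure_session_cookies(CLEAN_REQUEST, VULNERABLE_RESPONSE))
    print("cookie (fixed):", insecure_session_cookies(CLEAN_REQUEST, FIXED_RESPONSE))
```

The Content-Length check is deliberately strict: a value such as "42, 42" is reported even though RFC 9110 allows a recipient to accept identical repeated values, because the whole point of the fix is that the proxy and Tomcat must agree on what is legal, and the safest agreement is to forward only a single all-digit value. The cookie check only looks at responses to requests the proxy marked as HTTPS; a cookie without Secure on a plain-HTTP deployment is a separate hardening question and is not what this changelog entry is about.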