-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 5 Apr 2023 17:57:36 CEST
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u6
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 5dcbdb9596463f2b52520b943356f25973924882 2906 tomcat9_9.0.43-2~deb11u6.dsc
 c0d398cfb9173c06567e7718c2e537b64bcd3e99 47364 tomcat9_9.0.43-2~deb11u6.debian.tar.xz
 5c5a8d647c16d77cc8ed78912b572d540513b38c 13782 tomcat9_9.0.43-2~deb11u6_source.buildinfo
Checksums-Sha256:
 343aab34c6e1ca8bb6b7e8bcdbbcc7594a7250288aa59102dd1886666bb9ab31 2906 tomcat9_9.0.43-2~deb11u6.dsc
 2ef190ee41f4e7a5442eb049f4e0255a19f42b17ef0e9a339137c536a054ca98 47364 tomcat9_9.0.43-2~deb11u6.debian.tar.xz
 320d9d96ed02d79273106c15fafaabb3bc662fbc31a6150af1e7075e5b540d87 13782 tomcat9_9.0.43-2~deb11u6_source.buildinfo
Closes: 1033475
Changes:
 tomcat9 (9.0.43-2~deb11u6) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2022-42252: Apache Tomcat was configured to ignore invalid HTTP
     headers via setting rejectIllegalHeader to false. Tomcat did not reject a
     request containing an invalid Content-Length header, making a request
     smuggling attack possible if Tomcat was located behind a reverse proxy
     that also failed to reject the request with the invalid header.
   * Fix CVE-2022-45143: The JsonErrorReportValve in Apache Tomcat did not
     escape the type, message or description values. In some circumstances
     these are constructed from user provided data and it was therefore
     possible for users to supply values that invalidated or manipulated the
     JSON output.
   * Fix CVE-2023-28708: When using the RemoteIpFilter with requests received
     from a reverse proxy via HTTP that include the X-Forwarded-Proto header
     set to https, session cookies created by Apache Tomcat did not include
     the secure attribute. This could result in the user agent transmitting
     the session cookie over an insecure channel. (Closes: #1033475)
Files:
 a0e3763cba0271c6a8a9f8f279668eea 2906 java optional tomcat9_9.0.43-2~deb11u6.dsc
 9218f651bb495a397c219d06b3224c36 47364 java optional tomcat9_9.0.43-2~deb11u6.debian.tar.xz
 139fc4cbef13d2e160db68d3714f19ab 13782 java optional tomcat9_9.0.43-2~deb11u6_source.buildinfo