-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Apr 2024 22:05:02 +0200
Source: tomcat10
Architecture: source
Version: 10.1.6-1+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Changes:
 tomcat10 (10.1.6-1+deb12u2) bookworm-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2023-46589: Improper Input Validation vulnerability in Apache
     Tomcat. Tomcat 10 did not correctly parse HTTP trailer headers. A trailer
     header that exceeded the header size limit could cause Tomcat to treat a
     single request as multiple requests leading to the possibility of request
     smuggling when behind a reverse proxy.
   * Fix CVE-2024-24549: Denial of Service due to improper input validation
     vulnerability for HTTP/2. When processing an HTTP/2 request, if the
     request exceeded any of the configured limits for headers, the associated
     HTTP/2 stream was not reset until after all of the headers had been
     processed.
   * Fix CVE-2024-23672: Denial of Service via incomplete cleanup
     vulnerability. It was possible for WebSocket clients to keep WebSocket
     connections open leading to increased resource consumption.
Checksums-Sha1:
 91ff9b857c9a5faf9e89b9f5752cb7adf56277d0 2993 tomcat10_10.1.6-1+deb12u2.dsc
 30161550450c45b18e4326a0c62e519bcd6c8f7f 48516 tomcat10_10.1.6-1+deb12u2.debian.tar.xz
 edb76d38012b4bedbacffe214b270d7c775d0534 14427 tomcat10_10.1.6-1+deb12u2_source.buildinfo
Checksums-Sha256:
 b80bdd4a98f5dd8dab2d49efac588f58bcc4dd1202d1b925787a088111a71681 2993 tomcat10_10.1.6-1+deb12u2.dsc
 ebe3ad5ef8b27caec12922059b9152a615556cca96ec2f0e878bb991b2ee6f97 48516 tomcat10_10.1.6-1+deb12u2.debian.tar.xz
 8c4eb2f4f2331f5ba56b5550cd021b663c55779d6f9e510205eb7779a67f50ce 14427 tomcat10_10.1.6-1+deb12u2_source.buildinfo
Files:
 62cbf99bed5fa4a4a0a1e541d0240a26 2993 java optional tomcat10_10.1.6-1+deb12u2.dsc
 bba08952be74219e8f933403c931000b 48516 java optional tomcat10_10.1.6-1+deb12u2.debian.tar.xz
 05cc9aca9b1e801ce2c3be036c744e47 14427 java optional tomcat10_10.1.6-1+deb12u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmYe2xxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkKMQQAJL5gWfYQwCLKYSs5w5Qk12dDJ25z8JSszvw
89a0DFUo75aq6YVnipgnvb53erwdOCr3YLDx2ER5kN1dlu2QASy45jVgXyRl/pdp
3y+EcnWeF8np1JtshKUU0Xdn57/1OscMQ/kpUX1SVjvdPbT8baN99xIYojHSoQxU
cVQ94a9KScc5T6f504QCzuh6szqzdnsjzoFGVuiolzN29YEdgXYJbXDEn6U+6KRK
oaHr7xVE00oMeaOTcOV+vOFLxSzNJLbADNGPP8X1WaFuFlk5K+pd+Sh5HjL5A+au
iMuQhvtmPZ+RrRm+q7GzwrBP7VvS08vS5M5vXZ1FAz9B/urCxxjZMwWL5Y21wU9m
ICQ81Iyn+EF6Dhuc/9VVW4sNbMY3AVz+q53sC+chhEHbQTSlXSuYbm9CZHDTq2tn
ZIvy4ZNGMP/xdTNHsCuVFrhqiYXsyPJGIsxdthTud0hro6HHgI1fgtc3I6R11azg
t4GmeSfW4S6szwrTdICRG1dmiLNZdbxd+JIER8uczGbaiVwHNIitW/kCiDCZZS3/
LX3Ii5ZtrnYVW5coAt++cBtowcjGNPaPcYgHmJu8h156tcZKinws7BgRQ9GMyxj0
lq48g27vBlo3GUw3gtLusgFlc5sNEp/tGXyJAEqBOrQ1gYjByJBlrkSAyjt1sqaV
Xi7/uBpL
=44nP
-----END PGP SIGNATURE-----
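The Checksums-Sha256 field above is what binds the three source files to this signed text, so a practitioner who downloads the .dsc, .debian.tar.xz and .buildinfo should check them against it before building or auditing the update. The script below is an added example, not Debian tooling and not part of the .changes file: it parses the deb822-style fields (continuation lines start with a single space), extracts the Checksums-Sha256 entries, and verifies size and SHA-256 of each listed file in a directory, distinguishing a missing file, a size mismatch and a digest mismatch. The file names, contents and the demo directory are constructed for the example; the parser is also exercised on the real entry for tomcat10_10.1.6-1+deb12u2.dsc from this page.

```python
import hashlib
import os
import re
import tempfile


def parse_changes(text):
    """Parse the fields of a (possibly clearsigned) .changes file.

    Returns {field: [first line, continuation lines...]}. The PGP armor
    header and signature block are skipped; the signature itself is NOT
    checked here (use `gpg --verify` or `dscverify` for that first).
    """
    fields = {}
    current = None
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----") or line.startswith("Hash:"):
            continue
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            fields[current].append(line[1:])
            continue
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue  # ignore anything that is not a field line
        current = m.group(1)
        fields[current] = [m.group(2)] if m.group(2) else []
    return fields


def expected_checksums(fields):
    """Return {filename: (sha256 hex digest, size in bytes)} from Checksums-Sha256."""
    out = {}
    for entry in fields.get("Checksums-Sha256", []):
        parts = entry.split()
        if len(parts) != 3:
            continue  # malformed entry; ignore rather than guess
        digest, size, name = parts
        out[name] = (digest.lower(), int(size))
    return out


def verify_files(changes_text, directory):
    """Verify every file listed in Checksums-Sha256 against `directory`.

    Returns {filename: "ok" | "missing" | "size-mismatch" | "sha256-mismatch" | "bad-name"}.
    """
    results = {}
    for name, (digest, size) in expected_checksums(parse_changes(changes_text)).items():
        if os.path.basename(name) != name:
            results[name] = "bad-name"  # refuse path components in a file name
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "sha256-mismatch"
    return results


def demo():
    """Constructed sample: two fake source files, a .changes listing them plus one
    absent file, then the same check after one file is tampered with in place."""
    files = {
        "demo_1.0-1.dsc": b"Format: 3.0 (quilt)\n",
        "demo_1.0-1.debian.tar.xz": b"not really xz\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        lines = ["Format: 1.8", "Source: demo", "Checksums-Sha256:"]
        for name, data in files.items():
            lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
        # Listed in the .changes but never downloaded.
        lines.append(" " + "0" * 64 + " 5 demo_1.0-1_source.buildinfo")
        changes_text = "\n".join(lines) + "\n"
        before = verify_files(changes_text, d)
        # Same length, different bytes: size check passes, digest check must fail.
        with open(os.path.join(d, "demo_1.0-1.dsc"), "wb") as f:
            f.write(b"Format: 3.0 (QUILT)\n")
        after = verify_files(changes_text, d)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

The checksum check only proves the files match the text you parsed; it proves nothing unless that text was first verified as signed by a key you trust (for a Debian upload, `gpg --verify` on the .changes file, or `dscverify` from devscripts, which checks the signature against the Debian keyrings and then the checksums in one step). A size check before hashing is cheap and rejects a truncated download without reading it.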