-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 16 Jan 2025 21:05:24 CET
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u11
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 aef798829e3085c7b9f168ded1efbb2a6f4996be 2910 tomcat9_9.0.43-2~deb11u11.dsc
 afbab759d9b278c27ebbf62e29337320681d40b3 69136 tomcat9_9.0.43-2~deb11u11.debian.tar.xz
 b18cdca7408e0ee1adafb20a0ff90ed11380d715 14731 tomcat9_9.0.43-2~deb11u11_amd64.buildinfo
Checksums-Sha256:
 7fb50e9dd6e8927bd984e302faa0e77be28a22790580a7c1ae8670e10905ece2 2910 tomcat9_9.0.43-2~deb11u11.dsc
 8a5ef0fec2dcaee3454f9a0c36c191439540dd532e8de8285db867debedeaa95 69136 tomcat9_9.0.43-2~deb11u11.debian.tar.xz
 a7dc647aa76285c6b169b411e7a61e35b2255511a9b6c0504e4b5063ddff11e8 14731 tomcat9_9.0.43-2~deb11u11_amd64.buildinfo
Changes:
 tomcat9 (9.0.43-2~deb11u11) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2024-52316: Unchecked Error Condition vulnerability in Apache
     Tomcat. If Tomcat is configured to use a custom Jakarta Authentication
     (formerly JASPIC) ServerAuthContext component which may throw an
     exception during the authentication process without explicitly setting
     an HTTP status to indicate failure, the authentication may not fail,
     allowing the user to bypass the authentication process. There are no
     known Jakarta Authentication components that behave in this way.
   * Fix CVE-2024-21733: Generation of Error Message Containing Sensitive
     Information vulnerability in Apache Tomcat.
   * Fix CVE-2024-38286: Apache Tomcat, under certain configurations, allows
     an attacker to cause an OutOfMemoryError by abusing the TLS handshake
     process.
   * Fix CVE-2024-50379: Time-of-check Time-of-use (TOCTOU) Race Condition
     vulnerability during JSP compilation in Apache Tomcat permits an RCE on
     case-insensitive file systems when the default servlet is enabled for
     write (non-default configuration).
Files:
 d1cee236fd6b671c8d7027c65b298618 2910 java optional tomcat9_9.0.43-2~deb11u11.dsc
 fe20e729b823407540ffc12b3b7f8d5c 69136 java optional tomcat9_9.0.43-2~deb11u11.debian.tar.xz
 08ee06b70311bf5174f0812441257a61 14731 java optional tomcat9_9.0.43-2~deb11u11_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmeJZqhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkM+MQAIN9DoeP303nY/Zq/UVWQbUvz+EE/uD09OBE
AZauWEmEvMvPPoFTX/IoLwSaoFriK8Kia4X9JsrEuV/txLkwKK7857ze35ESsp4u
PbT5LvH8r3bGzKDPXm0v/z23/oHrieJFMMc7+Z5cq1eAhmYwdk4GWS8QvQR90D2W
4gY/R67PJ4ADyJ1xaMJNQex/R2zzSTPKwQu2bHWLDrBObsboOij5b0MJWo+WjgOK
mmMIhU4wERTpnJIrT3w4pN3wIlwgztgRcvYqtDxURZcJgCBsQt+BbMy49AW4yRJ4
VDllP51SSiJ2xBPPiNhieV5N3On2tWxyv+RLzw44n8bzElTeSxiN2leFdBLW8DZB
5G/8GRfvZpcSdXzjgjZLq2wnJtBXrKk2HIj7YxAli75+wFp5KMVnTfK6p2O4g9LB
ygI4t6ol4vtUrIIeWDAPcoh232Mvw5PGs6sEm3LI+SkI0twAGRxo43yswoVGObpl
/4DqigkTuFvj9XREwA9Hi8YqcAOUxmmCvqTez7KcjQ2H11tsvD9zsAGqRCvY34PZ
/Z3Cep9X78F6dkAgGq7kyN+CX9nD6L8snfHoWdCUWON4Bu8dFab9cmxug7ew5uRw
cDcbVH8/2PaPqeP8hI4Q7QnSWV+nv81/6qoilKjKfFDHs0SKR455s1iTuJu5QXZN
GVSyAAKU
=S67I
-----END PGP SIGNATURE-----
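The Checksums-Sha1, Checksums-Sha256 and Files fields above are what a consumer of this upload checks the downloaded source artefacts against. The following is an added example, not Debian tooling and not part of the upload: a small parser for those fields plus a verifier that reports size and digest mismatches and rejects malformed digests. The CHANGES_EXCERPT inside it copies the checksum fields from this .changes file; CONSTRUCTED_PAYLOAD is made-up data used only to show a failing and a passing check. It does not verify the OpenPGP signature, which dscverify from devscripts does together with the checksums.

```python
"""Parse and verify the checksum fields of a Debian .changes file.

Added example for this advisory; not Debian tooling. CHANGES_EXCERPT copies
the checksum fields of the tomcat9 9.0.43-2~deb11u11 upload; the payload
below is constructed and does not correspond to any real artefact.
"""
import hashlib
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    digest: str
    size: int
    name: str


# Field name -> hashlib algorithm. "Files" carries MD5 by Debian convention.
FIELD_ALGOS = {"Checksums-Sha256": "sha256", "Checksums-Sha1": "sha1", "Files": "md5"}
DIGEST_LEN = {"sha256": 64, "sha1": 40, "md5": 32}

CHANGES_EXCERPT = """\
Format: 1.8
Source: tomcat9
Version: 9.0.43-2~deb11u11
Checksums-Sha1:
 aef798829e3085c7b9f168ded1efbb2a6f4996be 2910 tomcat9_9.0.43-2~deb11u11.dsc
 afbab759d9b278c27ebbf62e29337320681d40b3 69136 tomcat9_9.0.43-2~deb11u11.debian.tar.xz
 b18cdca7408e0ee1adafb20a0ff90ed11380d715 14731 tomcat9_9.0.43-2~deb11u11_amd64.buildinfo
Checksums-Sha256:
 7fb50e9dd6e8927bd984e302faa0e77be28a22790580a7c1ae8670e10905ece2 2910 tomcat9_9.0.43-2~deb11u11.dsc
 8a5ef0fec2dcaee3454f9a0c36c191439540dd532e8de8285db867debedeaa95 69136 tomcat9_9.0.43-2~deb11u11.debian.tar.xz
 a7dc647aa76285c6b169b411e7a61e35b2255511a9b6c0504e4b5063ddff11e8 14731 tomcat9_9.0.43-2~deb11u11_amd64.buildinfo
Files:
 d1cee236fd6b671c8d7027c65b298618 2910 java optional tomcat9_9.0.43-2~deb11u11.dsc
 fe20e729b823407540ffc12b3b7f8d5c 69136 java optional tomcat9_9.0.43-2~deb11u11.debian.tar.xz
 08ee06b70311bf5174f0812441257a61 14731 java optional tomcat9_9.0.43-2~deb11u11_amd64.buildinfo
"""

# Constructed sample bytes (45 bytes); deliberately not the real .dsc.
CONSTRUCTED_PAYLOAD = b"not the real tomcat9 .dsc, just sample bytes\n"


def parse_checksum_fields(text: str) -> Dict[str, List[Entry]]:
    """Return {field: [Entry, ...]} for each checksum field in a .changes body.

    Continuation lines of a Debian control field start with whitespace; a
    field ends at the next non-indented line. Other fields are ignored.
    """
    fields: Dict[str, List[Entry]] = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            name, _, rest = line.partition(":")
            current = name if name in FIELD_ALGOS and rest.strip() == "" else None
            if current:
                fields[current] = []
            continue
        if current is None or not line.strip():
            continue
        parts = line.split()
        # Checksums-*: "<digest> <size> <file>"
        # Files:       "<md5> <size> <section> <priority> <file>"
        fields[current].append(Entry(parts[0].lower(), int(parts[1]), parts[-1]))
    return fields


def consistent_file_lists(fields: Dict[str, List[Entry]]) -> bool:
    """True when every checksum field names the same files with the same sizes."""
    views = [{(e.name, e.size) for e in entries} for entries in fields.values()]
    return bool(views) and all(v == views[0] for v in views)


def verify(fields: Dict[str, List[Entry]], files: Dict[str, bytes],
           field: str = "Checksums-Sha256") -> Dict[str, str]:
    """Check every artefact listed under `field` against the supplied bytes.

    Returns {filename: "ok" | "missing" | "size-mismatch" | "digest-mismatch"}.
    Prefer Checksums-Sha256; the MD5 (Files) and SHA-1 fields exist for
    compatibility and should not be relied on alone.
    """
    algo = FIELD_ALGOS[field]
    results: Dict[str, str] = {}
    for e in fields.get(field, []):
        if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[algo], e.digest):
            raise ValueError(f"malformed {algo} digest for {e.name}")
        data = files.get(e.name)
        if data is None:
            results[e.name] = "missing"
        elif len(data) != e.size:
            results[e.name] = "size-mismatch"
        elif hashlib.new(algo, data).hexdigest() != e.digest:
            results[e.name] = "digest-mismatch"
        else:
            results[e.name] = "ok"
    return results


def demo():
    """Run one failing check (real digests vs. constructed bytes) and one passing one."""
    fields = parse_checksum_fields(CHANGES_EXCERPT)
    bad = verify(fields, {"tomcat9_9.0.43-2~deb11u11.dsc": CONSTRUCTED_PAYLOAD})
    # A field constructed around the payload verifies cleanly.
    good_text = "Checksums-Sha256:\n %s %d sample.bin\n" % (
        hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest(), len(CONSTRUCTED_PAYLOAD))
    good = verify(parse_checksum_fields(good_text), {"sample.bin": CONSTRUCTED_PAYLOAD})
    return bad, good


if __name__ == "__main__":
    print(consistent_file_lists(parse_checksum_fields(CHANGES_EXCERPT)))
    print(demo())
```

To use it on a real download, read the .changes text from disk, build the `files` dict from the artefacts in the same directory, and treat anything other than "ok" for every listed file as a failed verification; run it only after checking the signature on the .changes file itself, since unsigned checksums prove nothing about the origin.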
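The CVE-2024-50379 entry above only applies when the default servlet has been made writable, a non-default configuration. What follows is an added example, not code from Tomcat or from the Debian package: a check over one or more web.xml documents that reports whether org.apache.catalina.servlets.DefaultServlet is declared with a `readonly` init-param that turns write access on. The web.xml fragments inside it are constructed for the demonstration. The servlet class and the `readonly` parameter name are Tomcat's own; the check mirrors Boolean.parseBoolean, which DefaultServlet uses for that parameter, so any value other than "true" counts as writable.

```python
"""Report web.xml files that make Tomcat's DefaultServlet writable.

Added example for the CVE-2024-50379 advisory entry; not Tomcat or Debian
code. The XML samples are constructed. The check covers the precondition
stated in the advisory (default servlet enabled for write); the other
precondition, a case-insensitive file system, is a property of the host.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace so the Java EE and Jakarta schemas both match."""
    return tag.rsplit("}", 1)[-1]


def _init_params(servlet: ET.Element) -> Dict[str, str]:
    """Collect <init-param> name/value pairs of one <servlet> element."""
    params: Dict[str, str] = {}
    for ip in servlet:
        if _local(ip.tag) != "init-param":
            continue
        name = value = ""
        for child in ip:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value
    return params


def default_servlet_writable(web_xml: str) -> bool:
    """True if this document declares DefaultServlet with read-only disabled."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet
                    if _local(c.tag) == "servlet-class"), "").strip()
        if cls != DEFAULT_SERVLET_CLASS:
            continue
        value = _init_params(servlet).get("readonly")
        # readonly defaults to true when absent. Tomcat parses a present value
        # with Boolean.parseBoolean, so anything but "true" (case-insensitive)
        # switches read-only off and lets PUT/DELETE write into the webapp.
        if value is not None and value.lower() != "true":
            return True
    return False


def find_writable_default_servlets(docs: Dict[str, str]) -> List[str]:
    """Return the paths (dict keys) whose web.xml makes DefaultServlet writable.

    Pass the global conf/web.xml together with every WEB-INF/web.xml, since a
    web application may redeclare the "default" servlet with its own params.
    """
    return [path for path, doc in docs.items() if default_servlet_writable(doc)]


# Constructed samples (not from any real deployment).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>False</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>
"""

APP_WEB_XML_NO_DEFAULT = """<web-app version="4.0">
  <servlet>
    <servlet-name>app</servlet-name>
    <servlet-class>com.example.AppServlet</servlet-class>
  </servlet>
</web-app>
"""


if __name__ == "__main__":
    print(find_writable_default_servlets({
        "conf/web.xml": HARDENED_WEB_XML,
        "ROOT/WEB-INF/web.xml": WEAK_WEB_XML,
        "api/WEB-INF/web.xml": APP_WEB_XML_NO_DEFAULT,
    }))
```

On a Debian tomcat9 host the global file is /etc/tomcat9/web.xml and the per-application files are the WEB-INF/web.xml under each deployed webapp; feed all of them in, because a writable declaration in any one of them is enough to satisfy the advisory's precondition for that application.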