Format: 1.8
Date: Wed, 2 Apr 2025 00:16:00 CEST
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u12
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 9ef90ecb6dbe071d3fe9bf571c5c223c925585fe 2910 tomcat9_9.0.43-2~deb11u12.dsc
 23dcf6fd3cb3ba139d4be8ead6bc6bed49addd88 69772 tomcat9_9.0.43-2~deb11u12.debian.tar.xz
 45982fda1a8ec6651249acceeef4f6a6ce193d46 14747 tomcat9_9.0.43-2~deb11u12_amd64.buildinfo
Checksums-Sha256:
 c70caf30ad66511a98dc333f835692bb923c461731fdd0ff56dd13b6285088fb 2910 tomcat9_9.0.43-2~deb11u12.dsc
 a342114ff38a1c05f4280c0736d10393f6175e90b49a928c2850666ea8d29b5d 69772 tomcat9_9.0.43-2~deb11u12.debian.tar.xz
 b4f7797e21df284ca895ae64b18238dae297d5e6f5b204f18184f171783bb90e 14747 tomcat9_9.0.43-2~deb11u12_amd64.buildinfo
Changes:
 tomcat9 (9.0.43-2~deb11u12) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2025-24813:
     It was found that a malicious user was able to view security sensitive
     files and/or inject content into those files when writes were enabled for
     the default servlet (disabled by default) and support for partial PUT was
     enabled (default). Under certain circumstances, depending on the
     application in use, remote code execution may have been possible.
Files:
 5da4892cf6ad7eec178b4abaa26ffcef 2910 java optional tomcat9_9.0.43-2~deb11u12.dsc
 e10faf5910b8e440d37e40685d540f68 69772 java optional tomcat9_9.0.43-2~deb11u12.debian.tar.xz
 36916d4e85e90f09fb1f48d3fdf1a01a 14747 java optional tomcat9_9.0.43-2~deb11u12_amd64.buildinfo