tomcat9 - Debian Package Tracker

general

source: tomcat9 (main)
version: 9.0.95-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: tony mancill [DMD] – Emmanuel Bourg [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 9.0.31-1~deb10u6
o-o-sec: 9.0.31-1~deb10u12
oldstable: 9.0.43-2~deb11u10
old-sec: 9.0.43-2~deb11u10
stable: 9.0.70-2
testing: 9.0.95-1
unstable: 9.0.95-1

versioned links

9.0.31-1~deb10u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.31-1~deb10u12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.43-2~deb11u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.70-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.95-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libtomcat9-java (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 9.0.97 high

A new upstream version 9.0.97 is available, you should consider packaging it.

Created: 2024-10-04 Last update: 2024-11-21 01:30

4 security issues in bullseye high

There are 4 open security issues in bullseye.

1 important issue:

CVE-2024-52316: Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

3 issues postponed or untriaged:

CVE-2024-21733: (postponed; to be fixed through a stable update) Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
CVE-2024-34750: (postponed; to be fixed through a stable update) Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
CVE-2024-38286: (postponed; to be fixed through a stable update) Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Created: 2024-11-19 Last update: 2024-11-20 00:00

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2024-02-25 Last update: 2024-11-21 06:31

lintian reports 12 warnings normal

Lintian reports 12 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-10-01 Last update: 2024-10-01 03:02

debian/patches: 7 patches to forward upstream low

Among the 15 debian patches available in version 9.0.95-1 of the package, we noticed the following issues:

7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2024-09-30 20:04

news

[rss feed]

[2024-10-05] tomcat9 9.0.95-1 MIGRATED to testing (Debian testing watch)
[2024-09-30] Accepted tomcat9 9.0.95-1 (source) into unstable (Emmanuel Bourg)
[2024-04-20] Accepted tomcat9 9.0.43-2~deb11u10 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2024-04-19] Accepted tomcat9 9.0.43-2~deb11u10 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2024-04-05] Accepted tomcat9 9.0.31-1~deb10u12 (source) into oldoldstable (Markus Koschany)
[2024-01-05] Accepted tomcat9 9.0.31-1~deb10u11 (source) into oldoldstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2023-12-21] Removed 9.0.70-1 from unstable (Debian FTP Masters)
[2023-10-28] Accepted tomcat9 9.0.43-2~deb11u9 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-16] Accepted tomcat9 9.0.43-2~deb11u9 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-16] Accepted tomcat9 9.0.31-1~deb10u10 (source) into oldoldstable (Markus Koschany)
[2023-10-15] Accepted tomcat9 9.0.43-2~deb11u8 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-13] Accepted tomcat9 9.0.31-1~deb10u9 (source) into oldoldstable (Markus Koschany)
[2023-10-12] Accepted tomcat9 9.0.43-2~deb11u8 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-12] Accepted tomcat9 9.0.43-2~deb11u7 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Emmanuel Bourg)
[2023-10-10] Accepted tomcat9 9.0.43-2~deb11u7 (source) into oldstable-security (Debian FTP Masters) (signed by: Emmanuel Bourg)
[2023-06-02] tomcat9 9.0.70-2 MIGRATED to testing (Debian testing watch)
[2023-05-27] Accepted tomcat9 9.0.70-2 (source) into unstable (Markus Koschany)
[2023-04-07] Accepted tomcat9 9.0.43-2~deb11u6 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-04-05] Accepted tomcat9 9.0.43-2~deb11u6 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-04-05] Accepted tomcat9 9.0.31-1~deb10u8 (source) into oldstable (Markus Koschany)
[2023-01-22] Accepted tomcat9 9.0.43-2~deb11u5 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2022-12-11] tomcat9 9.0.70-1 MIGRATED to testing (Debian testing watch)
[2022-12-05] Accepted tomcat9 9.0.70-1 (source) into unstable (Emmanuel Bourg)
[2022-11-05] Accepted tomcat9 9.0.43-2~deb11u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2022-10-29] Accepted tomcat9 9.0.43-2~deb11u4 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2022-10-25] Accepted tomcat9 9.0.31-1~deb10u7 (source) into oldstable (Markus Koschany)
[2022-10-20] tomcat9 9.0.68-1.1 MIGRATED to testing (Debian testing watch)
[2022-10-15] Accepted tomcat9 9.0.68-1.1 (source) into unstable (Michael Biebl)
[2022-10-13] tomcat9 9.0.68-1 MIGRATED to testing (Debian testing watch)
[2022-10-08] Accepted tomcat9 9.0.68-1 (source) into unstable (Emmanuel Bourg)

bugs [bug history graph]

all: 10
RC: 0
I&N: 7
M&W: 2
F&P: 1
patch: 2

links

homepage
lintian (0, 12)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.0.70-2ubuntu1.1
22 bugs
patches for 9.0.70-2ubuntu1.1