tomcat9 - Debian Package Tracker

general

source: tomcat9 (main)
version: 9.0.63-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Emmanuel Bourg [DMD] – tony mancill [DMD]
arch: all
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-bpo: 9.0.16-4~bpo9+1
oldstable: 9.0.31-1~deb10u5
old-sec: 9.0.31-1~deb10u6
stable: 9.0.43-2~deb11u3
stable-sec: 9.0.43-2~deb11u3
testing: 9.0.62-1
unstable: 9.0.63-1

versioned links

9.0.16-4~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.31-1~deb10u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.31-1~deb10u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.43-2~deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.62-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.63-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libtomcat9-embed-java
libtomcat9-java
tomcat9 (6 bugs: 0, 5, 1, 0)
tomcat9-admin
tomcat9-common
tomcat9-docs
tomcat9-examples
tomcat9-user

action needed

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2022-29885: The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Created: 2022-05-13 Last update: 2022-05-15 06:30

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2021-08-14 Last update: 2022-05-17 05:40

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2020-08-04 Last update: 2022-05-17 03:11

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-11-05 Last update: 2021-11-05 04:35

2 low-priority security issues in buster low

There are 2 open security issues in buster.

2 issues left for the package maintainer to handle:

CVE-2022-23181: (postponed; to be fixed through a stable update) The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
CVE-2022-29885: (postponed; to be fixed through a stable update) The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-01-29 Last update: 2022-05-15 06:30

2 low-priority security issues in bullseye low

There are 2 open security issues in bullseye.

2 issues left for the package maintainer to handle:

CVE-2022-23181: (postponed; to be fixed through a stable update) The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
CVE-2022-29885: (postponed; to be fixed through a stable update) The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-01-29 Last update: 2022-05-15 06:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).

Created: 2022-05-11 Last update: 2022-05-14 00:55

testing migrations

excuses:
- Migration status for tomcat9 (9.0.62-1 to 9.0.63-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Too young, only 3 of 5 days old
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/t/tomcat9.html
- Not considered

news

[rss feed]

[2022-05-13] Accepted tomcat9 9.0.63-1 (source) into unstable (Markus Koschany)
[2022-05-05] tomcat9 9.0.62-1 MIGRATED to testing (Debian testing watch)
[2022-05-05] tomcat9 9.0.62-1 MIGRATED to testing (Debian testing watch)
[2022-04-29] Accepted tomcat9 9.0.62-1 (source) into unstable (Markus Koschany)
[2022-02-15] tomcat9 9.0.58-1 MIGRATED to testing (Debian testing watch)
[2022-02-09] Accepted tomcat9 9.0.58-1 (source) into unstable (Markus Koschany)
[2021-11-21] tomcat9 9.0.55-1 MIGRATED to testing (Debian testing watch)
[2021-11-19] Accepted tomcat9 9.0.43-2~deb11u3 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-11-15] Accepted tomcat9 9.0.55-1 (source) into unstable (Markus Koschany)
[2021-11-12] Accepted tomcat9 9.0.43-2~deb11u3 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2021-10-28] tomcat9 9.0.54-1 MIGRATED to testing (Debian testing watch)
[2021-10-22] Accepted tomcat9 9.0.54-1 (source) into unstable (Markus Koschany)
[2021-10-16] Accepted tomcat9 9.0.43-2~deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-10-16] Accepted tomcat9 9.0.31-1~deb10u6 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-10-14] Accepted tomcat9 9.0.43-2~deb11u2 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2021-10-14] Accepted tomcat9 9.0.31-1~deb10u6 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Markus Koschany)
[2021-09-30] tomcat9 9.0.53-1 MIGRATED to testing (Debian testing watch)
[2021-09-24] Accepted tomcat9 9.0.53-1 (source) into unstable (Markus Koschany)
[2021-08-27] Accepted tomcat9 9.0.31-1~deb10u5 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-08-16] tomcat9 9.0.43-3 MIGRATED to testing (Debian testing watch)
[2021-08-10] Accepted tomcat9 9.0.43-3 (source) into unstable (Markus Koschany)
[2021-08-09] Accepted tomcat9 9.0.43-2~deb11u1 (source) into testing-proposed-updates (Markus Koschany)
[2021-08-09] Accepted tomcat9 9.0.31-1~deb10u5 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Markus Koschany)
[2021-08-09] Accepted tomcat9 9.0.43-2~deb11u1 (source) into testing-security->embargoed, testing-security (Debian FTP Masters) (signed by: Markus Koschany)
[2021-08-07] Accepted tomcat9 9.0.43-2 (source) into unstable (Markus Koschany)
[2021-04-15] Accepted tomcat9 9.0.31-1~deb10u4 (source all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2021-04-13] Accepted tomcat9 9.0.31-1~deb10u4 (source all) into stable->embargoed, stable (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2021-02-08] Accepted tomcat9 9.0.43-1~bpo10+1 (source) into buster-backports (Emmanuel Bourg)
[2021-02-08] tomcat9 9.0.43-1 MIGRATED to testing (Debian testing watch)
[2021-02-02] Accepted tomcat9 9.0.43-1 (source) into unstable (Emmanuel Bourg)

bugs [bug history graph]

all: 7
RC: 0
I&N: 6
M&W: 1
F&P: 0
patch: 2

links

homepage
lintian (0, 3)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.0.63-1
18 bugs (1 patch)