tomcat9 - Debian Package Tracker

general

source: tomcat9 (main)
version: 9.0.95-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: tony mancill [DMD] – Emmanuel Bourg [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 9.0.31-1~deb10u6
o-o-sec: 9.0.31-1~deb10u12
oldstable: 9.0.43-2~deb11u10
old-sec: 9.0.43-2~deb11u12
stable: 9.0.70-2
testing: 9.0.95-1
unstable: 9.0.95-1

versioned links

9.0.31-1~deb10u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.31-1~deb10u12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.43-2~deb11u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.43-2~deb11u12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.70-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.95-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libtomcat9-java (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 9.0.107 high

A new upstream version 9.0.107 is available, you should consider packaging it.

Created: 2024-10-04 Last update: 2025-07-18 13:33

11 security issues in bullseye high

There are 11 open security issues in bullseye.

6 important issues:

CVE-2025-48976: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
CVE-2025-48988: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVE-2025-49125: Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVE-2025-52434: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
CVE-2025-52520: For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
CVE-2025-53506: Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

4 issues postponed or untriaged:

CVE-2024-34750: (postponed; to be fixed through a stable update) Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
CVE-2025-31650: (postponed; to be fixed through a stable update) Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
CVE-2025-31651: (postponed; to be fixed through a stable update) Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
CVE-2025-46701: (postponed; to be fixed through a stable update) Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

1 ignored issue:

CVE-2024-54677: Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

Created: 2025-06-17 Last update: 2025-07-11 16:03

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2025-01-06 Last update: 2025-07-18 17:31

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-02-28 Last update: 2025-07-18 17:01

lintian reports 12 warnings normal

Lintian reports 12 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-10-01 Last update: 2024-10-01 03:02

debian/patches: 7 patches to forward upstream low

Among the 15 debian patches available in version 9.0.95-1 of the package, we noticed the following issues:

7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2024-09-30 20:04

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25

news

[rss feed]

[2025-04-01] Accepted tomcat9 9.0.43-2~deb11u12 (source) into oldstable-security (Markus Koschany)
[2025-01-16] Accepted tomcat9 9.0.43-2~deb11u11 (source) into oldstable-security (Markus Koschany)
[2024-10-05] tomcat9 9.0.95-1 MIGRATED to testing (Debian testing watch)
[2024-09-30] Accepted tomcat9 9.0.95-1 (source) into unstable (Emmanuel Bourg)
[2024-04-20] Accepted tomcat9 9.0.43-2~deb11u10 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2024-04-19] Accepted tomcat9 9.0.43-2~deb11u10 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2024-04-05] Accepted tomcat9 9.0.31-1~deb10u12 (source) into oldoldstable (Markus Koschany)
[2024-01-05] Accepted tomcat9 9.0.31-1~deb10u11 (source) into oldoldstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2023-12-21] Removed 9.0.70-1 from unstable (Debian FTP Masters)
[2023-10-28] Accepted tomcat9 9.0.43-2~deb11u9 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-16] Accepted tomcat9 9.0.43-2~deb11u9 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-16] Accepted tomcat9 9.0.31-1~deb10u10 (source) into oldoldstable (Markus Koschany)
[2023-10-15] Accepted tomcat9 9.0.43-2~deb11u8 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-13] Accepted tomcat9 9.0.31-1~deb10u9 (source) into oldoldstable (Markus Koschany)
[2023-10-12] Accepted tomcat9 9.0.43-2~deb11u8 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-12] Accepted tomcat9 9.0.43-2~deb11u7 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Emmanuel Bourg)
[2023-10-10] Accepted tomcat9 9.0.43-2~deb11u7 (source) into oldstable-security (Debian FTP Masters) (signed by: Emmanuel Bourg)
[2023-06-02] tomcat9 9.0.70-2 MIGRATED to testing (Debian testing watch)
[2023-05-27] Accepted tomcat9 9.0.70-2 (source) into unstable (Markus Koschany)
[2023-04-07] Accepted tomcat9 9.0.43-2~deb11u6 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-04-05] Accepted tomcat9 9.0.43-2~deb11u6 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-04-05] Accepted tomcat9 9.0.31-1~deb10u8 (source) into oldstable (Markus Koschany)
[2023-01-22] Accepted tomcat9 9.0.43-2~deb11u5 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2022-12-11] tomcat9 9.0.70-1 MIGRATED to testing (Debian testing watch)
[2022-12-05] Accepted tomcat9 9.0.70-1 (source) into unstable (Emmanuel Bourg)
[2022-11-05] Accepted tomcat9 9.0.43-2~deb11u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2022-10-29] Accepted tomcat9 9.0.43-2~deb11u4 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2022-10-25] Accepted tomcat9 9.0.31-1~deb10u7 (source) into oldstable (Markus Koschany)
[2022-10-20] tomcat9 9.0.68-1.1 MIGRATED to testing (Debian testing watch)
[2022-10-15] Accepted tomcat9 9.0.68-1.1 (source) into unstable (Michael Biebl)

bugs [bug history graph]

all: 10
RC: 0
I&N: 7
M&W: 2
F&P: 1
patch: 2

links

homepage
lintian (0, 12)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.0.70-2ubuntu3
23 bugs
patches for 9.0.70-2ubuntu3