tomcat9 - Debian Package Tracker

general

source: tomcat9 (main)
version: 9.0.95-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: tony mancill [DMD] – Emmanuel Bourg [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 9.0.31-1~deb10u6
o-o-sec: 9.0.31-1~deb10u12
oldstable: 9.0.43-2~deb11u10
old-sec: 9.0.43-2~deb11u12
stable: 9.0.70-2
testing: 9.0.95-1
unstable: 9.0.95-1

versioned links

9.0.31-1~deb10u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.31-1~deb10u12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.43-2~deb11u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.43-2~deb11u12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.70-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0.95-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libtomcat9-java (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 9.0.104 high

A new upstream version 9.0.104 is available, you should consider packaging it.

Created: 2024-10-04 Last update: 2025-05-03 02:00

4 security issues in bullseye high

There are 4 open security issues in bullseye.

2 important issues:

CVE-2025-31650: Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
CVE-2025-31651: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

1 issue postponed or untriaged:

CVE-2024-34750: (postponed; to be fixed through a stable update) Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

1 ignored issue:

CVE-2024-54677: Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

Created: 2025-04-29 Last update: 2025-04-29 04:57

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2025-01-06 Last update: 2025-05-03 04:02

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-02-28 Last update: 2025-05-02 23:32

lintian reports 12 warnings normal

Lintian reports 12 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-10-01 Last update: 2024-10-01 03:02

debian/patches: 7 patches to forward upstream low

Among the 15 debian patches available in version 9.0.95-1 of the package, we noticed the following issues:

7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2024-09-30 20:04

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25

news

[rss feed]

[2025-04-01] Accepted tomcat9 9.0.43-2~deb11u12 (source) into oldstable-security (Markus Koschany)
[2025-01-16] Accepted tomcat9 9.0.43-2~deb11u11 (source) into oldstable-security (Markus Koschany)
[2024-10-05] tomcat9 9.0.95-1 MIGRATED to testing (Debian testing watch)
[2024-09-30] Accepted tomcat9 9.0.95-1 (source) into unstable (Emmanuel Bourg)
[2024-04-20] Accepted tomcat9 9.0.43-2~deb11u10 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2024-04-19] Accepted tomcat9 9.0.43-2~deb11u10 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2024-04-05] Accepted tomcat9 9.0.31-1~deb10u12 (source) into oldoldstable (Markus Koschany)
[2024-01-05] Accepted tomcat9 9.0.31-1~deb10u11 (source) into oldoldstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2023-12-21] Removed 9.0.70-1 from unstable (Debian FTP Masters)
[2023-10-28] Accepted tomcat9 9.0.43-2~deb11u9 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-16] Accepted tomcat9 9.0.43-2~deb11u9 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-16] Accepted tomcat9 9.0.31-1~deb10u10 (source) into oldoldstable (Markus Koschany)
[2023-10-15] Accepted tomcat9 9.0.43-2~deb11u8 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-13] Accepted tomcat9 9.0.31-1~deb10u9 (source) into oldoldstable (Markus Koschany)
[2023-10-12] Accepted tomcat9 9.0.43-2~deb11u8 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-12] Accepted tomcat9 9.0.43-2~deb11u7 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Emmanuel Bourg)
[2023-10-10] Accepted tomcat9 9.0.43-2~deb11u7 (source) into oldstable-security (Debian FTP Masters) (signed by: Emmanuel Bourg)
[2023-06-02] tomcat9 9.0.70-2 MIGRATED to testing (Debian testing watch)
[2023-05-27] Accepted tomcat9 9.0.70-2 (source) into unstable (Markus Koschany)
[2023-04-07] Accepted tomcat9 9.0.43-2~deb11u6 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-04-05] Accepted tomcat9 9.0.43-2~deb11u6 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-04-05] Accepted tomcat9 9.0.31-1~deb10u8 (source) into oldstable (Markus Koschany)
[2023-01-22] Accepted tomcat9 9.0.43-2~deb11u5 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2022-12-11] tomcat9 9.0.70-1 MIGRATED to testing (Debian testing watch)
[2022-12-05] Accepted tomcat9 9.0.70-1 (source) into unstable (Emmanuel Bourg)
[2022-11-05] Accepted tomcat9 9.0.43-2~deb11u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2022-10-29] Accepted tomcat9 9.0.43-2~deb11u4 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2022-10-25] Accepted tomcat9 9.0.31-1~deb10u7 (source) into oldstable (Markus Koschany)
[2022-10-20] tomcat9 9.0.68-1.1 MIGRATED to testing (Debian testing watch)
[2022-10-15] Accepted tomcat9 9.0.68-1.1 (source) into unstable (Michael Biebl)

bugs [bug history graph]

all: 10
RC: 0
I&N: 7
M&W: 2
F&P: 1
patch: 2

links

homepage
lintian (0, 12)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.0.70-2ubuntu1.1
22 bugs
patches for 9.0.70-2ubuntu1.1