• Accepted tomcat10 10.1.34-0+deb12u1 (source) into proposed-updates

    From Debian FTP Masters@21:1/5 to All on Fri Jan 17 18:40:01 2025

    Format: 1.8
    Date: Fri, 17 Jan 2025 00:33:16 CET
    Source: tomcat10
    Architecture: source
    Version: 10.1.34-0+deb12u1
    Distribution: bookworm-security
    Urgency: high
    Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
    Changed-By: Markus Koschany <apo@debian.org>
    Checksums-Sha1:
    1d1ef8fe9974b1773c02ec1dd5a9aa4062bfd317 3014 tomcat10_10.1.34-0+deb12u1.dsc
    392a1dda8a1c6de8ac066117f5a3f04c1c2a476a 4706224 tomcat10_10.1.34.orig.tar.xz
    5a79e435f5feab95db8dcdb877122270cdbb7a22 51256 tomcat10_10.1.34-0+deb12u1.debian.tar.xz
    c575d97ff98d0d06320dd6441dc96858e345a4ee 16788 tomcat10_10.1.34-0+deb12u1_amd64.buildinfo
    Checksums-Sha256:
    3aa02ff00c46891ede32b9dbd6bb25b2f40e034b242d11837e33055e8c966682 3014 tomcat10_10.1.34-0+deb12u1.dsc
    a56c7fb9a822f44b3cd104ec2be0c892084c991ae839394166dc772a2b272a54 4706224 tomcat10_10.1.34.orig.tar.xz
    2a7067524b9ae7f7fd3fe32943b77e0681b78a9f337b310cf02caab8190523da 51256 tomcat10_10.1.34-0+deb12u1.debian.tar.xz
    898aed9896f71f68d994aead75f59331df80a86a88bc9b9519d76fa1227b28ee 16788 tomcat10_10.1.34-0+deb12u1_amd64.buildinfo
    Changes:
    tomcat10 (10.1.34-0+deb12u1) bookworm-security; urgency=high
    .
      * Team upload.
      * Backport 10.1.34 to bookworm to fix open CVEs and improve HTTP/2
        functionality.
      * Fix CVE-2024-52316:
        Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is
        configured to use a custom Jakarta Authentication (formerly JASPIC)
        ServerAuthContext component which may throw an exception during the
        authentication process without explicitly setting an HTTP status to
        indicate failure, the authentication may not fail, allowing the user to
        bypass the authentication process. There are no known Jakarta
        Authentication components that behave in this way.
      * Fix CVE-2024-38286:
        Apache Tomcat, under certain configurations, allows an attacker to cause an
        OutOfMemoryError by abusing the TLS handshake process.
      * Fix CVE-2024-50379 / CVE-2024-56337:
        Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP
        compilation in Apache Tomcat permits an RCE on case insensitive file
        systems when the default servlet is enabled for write (non-default
        configuration).
        Some users may need additional configuration to fully mitigate
        CVE-2024-50379 depending on which version of Java they are using with
        Tomcat. For Debian 12 "bookworm" the system property sun.io.useCanonCaches
        must be explicitly set to false (it defaults to false). Most Debian users
        will not be affected because Debian uses case sensitive file systems by
        default.
      * Fix CVE-2024-34750:
        Improper Handling of Exceptional Conditions, Uncontrolled Resource
        Consumption vulnerability in Apache Tomcat. When processing an HTTP/2
        stream, Tomcat did not handle some cases of excessive HTTP headers
        correctly. This led to a miscounting of active HTTP/2 streams which in turn
        led to the use of an incorrect infinite timeout which allowed connections
        to remain open which should have been closed.
      * Fix CVE-2024-54677:
        Uncontrolled Resource Consumption vulnerability in the examples web
        application provided with Apache Tomcat leads to denial of service.
    Files:
    91dfa2ccfd1d361328bb11d9e6dcd445 3014 java optional tomcat10_10.1.34-0+deb12u1.dsc
    cfa998de0b5116ef8d9bbab6905e145e 4706224 java optional tomcat10_10.1.34.orig.tar.xz
    2f6ddf934c19e392651d074fe5d3c876 51256 java optional tomcat10_10.1.34-0+deb12u1.debian.tar.xz
    95e3fbf30359bddacae579cf72dcde1f 16788 java optional tomcat10_10.1.34-0+deb12u1_amd64.buildinfo