tomcat9 9.0.31-1ubuntu0.2 source package in Ubuntu
Changelog
tomcat9 (9.0.31-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: TLS Denial of Service
    - debian/patches/CVE-2021-41079.patch: Apache Tomcat did not properly
      validate incoming TLS packets. When Tomcat was configured to use
      NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could
      be used to trigger an infinite loop resulting in a denial of service.
    - CVE-2021-41079
  * SECURITY UPDATE: Authentication Vulnerability
    - debian/patches/CVE-2021-30640.patch: A vulnerability in the JNDI Realm
      of Apache Tomcat allows an attacker to authenticate using variations
      of a valid user name and/or to bypass some of the protection provided
      by the LockOut Realm.
    - CVE-2021-30640
  * SECURITY UPDATE: Request Smuggling
    - debian/patches/CVE-2021-33037.patch: Apache Tomcat did not correctly
      parse the HTTP transfer-encoding request header in some circumstances,
      leading to the possibility of request smuggling when used with a
      reverse proxy. Specifically:
      - Tomcat incorrectly ignored the transfer-encoding header if the client
        declared it would only accept an HTTP/1.0 response;
      - Tomcat honoured the identity encoding; and
      - Tomcat did not ensure that, if present, the chunked encoding was the
        final encoding.
    - CVE-2021-33037
  * SECURITY UPDATE: remote code execution via session persistence
    - debian/patches/CVE-2021-25329.patch: The fix for CVE-2020-9484 was
      incomplete. When using Apache Tomcat with a configuration edge case
      that was highly unlikely to be used, the Tomcat instance was still
      vulnerable to CVE-2020-9484. Note that both the previously published
      prerequisites for CVE-2020-9484 and the previously published
      mitigations for CVE-2020-9484 also apply to this issue.
    - CVE-2021-25329
  * SECURITY UPDATE: Request Header Duplication
    - debian/patches/CVE-2021-25122.patch: When responding to new h2c
      connection requests, Apache Tomcat could duplicate request headers and
      a limited amount of request body from one request to another, meaning
      user A and user B could both see the results of user A's request.
    - CVE-2021-25122
  * SECURITY UPDATE: HTTP/2 request header mix-up
    - debian/patches/CVE-2020-17527.patch: It was discovered that Apache
      Tomcat could re-use an HTTP request header value from the previous
      stream received on an HTTP/2 connection for the request associated
      with the subsequent stream. While this would most likely lead to an
      error and the closure of the HTTP/2 connection, it is possible that
      information could leak between requests.
    - CVE-2020-17527
  * SECURITY UPDATE: HTTP/2 request mix-up
    - debian/patches/CVE-2020-13943.patch: If an HTTP/2 client exceeded the
      agreed maximum number of concurrent streams for a connection (in
      violation of the HTTP/2 protocol), it was possible that a subsequent
      request made on that connection could contain HTTP headers - including
      HTTP/2 pseudo headers - from a previous request rather than the
      intended headers. This could lead to users seeing responses for
      unexpected resources.
    - CVE-2020-13943

 -- Evren Yurtesen <email address hidden>  Wed, 16 Mar 2022 20:51:24 +0200
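The three Transfer-Encoding parsing gaps listed under CVE-2021-33037 in the changelog are easiest to see as a body-framing decision. What follows is an added example in Python; it is not Tomcat's code and not the contents of debian/patches/CVE-2021-33037.patch. It applies the message-body length rules of RFC 7230 section 3.3.3 with a reject-rather-than-ignore policy of its own (Tomcat's actual fix may make different choices), so that a reverse proxy and the origin cannot frame one request differently. The function names, the Framing type and the SAMPLES request heads are all this example's own constructions.

```python
"""Strict HTTP/1.x request-body framing (added example, not Tomcat code).

Applies RFC 7230 section 3.3.3 so the three CVE-2021-33037 conditions
become explicit rejections:
  1. Transfer-Encoding on an HTTP/1.0 request is refused, never ignored.
  2. "identity" is not accepted as a transfer coding.
  3. "chunked", when present, must be the final coding.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Transfer codings this example can decode before a final "chunked". It ships
# no content decoders, so the set is empty; a server that can decode gzip
# would list it here. "identity" is deliberately absent.
SUPPORTED_PRE_CHUNK_CODINGS = frozenset()


@dataclass(frozen=True)
class Framing:
    kind: str                      # "chunked", "content-length", "none", "reject"
    status: Optional[int] = None   # status to send when kind == "reject"
    length: Optional[int] = None   # body length when kind == "content-length"
    reason: str = ""


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw request head into (http_version, headers).

    Header names are lower-cased; repeated fields are kept in order because
    Transfer-Encoding may legitimately be split across several lines.
    Obsolete line folding is refused: it is another desync vector.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise ValueError("obsolete line folding not allowed")
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line[2], headers


def transfer_codings(values: List[str]) -> List[str]:
    """Flatten Transfer-Encoding field values into an ordered coding list."""
    codings = []
    for value in values:
        for element in value.split(","):
            coding = element.split(";", 1)[0].strip().lower()  # drop parameters
            if coding:
                codings.append(coding)
    return codings


def decide_framing(version: str, headers: Dict[str, List[str]]) -> Framing:
    """Decide how the body is delimited, or why the request is refused."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")

    if te is not None:
        if version == "HTTP/1.0":
            # Transfer-Encoding does not exist in HTTP/1.0; silently ignoring it
            # and falling back to Content-Length is the smuggling gap.
            return Framing("reject", 400, reason="Transfer-Encoding on HTTP/1.0 request")
        if cl is not None:
            # RFC 7230 3.3.3: both present is an error; do not pick one.
            return Framing("reject", 400, reason="Transfer-Encoding with Content-Length")
        codings = transfer_codings(te)
        if not codings or codings[-1] != "chunked":
            # Covers "identity" alone, "chunked, gzip" and an empty field.
            return Framing("reject", 400, reason="chunked must be the final transfer coding")
        for coding in codings[:-1]:
            if coding == "chunked":
                return Framing("reject", 400, reason="chunked applied more than once")
            if coding not in SUPPORTED_PRE_CHUNK_CODINGS:
                return Framing("reject", 501, reason=f"unsupported transfer coding {coding!r}")
        return Framing("chunked")

    if cl is not None:
        # Several differing Content-Length values are a framing attack too.
        if len(set(cl)) != 1 or not cl[0].isdigit():
            return Framing("reject", 400, reason="invalid Content-Length")
        return Framing("content-length", length=int(cl[0]))

    return Framing("none")


def frame(raw: bytes) -> Framing:
    version, headers = parse_request_head(raw)
    return decide_framing(version, headers)


# Constructed request heads (not captured traffic) exercising each rule.
SAMPLES = {
    "http10_te": b"POST /app HTTP/1.0\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n",
    "identity": b"POST /app HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: identity\r\n\r\n",
    "chunked_not_last": b"POST /app HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "te_and_cl": b"POST /app HTTP/1.1\r\nHost: x\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n",
    "split_te": b"POST /app HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n",
    "good_chunked": b"POST /app HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n",
    "good_cl": b"POST /app HTTP/1.1\r\nHost: x\r\nContent-Length: 6\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17s} -> {frame(raw)}")
```

The design point is that every ambiguous case ends in a rejection that closes the connection rather than in a guess: a lenient origin that ignores the header for an HTTP/1.0 request, treats "identity" as a coding or accepts "chunked, gzip" will compute a body boundary that a strict front-end proxy does not share, and the bytes left over become the next request.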
Upload details
- Uploaded by:
- Evren Yurtesen
- Sponsored by:
- Paulo Flabiano Smorigo
- Uploaded to:
- Focal
- Original maintainer:
- Ubuntu Developers
- Architectures:
- all
- Section:
- java
- Urgency:
- Medium Urgency
Publishing
Series | Published | Component | Section
---|---|---|---
Focal | security | universe | misc
Downloads
File | Size | SHA-256 Checksum
---|---|---
tomcat9_9.0.31.orig.tar.xz | 3.7 MiB | d8d61755c7d670f44b58d5863a79b0f1e900c3a832d74d9b57d6bdc130bbd6c8
tomcat9_9.0.31-1ubuntu0.2.debian.tar.xz | 44.3 KiB | dff936f14bc081c5013e726bd558d23624adf732998f77b050a2ee9bddadc8b2
tomcat9_9.0.31-1ubuntu0.2.dsc | 2.8 KiB | 89f727e972d049698043690cedf60a2e92aa61d3dc92fb6786bd39f2f22fc215
Available diffs
Binary packages built by this source
- libtomcat9-embed-java: Apache Tomcat 9 - Servlet and JSP engine -- embed libraries
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the libraries required to embed Tomcat into Java
applications.
- libtomcat9-java: Apache Tomcat 9 - Servlet and JSP engine -- core libraries
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the Tomcat core classes which can be used by other
Java applications to embed Tomcat.
- tomcat9: Apache Tomcat 9 - Servlet and JSP engine
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains only the startup scripts for the system-wide daemon.
No documentation or web applications are included here, please install
the tomcat9-docs and tomcat9-examples packages if you want them.
Install tomcat9-user instead of this package if you don't want Tomcat to
start as a service.
- tomcat9-admin: Apache Tomcat 9 - Servlet and JSP engine -- admin web applications
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the administrative web interfaces.
- tomcat9-common: Apache Tomcat 9 - Servlet and JSP engine -- common files
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains common files needed by the tomcat9 and tomcat9-user
packages (Tomcat 9 scripts and libraries).
- tomcat9-docs: Apache Tomcat 9 - Servlet and JSP engine -- documentation
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the online documentation web application.
- tomcat9-examples: Apache Tomcat 9 - Servlet and JSP engine -- example web applications
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains the default Tomcat example webapps.
- tomcat9-user: Apache Tomcat 9 - Servlet and JSP engine -- tools to create user instances
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
server environment for Java code to run.
.
This package contains files needed to create a user Tomcat instance.
This user Tomcat instance can be started and stopped using the scripts
provided in the Tomcat instance directory.