[ubuntu/plucky-security] tomcat9 9.0.70-2ubuntu1.25.04.2 (Accepted)

Vyom Yadav vyom.yadav at canonical.com
Mon Jun 9 14:49:14 UTC 2025 

tomcat9 (9.0.70-2ubuntu1.25.04.2) plucky-security; urgency=medium

  * SECURITY UPDATE: Information disclosure via missing secure attribute
    - debian/patches/CVE-2023-28708.patch: Fix BZ 66471 - JSessionId
      secure attribute missing with RemoteIpFilter and X-Forwarded-Proto
      set to https
    - CVE-2023-28708
  * SECURITY UPDATE: Information disclosure via incomplete cleanup
    - debian/patches/CVE-2023-42795.patch: Improve handling of failures
      during recycle() methods
    - CVE-2023-42795
  * SECURITY UPDATE: HTTP request smuggling via trailer headers
    - debian/patches/CVE-2023-45648.patch: Align processing of trailer
      headers with standard processing
    - CVE-2023-45648
  * SECURITY UPDATE: Denial of service via WebSocket connections
    - debian/patches/CVE-2024-23672-pre-1.patch: Rename prior to
      extending with additional tests
    - debian/patches/CVE-2024-23672-pre-2.patch: Add test util getter
      for root context with class path scanning disabled
    - debian/patches/CVE-2024-23672.patch: Refactor WebSocket close for
      suspend/resume
    - CVE-2024-23672
  * SECURITY UPDATE: Denial of service via HTTP/2 header parsing
    - debian/patches/CVE-2024-24549.patch: Report HTTP/2 header parsing
      errors earlier
    - debian/patches/CVE-2024-24549-post-1.patch: Make recycled streams
      eligible for GC immediately. Improves scalability.
    - debian/patches/CVE-2024-24549-post-2.patch: Update tests after
      HTTP/2 improvements
    - CVE-2024-24549
  * SECURITY UPDATE: Denial of service via HTTP/2 stream handling
    - debian/patches/CVE-2024-34750-pre-1.patch: Fix 66530 - Regression
      in fix for BZ 66442. Ensure count is decremented
    - debian/patches/CVE-2024-34750-pre-2.patch: Refactor decrement
      using a common method
    - debian/patches/CVE-2024-34750.patch: Make counting of active
      streams more robust
    - CVE-2024-34750
  * SECURITY UPDATE: Denial of service via TLS handshake abuse
    - debian/patches/CVE-2024-38286.patch: Add support for re-keying
      with TLS 1.3
    - CVE-2024-38286

Date: 2025-06-09 10:41:13.499048+00:00
Changed-By: Vyom Yadav <vyom.yadav at canonical.com>
https://launchpad.net/ubuntu/+source/tomcat9/9.0.70-2ubuntu1.25.04.2
-------------- next part --------------
Sorry, changesfile not available.

More information about the plucky-changes mailing list