FFe: Sync tomcat9 9.0.31-1~deb10u6 (universe) from Debian buster (security)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tomcat9 (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Please sync tomcat9 9.0.31-1~deb10u6 (universe) from Debian buster (security)
Explanation of FeatureFreeze exception:
The Ubuntu package does not have any Ubuntu-specific patches added after FeatureFreeze in focal.
However, the Debian package has bug fixes and security updates which do not exist in the Ubuntu package.
Changelog entries since current focal version 9.0.31-1:
tomcat9 (9.0.31-1~deb10u6) buster-security; urgency=high
* Team upload.
* CVE-2021-30640: Fix NullPointerExce
If no userRoleAttribute is specified in the user's Realm configuration, its
default value will be null. This will cause an NPE in the methods
doFilterEsc
https:/
* Fix CVE-2021-41079:
Apache Tomcat did not properly validate incoming TLS packets. When Tomcat
was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
crafted packet could be used to trigger an infinite loop resulting in a
denial of service.
-- Markus Koschany <email address hidden> Sat, 25 Sep 2021 22:17:13 +0200
tomcat9 (9.0.31-1~deb10u5) buster-security; urgency=high
* Team upload.
* Fix CVE-2021-30640:
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
authenticate using variations of a valid user name and/or to bypass some of
the protection provided by the LockOut Realm.
* Fix CVE-2021-33037:
Apache Tomcat did not correctly parse the HTTP transfer-encoding request
header in some circumstances, leading to the possibility of request
smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer encoding header if the client
declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the
final encoding. (Closes: #991046)
-- Markus Koschany <email address hidden> Sat, 07 Aug 2021 18:25:15 +0200
tomcat9 (9.0.31-1~deb10u4) buster-security; urgency=medium
* CVE-2021-25122
* CVE-2021-25329
-- Moritz Mühlenhoff <email address hidden> Mon, 12 Apr 2021 16:45:06 +0200
tomcat9 (9.0.31-1~deb10u3) buster-security; urgency=medium
* Fixed CVE-2020-13943: HTTP/2 request mix-up. If an HTTP/2 client exceeded
the agreed maximum number of concurrent streams for a connection (in
violation of the HTTP/2 protocol), it was possible that a subsequent
request made on that connection could contain HTTP headers - including
HTTP/2 pseudo headers - from a previous request rather than the intended
headers. This could lead to users seeing responses for unexpected resources.
* Fixed CVE-2020-17527: HTTP/2 request header mix-up. It was discovered that
Apache Tomcat could re-use an HTTP request header value from the previous
stream received on an HTTP/2 connection for the request associated with
the subsequent stream. While this would most likely lead to an error and
the closure of the HTTP/2 connection, it is possible that information could
leak between requests.
-- Emmanuel Bourg <email address hidden> Tue, 19 Jan 2021 23:31:47 +0100
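The three parsing conditions listed above for CVE-2021-33037 are easiest to see as a framing decision: given a request's version line and headers, where does the server think the body ends? The toy framer below is an added example, not code from the tomcat9 package, the Debian patch or this bug report. `frame_lax` is my re-creation of the three behaviours as the changelog describes them; `frame_strict` follows RFC 7230 section 3.3.3 and is not Tomcat's actual fix. The three requests in `CASES` are constructed, not captured traffic.

```python
"""Framing decisions for a request carrying Transfer-Encoding, lax vs. strict.

Added example (not code from the tomcat9 package or the bug report). It re-creates
the three parsing conditions listed for CVE-2021-33037 in a toy framer so that the
disagreement with a standards-following reverse proxy can be seen on constructed
requests. The "strict" variant follows RFC 7230 section 3.3.3; it is not Tomcat's patch.
"""
from typing import List, Optional, Tuple, Union

Framing = Union[int, str]  # byte count taken from Content-Length, or "chunked"
Headers = List[Tuple[str, str]]


def parse_request(raw: bytes) -> Tuple[str, Headers]:
    """Split a raw request into (version, [(lowercased-name, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _method, _target, version = lines[0].split(" ")
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return version, headers


def transfer_codings(headers: Headers) -> List[str]:
    """All Transfer-Encoding tokens, in order, across repeated header lines."""
    codings: List[str] = []
    for name, value in headers:
        if name == "transfer-encoding":
            codings += [c.strip().lower() for c in value.split(",") if c.strip()]
    return codings


def content_length(headers: Headers) -> Optional[int]:
    for name, value in headers:
        if name == "content-length":
            return int(value)
    return None


def frame_lax(version: str, headers: Headers) -> Framing:
    """Pre-fix behaviour as the changelog describes it (hypothetical re-creation)."""
    codings = transfer_codings(headers)
    if version == "HTTP/1.0":
        codings = []  # (1) header ignored when the client only accepts HTTP/1.0
    if "chunked" in codings:  # (2) identity tolerated, (3) chunked need not be final
        return "chunked"
    cl = content_length(headers)
    return cl if cl is not None else 0


def frame_strict(version: str, headers: Headers) -> Framing:
    """RFC 7230 3.3.3 framing; raises ValueError carrying the status to send."""
    codings = transfer_codings(headers)
    if not codings:
        cl = content_length(headers)
        return cl if cl is not None else 0
    # (1) Transfer-Encoding is parsed for any HTTP/1.x request, not only HTTP/1.1.
    for c in codings:
        # (2) "identity" is not a transfer-coding in RFC 7230; unknown codings get 501.
        if c not in ("chunked", "gzip", "deflate", "compress"):
            raise ValueError(f"501 unsupported transfer-coding {c!r}")
    # (3) Only a final "chunked" gives an unambiguous body length.
    if codings[-1] != "chunked":
        raise ValueError("400 chunked is not the final transfer-coding")
    # Transfer-Encoding overrides Content-Length (RFC 7230 3.3.3 item 3); the
    # Content-Length must be dropped before the request is forwarded anywhere.
    return "chunked"


def compare(raw: bytes) -> Tuple[Framing, Union[Framing, str]]:
    """Return (lax framing, strict framing or the rejection status) for one request."""
    version, headers = parse_request(raw)
    lax = frame_lax(version, headers)
    try:
        strict: Union[Framing, str] = frame_strict(version, headers)
    except ValueError as e:
        strict = str(e)
    return lax, strict


# Constructed requests (not captured traffic). Where the lax back end frames by
# Content-Length (4 bytes) but the front end frames by chunked, or vice versa,
# the trailing "GET /admin" line is read as the start of the next request.
CASES = {
    "http10_te": (b"POST /app HTTP/1.0\r\nHost: x\r\nContent-Length: 4\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"),
    "identity": (b"POST /app HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\n"
                 b"Transfer-Encoding: chunked, identity\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"),
    "chunked_not_last": (b"POST /app HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\n"
                         b"Transfer-Encoding: chunked, gzip\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in CASES.items():
        lax, strict = compare(raw)
        print(f"{name:18} lax={lax!r:10} strict={strict!r}")
```

Each case maps to one bullet of the changelog: the HTTP/1.0 request is framed by Content-Length on the lax side and by chunked on the strict side; the two multi-coding requests are accepted as chunked by the lax framer but rejected (501 or 400) by the strict one. Any row where the two columns differ is a request a reverse proxy and the back end would split at different byte offsets.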
Feature freeze exceptions are for introducing new features into the development release of Ubuntu after feature freeze. This appears to be a request for an update to tomcat9 in focal.
You either need to use the SRU process https://wiki.ubuntu.com/StableReleaseUpdates or, if this is only about security fixes, coordinate with the Ubuntu Security team. However, it seems likely that any security fixes you're concerned about were included in https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.2