Fix for CVE-2023-46589 in Jammy's tomcat9

Bug #2047933 reported by Troels Arvin
Affects            Status  Importance  Assigned to  Milestone
tomcat9 (Ubuntu)   New     Undecided   Unassigned
Jammy              New     Undecided   Unassigned

Bug Description

Ubuntu 22 Jammy lacks a fix for CVE-2023-46589 (CVE date: 2023-10-23, CVSS3 severity 7.5).

Debian writes they have fixed it by releasing tomcat9 v 9.0.70-2 for "sid" and "bookworm": https://security-tracker.debian.org/tracker/CVE-2023-46589
(That's a bit surprising, since Debian's package 9.0.70-2 is from May of 2023.)

Ubuntu should release a tomcat9 with a fix for the vulnerability.

Robie Basak (racb) wrote :

Please note that tomcat9 in Ubuntu Jammy is in universe and community supported. If you can contribute the fix, please see https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

information type: Public → Public Security
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Troels Arvin (troels-w) wrote :

OK, I've created a Tomcat 9 package set which has a fix for the CVE.

I didn't base it on the very latest Tomcat 9, because Java 17 has become a requirement for the very latest Tomcat 9 releases, somewhat surprisingly.

https://launchpad.net/~troels-w/+archive/ubuntu/tomcat-slipstream

Thomas Ward (teward) wrote :

NOTE: This is already pending fixes for Noble as the updated version from Debian is synced in and sitting in Proposed.

Troels Arvin (troels-w) wrote :

@thomas, can you help me understand this better? (I'm rather new in the Ubuntu world, having mostly used distros in the Red Hat family before.)

Where can I inspect details of the package which is about to enter Ubuntu 22's Universe? And how about the package about to enter Noble?

The thing is, last I checked, Debian had not fixed this CVE in any Tomcat packages.

Seth Arnold (seth-arnold) wrote :

Actually, should we kill tomcat9 before Noble is released?

The 9.0.70-2 version was uploaded in October (https://launchpad.net/ubuntu/+source/tomcat9) and it hasn't migrated from proposed to release yet because it trips autopkgtest failures: https://ubuntu-archive-team.ubuntu.com/proposed-migration/update_excuses.html#tomcat9

The Debian changelog says:

  * Drop tomcat9 server packages because only one Tomcat version is supported
    per release. Only retain libtomcat9-java because of compatibility reasons
    for now. Users are strongly encouraged to switch to Tomcat 10 instead.
    (Closes: #1034824)

If this package migrates, we lose the tomcat9 server in noble and later. If this package doesn't migrate, then we keep shipping a vulnerable version. We could accept Troels's fixes, or we could drop the package entirely.

What's best?

Thanks

Mark Dai (mdai) wrote :

@troels, could you please bump the version to 9.0.83+ in that PPA? As suggested, CVE-2023-46589 was not fixed until 9.0.83
https://nvd.nist.gov/vuln/detail/CVE-2023-46589

Thanks

Troels Arvin (troels-w) wrote :

Seth: I agree tomcat9 does not have a place for Noble.

Mark: Tomcat 9.0.83 needs to be built with Java 17, according to its release notes. I suppose in principle it does not rule out running the resulting binaries with Java 11, but I think it sounds risky.
I think it's important to not introduce a sudden Java 17 dependency into a long-term release like Jammy.
So I chose to use the latest version of Tomcat 9 which fully supports Java 11, and then I backported the fix for CVE-2023-46589 to it.

If someone can make a compelling argument for it being safe to build with Java 17 but run with Java 11, then we could move to the latest Tomcat.

Vladimir Petko (vpa1977) wrote (last edit):

I wonder if I should prepare 9.0.86 for Noble, because there is still use for it (Java 8-based applications)?

Regarding safety: according to the Tomcat version page [1], 9.0.x can be safely run on Java 8 and up. Hence it is safe to run with Java 11.
Though it would violate Debian Java policy to build it with a JDK other than the default.

I should check if tomcat 9 can be built with 11 in packaging, as the requirement for 17 seems to come from the build dependency binaries, not the code itself.

[1] https://tomcat.apache.org/whichversion.html

Troels Arvin (troels-w) wrote :

Where I work, having tomcat9 for Ubuntu 24 would be great, but can we sustain it for years and years, along with other Tomcat generations?
