Debian Security Advisory
DSA-4680-1 tomcat9 -- security update
- Date Reported:
- 06 May 2020
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2019-10072, CVE-2019-12418, CVE-2019-17563, CVE-2019-17569, CVE-2020-1935, CVE-2020-1938.
- More information:
Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface.
For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u1. The fix for CVE-2020-1938 may require configuration changes when Tomcat is used with the AJP connector, e.g. in combination with libapache-mod-jk. For instance the attribute
secretRequiredis set to true by default now. For affected setups it's recommended to review https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html before the deploying the update.
We recommend that you upgrade your tomcat9 packages.
For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9