[SECURITY] [DSA 5522-3] tomcat9 regression update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 5522-3] tomcat9 regression update
From: Markus Koschany <apo@debian.org>
Date: Mon, 16 Oct 2023 21:36:38 +0000
Message-id: <[🔎] ZS2s5rAy338joZy4@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5522-3                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
October 16, 2023                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2023-44487

A regression was discovered in the Http2UpgradeHandler class of Tomcat 9
introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong
value for the overheadcount variable forced HTTP2 connections to close early.

For the oldstable distribution (bullseye), this problem has been fixed
in version 9.0.43-2~deb11u9.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUtrGRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRklBAAg7AmsDgaOQ6E4PR41JewkEIlV/n/jfqEkhHXRxG9zG4yijcszgTcF3Ii
rf3lBgytAMlSD7dRyy9HG6tRpgMTaajEgeAZdeL01mQf0JnJMg3WPZbkDV9kgyzy
TMhKjMwaSi65nuBETud5OTZIVsnpaonWsQsTxjaIrbdGnQFJrr13cRVKrY8aT5Ur
AxtxTFL8FGQxU+RgTehV5KMbtCY9kZhemwyQ6LRk1UstWhype8/ydK7UCaQEJ777
zyl7ioGvv15GmZMMJCZ1zH0Z6FXlhbVDLCcVshJN3/ddlVTC9Xx10lCEx/hZY29x
b6Stq/YMayZMoKQY2V3JeQbM3OMCPalpcPU+/WbhuX9eZuWHapnlyTwgsjQOVLNc
prPfuUAAGCmNFuPMqN//EtmSQV5SP+dqJrwcGMxWDmuagB4qD9nbwtr1zNb5QJpK
rK24yHlY3Pmu1yegPIeZIJxuFMc5N5cIDj7BfKY51nnV5kbHRshSacBmbm4Sxvfv
lqEPeqZKogGIAXvmPSeC1gCoL0l98rKVOq3bc8+9z2TgB7W/vB60/IyM1pR8svPu
+ShPWFh+tkWvt4PjgZ+qThM+xGkcMX12lhRDmFhs4rE8IQIDChiZWBMReggtw6Ii
ETuYDmr5EAd5u5ymMyQmououeNKwRDi4AbGRPV7JddIVkcbUxgk=
=ENCN
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 5528-1] node-babel7 security update
Next by Date: [SECURITY] [DSA 5529-1] slurm-wlm security update
Previous by thread: [SECURITY] [DSA 5528-1] node-babel7 security update
Next by thread: [SECURITY] [DSA 5529-1] slurm-wlm security update
Index(es):
- Date
- Thread