Your message dated Fri, 07 Apr 2023 10:02:22 +0000
with message-id <[email protected]>
and subject line Bug#1033475: fixed in tomcat9 9.0.43-2~deb11u6
has caused the Debian Bug report #1033475,
regarding tomcat9: CVE-2023-28708
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1033475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033475
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tomcat9
Version: 9.0.70-1
Severity: important
Tags: security upstream
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 9.0.43-2~deb11u4
Control: found -1 9.0.43-2
Hi,
The following vulnerability was published for tomcat9.
CVE-2023-28708[0]:
| When using the RemoteIpFilter with requests received from a reverse
| proxy via HTTP that include the X-Forwarded-Proto header set to https,
| session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2,
| 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not
| include the secure attribute. This could result in the user agent
| transmitting the session cookie over an insecure channel.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-28708
https://www.cve.org/CVERecord?id=CVE-2023-28708
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
[2] https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
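The condition described in the CVE text above can be checked from the outside: send Tomcat a plain-HTTP request that carries X-Forwarded-Proto: https, the way a TLS-terminating proxy would, and see whether the session cookie it hands back carries the Secure attribute. The following is an added example, not code from Tomcat, Debian or the reporter. It assumes RemoteIpFilter trusts the probing host (the host is in its internalProxies, e.g. 127.0.0.1) and honours X-Forwarded-Proto, that the requested path creates a session, and that the session cookie uses Tomcat's default name JSESSIONID; the sample Set-Cookie values in the comments are constructed.

```python
"""Check for the CVE-2023-28708 pattern: a request that reaches Tomcat over
plain HTTP but carries X-Forwarded-Proto: https should still get its session
cookie with the Secure attribute once RemoteIpFilter has marked it secure."""
import http.client
import sys

# Tomcat's default session cookie name; add any custom name configured via
# <session-config><cookie-config><name> in web.xml (assumption: default name).
SESSION_COOKIE_NAMES = {"jsessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True. Example (constructed):
    "JSESSIONID=7A1B2C; Path=/; Secure; HttpOnly"
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def insecure_session_cookies(set_cookie_headers, forwarded_proto="https"):
    """Return the names of session cookies set without Secure although the
    reverse proxy marked the request as https.

    When the client-facing hop is not TLS there is nothing to flag: a cookie
    without Secure is then the expected result, not the bug.
    """
    if forwarded_proto.strip().lower() != "https":
        return []
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIE_NAMES and "secure" not in attrs:
            missing.append(name)
    return missing


def probe(host, port=8080, path="/", timeout=5):
    """Send one plain-HTTP request that claims to come via an https proxy and
    report session cookies that were set without Secure.

    Assumptions: the probing host is in RemoteIpFilter's internalProxies, the
    filter honours X-Forwarded-Proto, and PATH creates a session (a JSP or a
    servlet that calls getSession()).
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"X-Forwarded-Proto": "https"})
        resp = conn.getresponse()
        cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()
    return insecure_session_cookies(cookies, forwarded_proto="https")


if __name__ == "__main__":
    # Usage: python3 check_secure_cookie.py [HOST] [PORT] [PATH]
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    path = sys.argv[3] if len(sys.argv) > 3 else "/"
    hits = probe(host, port, path)
    if hits:
        print("VULNERABLE: session cookie(s) set without Secure:", ", ".join(hits))
        sys.exit(1)
    print("OK: no session cookie set without Secure (or no session was created)")
```

A clean result only means something if the response actually set a session cookie, so pick a path that creates a session and confirm a Set-Cookie header came back; an exit code of 0 on a path that never creates a session proves nothing. The parser is deliberately hand-written rather than http.cookies.SimpleCookie, which stops parsing at attributes it does not know.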
--- Begin Message ---
Source: tomcat9
Source-Version: 9.0.43-2~deb11u6
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated tomcat9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 5 Apr 2023 17:57:36 CEST
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u6
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Checksums-Sha1:
5dcbdb9596463f2b52520b943356f25973924882 2906 tomcat9_9.0.43-2~deb11u6.dsc
c0d398cfb9173c06567e7718c2e537b64bcd3e99 47364 tomcat9_9.0.43-2~deb11u6.debian.tar.xz
5c5a8d647c16d77cc8ed78912b572d540513b38c 13782 tomcat9_9.0.43-2~deb11u6_source.buildinfo
Checksums-Sha256:
343aab34c6e1ca8bb6b7e8bcdbbcc7594a7250288aa59102dd1886666bb9ab31 2906 tomcat9_9.0.43-2~deb11u6.dsc
2ef190ee41f4e7a5442eb049f4e0255a19f42b17ef0e9a339137c536a054ca98 47364 tomcat9_9.0.43-2~deb11u6.debian.tar.xz
320d9d96ed02d79273106c15fafaabb3bc662fbc31a6150af1e7075e5b540d87 13782 tomcat9_9.0.43-2~deb11u6_source.buildinfo
Closes: 1033475
Changes:
tomcat9 (9.0.43-2~deb11u6) bullseye-security; urgency=high
.
* Team upload.
* Fix CVE-2022-42252:
Apache Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false. Tomcat did not reject a request containing an
invalid Content-Length header making a request smuggling attack possible if
Tomcat was located behind a reverse proxy that also failed to reject the
request with the invalid header.
* Fix CVE-2022-45143:
The JsonErrorReportValve in Apache Tomcat did not escape the type, message
or description values. In some circumstances these are constructed from
user provided data and it was therefore possible for users to supply values
that invalidated or manipulated the JSON output.
* Fix CVE-2023-28708:
When using the RemoteIpFilter with requests received from a reverse proxy
via HTTP that include the X-Forwarded-Proto header set to https, session
cookies created by Apache Tomcat did not include the secure attribute. This
could result in the user agent transmitting the session cookie over an
insecure channel. (Closes: #1033475)
Files:
a0e3763cba0271c6a8a9f8f279668eea 2906 java optional tomcat9_9.0.43-2~deb11u6.dsc
9218f651bb495a397c219d06b3224c36 47364 java optional tomcat9_9.0.43-2~deb11u6.debian.tar.xz
139fc4cbef13d2e160db68d3714f19ab 13782 java optional tomcat9_9.0.43-2~deb11u6_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmQtmndfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkUQgP/1KVJTKd9e01/ouH1AYtcIiCuN0od2s5ULvf
bSMdB4Cw2wj9Psj/vJGR2xTSPItfvzomgfHfHoMRWwV6waqV/MKWacVVmlFmiCgm
7koWx2ObIy+/enuRZeOoSPp0f3K1hDA77RCH1Pk5rfJW51DENTkED+kqv4bpirkG
CufCeDrnAOC3cfnA2rVtN/kLPwavML+JPzzO2oWMQHwjY8GehbQ8rVVB6FNX+q6O
NpKvHQqhKk44Ylkjlsx78xNCHV14a9dEzpJ2XGGb5OxJelBs+jIn9RHsC3xPzOL5
ic+Whx5334WjYOlUMCGSVm8K0olcJx/n8FJwHc/7QcKsGPjUQxHyFwFXzI2c2bJc
ZwMoEJgS9Kd1xe9kIsDQwgqvJxoM3DxkPEG6aUmYV3ii6iW76e/VnJVn7kcQlfrP
d5s2NJsBFeeoWDAJTzaF81r2+wnCQm3pbdy3czL0tQlTWQYrVvLQt4WuJIUp2UaF
KaUw4r8HA5Ubz+AzwmcN5t3UsyJLVZQrHCFy+NmcjP/DZUYWI1jQB7GN68PPj5A4
iQdgp7XfqudGf9iE7kZl+PvEJqOhqBLm+AvpAyy4ZPGsWEQvHEFA6OyUAZyk/t+z
iXfqcvmzVRwyZmvAHHXUIEG0WFdxVR26nr5n6ljej4UcKtLWDeqQ5vtxxW0PbuxJ
ERhrc9ek
=Vy1i
-----END PGP SIGNATURE-----
--- End Message ---
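The CVE-2022-42252 entry in the changelog above describes a smuggling precondition that only holds when the reverse proxy in front of Tomcat also lets an invalid Content-Length through. The following is an added example, not Tomcat's, Debian's or the maintainer's code: it implements the framing checks a proxy or a pre-deployment test harness should apply to a raw HTTP/1.1 request head (Content-Length must be 1*DIGIT, repeated values must agree, Content-Length and Transfer-Encoding must not both be present, no obsolete line folding). The sample requests are constructed; the function names are this example's own.

```python
"""Framing checks a reverse proxy should apply before forwarding a request to
Tomcat, so that a request Tomcat itself would only reject with
rejectIllegalHeader=true never reaches it (the CVE-2022-42252 condition)."""
import re

# RFC 9110: Content-Length = 1*DIGIT. Anything else is rejected, not ignored.
_CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")


def parse_request_head(raw):
    """Parse the start line and headers of a raw HTTP/1.1 request head.

    Returns (request_line, [(name, value), ...]). Header names keep their
    case; values lose surrounding whitespace. Obsolete line folding and
    whitespace inside a header name are treated as malformed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t":
            raise ValueError("obsolete line folding in headers")
        name, sep, value = line.partition(":")
        if not sep or not name or " " in name or "\t" in name:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name, value.strip()))
    return lines[0], headers


def framing_problems(raw):
    """Return the reasons (possibly none) why the request's message framing is
    unsafe to forward. An empty list means the framing is unambiguous."""
    try:
        _, headers = parse_request_head(raw)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    cl_values = [v for n, v in headers if n.lower() == "content-length"]
    te_values = [v for n, v in headers if n.lower() == "transfer-encoding"]
    # Content-Length may be repeated or comma-joined; every member must be
    # 1*DIGIT and all members must be identical.
    members = [m.strip() for v in cl_values for m in v.split(",")]
    for member in members:
        if not _CONTENT_LENGTH_RE.match(member):
            problems.append("invalid Content-Length value %r" % member)
    if len(set(members)) > 1:
        problems.append("conflicting Content-Length values %r" % members)
    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems


# Constructed sample requests (not captured traffic).
REQ_OK = b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
REQ_BAD_VALUE = b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5x\r\n\r\nhello"
REQ_CONFLICT = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\nContent-Length: 10\r\n\r\nhello")
REQ_CL_TE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
REQ_FOLDED = b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n 6\r\n\r\nhello"

if __name__ == "__main__":
    for label, req in [("ok", REQ_OK), ("bad value", REQ_BAD_VALUE),
                       ("conflict", REQ_CONFLICT), ("cl+te", REQ_CL_TE),
                       ("folded", REQ_FOLDED)]:
        print(label, "->", framing_problems(req) or "forward")
```

Rejecting on the proxy side is what removes the smuggling window: when Tomcat and the proxy disagree about where a request body ends, the attacker controls how the next request on the same connection is parsed, so the proxy must refuse anything it cannot frame unambiguously rather than pass it on for the backend to decide.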