[SECURITY] [DLA 3617-2] tomcat9 regression update
Debian LTS Advisory DLA-3617-2                     debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Markus Koschany
October 17, 2023                                      https://wiki.debian.org/LTS

Package        : tomcat9
Version        : 9.0.31-1~deb10u10
CVE ID         : CVE-2023-44487

A regression was discovered in the Http2UpgradeHandler class of Tomcat 9, introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early.

For Debian 10 buster, this problem has been fixed in version 9.0.31-1~deb10u10.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3621-1] nghttp2 security update
Debian LTS Advisory DLA-3621-1                     debian-...@lists.debian.org
https://www.debian.org/lts/security/                             Sean Whitton
October 16, 2023                                      https://wiki.debian.org/LTS

Package        : nghttp2
Version        : 1.36.0-2+deb10u2
CVE ID         : CVE-2020-11080 CVE-2023-44487
Debian Bug     : 962145 1053769

Multiple vulnerabilities were discovered in nghttp2, an implementation of the HTTP/2 protocol.

CVE-2020-11080
    A denial-of-service could be caused by a large HTTP/2 SETTINGS frame payload.

CVE-2023-44487
    A denial-of-service could be caused by resetting many HTTP/2 streams quickly. This has been observed in the wild since August.

For Debian 10 buster, these problems have been fixed in version 1.36.0-2+deb10u2.

We recommend that you upgrade your nghttp2 packages.

For the detailed security status of nghttp2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nghttp2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3620-1] poppler security update
Debian LTS Advisory DLA-3620-1                     debian-...@lists.debian.org
https://www.debian.org/lts/security/                              Adrian Bunk
October 16, 2023                                      https://wiki.debian.org/LTS

Package        : poppler
Version        : 0.71.0-5+deb10u3
CVE ID         : CVE-2020-23804 CVE-2022-37050 CVE-2022-37051

Several vulnerabilities have been fixed in poppler, a PDF rendering library.

CVE-2020-23804
    Stack overflow in XRef::readXRefTable()

CVE-2022-37050
    Crash in PDFDoc::savePageAs()

CVE-2022-37051
    Crash in the pdfunite tool

For Debian 10 buster, these problems have been fixed in version 0.71.0-5+deb10u3.

We recommend that you upgrade your poppler packages.

For the detailed security status of poppler please refer to its security tracker page at: https://security-tracker.debian.org/tracker/poppler

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS