** Merge proposal linked: https://code.launchpad.net/~ebarretto/ubuntu/+source/tomcat9/+git/tomcat9/+merge/488660
** Description changed:

  Scheduled-For: ubuntu-25.07
  Ubuntu: 9.0.70-2ubuntu3
  Debian Unstable: 9.0.95-1

  A new release of tomcat9 is available for syncing from Debian Unstable
+
+ ### New Debian Changes ###
+
+ tomcat9 (9.0.95-1) unstable; urgency=medium
+
+   * New upstream release
+     - Refreshed the patches
+   * Add the missing dependency on libeclipse-jdt-core-compiler-batch-java
+     (Closes: #1078389)
+   * No longer suggest the removed tomcat9 package
+   * Standards-Version updated to 4.7.0
+
+  -- Emmanuel Bourg <[email protected]>  Mon, 30 Sep 2024 14:22:45 +0200
+
+ ### Old Ubuntu Delta ###
+
+ tomcat9 (9.0.70-2ubuntu3) questing; urgency=medium
+
+   * SECURITY UPDATE: Information disclosure via missing secure attribute
+     - debian/patches/CVE-2023-28708.patch: Fix BZ 66471 - JSessionId
+       secure attribute missing with RemoteIpFilter and X-Forwarded-Proto
+       set to https
+     - CVE-2023-28708
+   * SECURITY UPDATE: Information disclosure via incomplete cleanup
+     - debian/patches/CVE-2023-42795.patch: Improve handling of failures
+       during recycle() methods
+     - CVE-2023-42795
+   * SECURITY UPDATE: HTTP request smuggling via trailer headers
+     - debian/patches/CVE-2023-45648.patch: Align processing of trailer
+       headers with standard processing
+     - CVE-2023-45648
+   * SECURITY UPDATE: Denial of service via WebSocket connections
+     - debian/patches/CVE-2024-23672-pre-1.patch: Rename prior to
+       extending with additional tests
+     - debian/patches/CVE-2024-23672-pre-2.patch: Add test util getter
+       for root context with class path scanning disabled
+     - debian/patches/CVE-2024-23672.patch: Refactor WebSocket close for
+       suspend/resume
+     - CVE-2024-23672
+   * SECURITY UPDATE: Denial of service via HTTP/2 header parsing
+     - debian/patches/CVE-2024-24549.patch: Report HTTP/2 header parsing
+       errors earlier
+     - debian/patches/CVE-2024-24549-post-1.patch: Make recycled streams
+       eligible for GC immediately. Improves scalability.
+     - debian/patches/CVE-2024-24549-post-2.patch: Update tests after
+       HTTP/2 improvements
+     - CVE-2024-24549
+   * SECURITY UPDATE: Denial of service via HTTP/2 stream handling
+     - debian/patches/CVE-2024-34750-pre-1.patch: Fix 66530 - Regression
+       in fix for BZ 66442. Ensure count is decremented
+     - debian/patches/CVE-2024-34750-pre-2.patch: Refactor decrement
+       using a common method
+     - debian/patches/CVE-2024-34750.patch: Make counting of active
+       streams more robust
+     - CVE-2024-34750
+   * SECURITY UPDATE: Denial of service via TLS handshake abuse
+     - debian/patches/CVE-2024-38286.patch: Add support for re-keying
+       with TLS 1.3
+     - CVE-2024-38286
+
+  -- Vyom Yadav <[email protected]>  Mon, 09 Jun 2025 16:07:45 +0530
+
+ tomcat9 (9.0.70-2ubuntu2) questing; urgency=medium
+
+   * SECURITY UPDATE: Path equivalence vulnerability in DefaultServlet
+     - debian/patches/CVE-2025-24813.patch: Enhance lifecycle of
+       temporary files used by partial PUT and use File.createTempFile()
+       instead of custom naming based on resource path conversion in
+       java/org/apache/catalina/servlets/DefaultServlet.java
+     - CVE-2025-24813
+
+  -- Vyom Yadav <[email protected]>  Mon, 26 May 2025 12:58:55 +0530
+
+ tomcat9 (9.0.70-2ubuntu1.1) oracular; urgency=medium
+
+   * Search for the appropriate JDT jar according to new project
+     structure
+
+  -- Octavio Galland <[email protected]>  Tue, 24 Sep 2024 15:59:05 -0300
+
+ tomcat9 (9.0.70-2ubuntu1) oracular; urgency=medium
+
+   * SECURITY UPDATE: HTTP request smuggling via invalid header size
+     - debian/patches/CVE-2023-46589_1.patch: Differentiate request cancellation
+       from a bad request.
+     - debian/patches/CVE-2023-46589_2.patch: Ensure IOException on request read
+       always triggers error handling.
+     - CVE-2023-46589
+
+  -- Octavio Galland <[email protected]>  Mon, 23 Sep 2024 14:01:33 -0300
+
+
+ Out of all the Security Patches applied in the Ubuntu delta, only the fix for CVE-2025-24813 is still needed as the other CVEs are already fixed in the source code of Debian's version. Also, we can drop the change done to debian/ant.properties in Ubuntu's delta, as Debian solved the same in a different manner in d/p/0030-eclipse-jdt-classpath.patch.
+ A test build was done here: https://launchpad.net/~ebarretto/+archive/ubuntu/devel-testing/+packages?field.name_filter=tomcat9&field.status_filter=published&field.series_filter=

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2116267

Title:
  Please merge tomcat9 from Debian Unstable for Questing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/2116267/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
