Debian 10264 Published by

A tomcat8 security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address two security vulnerabilities.



ELA-959-1 tomcat8 security update

Package : tomcat8
Version : 8.0.14-1+deb8u26 (jessie), 8.5.54-0+deb9u11 (stretch)

Related CVEs :
CVE-2023-24998
CVE-2023-41080

Two security vulnerabilities were discovered in Apache Tomcat, a servlet and
JSP engine.

CVE-2023-24998
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to
provide the file upload functionality defined in the Jakarta Servlet
specification. Apache Tomcat was, therefore, also vulnerable to the Apache
Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to
the number of request parts processed. This resulted in the possibility of
an attacker triggering a DoS with a malicious upload or series of uploads.

CVE-2023-41080
If the ROOT (default) web application is configured to use FORM
authentication then it is possible that a specially crafted URL could be
used to trigger a redirect to an URL of the attacker's choice.

ELA-959-1 tomcat8 security update