Debian 10261 Published by

A tomcat8 security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address several security vulnerabilities.



ELA-985-1 tomcat8 security update

Package : tomcat8
Version : 8.0.14-1+deb8u27 (jessie), 8.5.54-0+deb9u12 (stretch)

Related CVEs :
CVE-2023-42795
CVE-2023-45648
CVE-2023-44487

Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2023-42795
Information Disclosure. When recycling various internal objects, including
the request and the response, prior to re-use by the next request/response,
an error could cause Tomcat to skip some parts of the recycling process
leading to information leaking from the current request/response to the
next.

CVE-2023-44487
DoS caused by HTTP/2 frame overhead (Rapid Reset Attack).
Only Tomcat 8 in Debian 9 "Stretch" was affected.

CVE-2023-45648
Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A
specially crafted, invalid trailer header could cause Tomcat to treat a
single request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

ELA-985-1 tomcat8 security update