ELA-986-1 tomcat7 security update
Package : tomcat7
Version : 7.0.56-3+really7.0.109-1+deb8u5 (jessie)
Related CVEs :
CVE-2023-42795
CVE-2023-45648
Two security vulnerabilities have been discovered in the Tomcat servlet and JSP
engine.
CVE-2023-42795
Information Disclosure. When recycling various internal objects, including
the request and the response, prior to re-use by the next request/response,
an error could cause Tomcat to skip some parts of the recycling process
leading to information leaking from the current request/response to the
next.
CVE-2023-45648
Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A
specially crafted, invalid trailer header could cause Tomcat to treat a
single request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.
A tomcat7 security update has been released for Debian GNU/Linux 8 Extended LTS to address two security vulnerabilities.