Debian 10225 Published by

The following new security updates are available for Debian GNU/Linux:

[DSA 5665-1] tomcat10 security update
[DSA 5664-1] jetty9 security update
[DSA 5663-1] firefox-esr security update




[DSA 5665-1] tomcat10 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5665-1 security@debian.org
https://www.debian.org/security/ Markus Koschany
April 17, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tomcat10
CVE ID : CVE-2023-46589 CVE-2024-23672 CVE-2024-24549
Debian Bug : 1057082 1066877 1066878

Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2023-46589

Tomcat 10 did not correctly parse HTTP trailer headers. A trailer header
that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

CVE-2024-24549

Denial of Service due to improper input validation vulnerability for
HTTP/2. When processing an HTTP/2 request, if the request exceeded any of
the configured limits for headers, the associated HTTP/2 stream was not
reset until after all of the headers had been processed.

CVE-2024-23672

Denial of Service via incomplete cleanup vulnerability. It was possible
for WebSocket clients to keep WebSocket connections open leading to
increased resource consumption.

For the stable distribution (bookworm), these problems have been fixed in
version 10.1.6-1+deb12u2.

We recommend that you upgrade your tomcat10 packages.

For the detailed security status of tomcat10 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat10

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5664-1] jetty9 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5664-1 security@debian.org
https://www.debian.org/security/ Markus Koschany
April 17, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jetty9
CVE ID : CVE-2024-22201

Jetty 9 is a Java based web server and servlet engine. It was discovered that
remote attackers may leave many HTTP/2 connections in ESTABLISHED state (not
closed), TCP congested and idle. Eventually the server will stop accepting new
connections from valid clients which can cause a denial of service.

For the oldstable distribution (bullseye), this problem has been fixed
in version 9.4.50-4+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in
version 9.4.50-4+deb12u3.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5663-1] firefox-esr security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5663-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 17, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854
CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or clickjacking.

For the oldstable distribution (bullseye), these problems have been fixed
in version 115.10.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 115.10.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/