[SECURITY] [DLA 3617-2] tomcat9 regression update

2023-10-1622:23:23

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.72 High

EPSS

Percentile

98.0%

JSON

Debian LTS Advisory DLA-3617-2 [email protected]
https://www.debian.org/lts/security/ Markus Koschany
October 17, 2023 https://wiki.debian.org/LTS

Package : tomcat9
Version : 9.0.31-1~deb10u10
CVE ID : CVE-2023-44487

A regression was discovered in the Http2UpgradeHandler class of Tomcat 9
introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong
value for the overheadcount variable forced HTTP2 connections to close early.

For Debian 10 buster, this problem has been fixed in version
9.0.31-1~deb10u10.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: This is a digitally signed message part

OSVersionArchitecturePackageVersionFilename
Debian11mipsellibnghttp2-14< 1.43.0-1+deb11u1libnghttp2-14_1.43.0-1+deb11u1_mipsel.deb
Debian11ppc64elnghttp2-client< 1.43.0-1+deb11u1nghttp2-client_1.43.0-1+deb11u1_ppc64el.deb
Debian10allnghttp2< 1.36.0-2+deb10u2nghttp2_1.36.0-2+deb10u2_all.deb
Debian10alltomcat9-user< 9.0.31-1~deb10u9tomcat9-user_9.0.31-1~deb10u9_all.deb
Debian12alllibnghttp2-doc< 1.52.0-1+deb12u1libnghttp2-doc_1.52.0-1+deb12u1_all.deb
Debian10alltomcat9-examples< 9.0.31-1~deb10u10tomcat9-examples_9.0.31-1~deb10u10_all.deb
Debian11mipselnghttp2-client-dbgsym< 1.43.0-1+deb11u1nghttp2-client-dbgsym_1.43.0-1+deb11u1_mipsel.deb
Debian11armhflibnghttp2-14< 1.43.0-1+deb11u1libnghttp2-14_1.43.0-1+deb11u1_armhf.deb
Debian12i386nghttp2-proxy< 1.52.0-1+deb12u1nghttp2-proxy_1.52.0-1+deb12u1_i386.deb
Debian11armhfnghttp2-client< 1.43.0-1+deb11u1nghttp2-client_1.43.0-1+deb11u1_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	mipsel	libnghttp2-14	< 1.43.0-1+deb11u1	libnghttp2-14_1.43.0-1+deb11u1_mipsel.deb
Debian	11	ppc64el	nghttp2-client	< 1.43.0-1+deb11u1	nghttp2-client_1.43.0-1+deb11u1_ppc64el.deb
Debian	10	all	nghttp2	< 1.36.0-2+deb10u2	nghttp2_1.36.0-2+deb10u2_all.deb
Debian	10	all	tomcat9-user	< 9.0.31-1~deb10u9	tomcat9-user_9.0.31-1~deb10u9_all.deb
Debian	12	all	libnghttp2-doc	< 1.52.0-1+deb12u1	libnghttp2-doc_1.52.0-1+deb12u1_all.deb
Debian	10	all	tomcat9-examples	< 9.0.31-1~deb10u10	tomcat9-examples_9.0.31-1~deb10u10_all.deb
Debian	11	mipsel	nghttp2-client-dbgsym	< 1.43.0-1+deb11u1	nghttp2-client-dbgsym_1.43.0-1+deb11u1_mipsel.deb
Debian	11	armhf	libnghttp2-14	< 1.43.0-1+deb11u1	libnghttp2-14_1.43.0-1+deb11u1_armhf.deb
Debian	12	i386	nghttp2-proxy	< 1.52.0-1+deb12u1	nghttp2-proxy_1.52.0-1+deb12u1_i386.deb
Debian	11	armhf	nghttp2-client	< 1.43.0-1+deb11u1	nghttp2-client_1.43.0-1+deb11u1_armhf.deb