CLSA-2024-1724260496 Fix CVE(s): CVE-2020-9484, CVE-2021-25329, CVE-2022-23181
SECURITY UPDATE: still vulnerable to CVE-2020-9484 with a configuration edge case
- debian/patches/CVE-2021-25329.patch: use java.nio.file.Path for consistent sub-directory checking
- CVE-2021-25329
SECURITY UPDATE: time-of-check to time-of-use vulnerability introduced by the CVE-2020-9484 fix
-...
CLSA-2022-1655757814 Fix CVE(s): CVE-2020-1938, CVE-2020-9484, CVE-2021-25329
Fix build process:
- debian/keystores/.pem|.jks: update expiring certs and keystores
- debian/patches/0028-update-expiring-test-certs.patch: update expiring test certs
- debian/patches/0029-fix-path-to-valid-keystore.patch: fix path to valid keystore
- debian/patches/0030-use-tls12-in-tests.patch...
tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the...
Exploit for Deserialization of Untrusted Data in Apache Tomcat
CVE-2020-9484 Tomcat For educational purposes only. See Re...