-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 16 Jan 2025 22:40:13 +0100
Source: tomcat10
Binary: libtomcat10-embed-java libtomcat10-java tomcat10 tomcat10-admin tomcat10-common tomcat10-docs tomcat10-examples tomcat10-user
Architecture: all
Version: 10.1.34-0+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Markus Koschany
Description:
 libtomcat10-embed-java - Apache Tomcat 10 - Servlet and JSP engine -- embed libraries
 libtomcat10-java - Apache Tomcat 10 - Servlet and JSP engine -- core libraries
 tomcat10   - Apache Tomcat 10 - Servlet and JSP engine
 tomcat10-admin - Apache Tomcat 10 - Servlet and JSP engine -- admin web applicatio
 tomcat10-common - Apache Tomcat 10 - Servlet and JSP engine -- common files
 tomcat10-docs - Apache Tomcat 10 - Servlet and JSP engine -- documentation
 tomcat10-examples - Apache Tomcat 10 - Servlet and JSP engine -- example web applicat
 tomcat10-user - Apache Tomcat 10 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat10 (10.1.34-0+deb12u1) bookworm-security; urgency=high
 .
   * Team upload.
   * Backport 10.1.34 to bookworm to fix open CVE and improve HTTP/2
     functionality.
   * Fix CVE-2024-52316: Unchecked Error Condition vulnerability in Apache
     Tomcat. If Tomcat is configured to use a custom Jakarta Authentication
     (formerly JASPIC) ServerAuthContext component which may throw an
     exception during the authentication process without explicitly setting
     an HTTP status to indicate failure, the authentication may not fail,
     allowing the user to bypass the authentication process. There are no
     known Jakarta Authentication components that behave in this way.
   * Fix CVE-2024-38286: Apache Tomcat, under certain configurations, allows
     an attacker to cause an OutOfMemoryError by abusing the TLS handshake
     process.
   * Fix CVE-2024-50379 / CVE-2024-56337: Time-of-check Time-of-use (TOCTOU)
     Race Condition vulnerability during JSP compilation in Apache Tomcat
     permits an RCE on case insensitive file systems when the default servlet
     is enabled for write (non-default configuration). Some users may need
     additional configuration to fully mitigate CVE-2024-50379 depending on
     which version of Java they are using with Tomcat. For Debian 12
     "bookworm" the system property sun.io.useCanonCaches must be explicitly
     set to false (it defaults to false). Most Debian users will not be
     affected because Debian uses case sensitive file systems by default.
   * Fix CVE-2024-34750: Improper Handling of Exceptional Conditions,
     Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When
     processing an HTTP/2 stream, Tomcat did not handle some cases of
     excessive HTTP headers correctly. This led to a miscounting of active
     HTTP/2 streams which in turn led to the use of an incorrect infinite
     timeout which allowed connections to remain open which should have been
     closed.
   * Fix CVE-2024-54677: Uncontrolled Resource Consumption vulnerability in
     the examples web application provided with Apache Tomcat leads to denial
     of service.
Checksums-Sha1:
 c8d6b70be7f5f4f88eef8e03ccc3f3d170df8d79 4468076 libtomcat10-embed-java_10.1.34-0+deb12u1_all.deb
 56a4386f28ad10bb7408ec5a5323c5b5c13f67c0 6389124 libtomcat10-java_10.1.34-0+deb12u1_all.deb
 cc3e9d7f4dc627284fd75cc4a9b2406df37fa3bd 72412 tomcat10-admin_10.1.34-0+deb12u1_all.deb
 116cb47f713cc6595cc9d30cb80bfbe10ba90b07 66524 tomcat10-common_10.1.34-0+deb12u1_all.deb
 385ca1ff01ce31216e17029ea324c1f1dfe71a7b 1239236 tomcat10-docs_10.1.34-0+deb12u1_all.deb
 a41022eb06993ff3b0bc4ccffe883d356a8248d1 392768 tomcat10-examples_10.1.34-0+deb12u1_all.deb
 7ea78566558aabe7e9a129a56458a08c63f3ae30 38456 tomcat10-user_10.1.34-0+deb12u1_all.deb
 832cfb1e396e5d261ee340d091128a8339db7995 16233 tomcat10_10.1.34-0+deb12u1_all-buildd.buildinfo
 db591004cb9a5e43bb4e4d312dd5a4da488c4d30 42200 tomcat10_10.1.34-0+deb12u1_all.deb
Checksums-Sha256:
 dc81df5f170f4ce66263025d49718645373130272a3bc510b36fa153e715daf8 4468076 libtomcat10-embed-java_10.1.34-0+deb12u1_all.deb
 fce02c77c43c574629b3c7535e9833a79b8b8053873dbaa15ea7195a4dc3901a 6389124 libtomcat10-java_10.1.34-0+deb12u1_all.deb
 2f52a3e6a636217e2cacd900c4e4ccf3d547b22e06d331c8a83c6f02641cff97 72412 tomcat10-admin_10.1.34-0+deb12u1_all.deb
 b0a8be4eed335cd239b700fc33b6f3fdd8d0efcfab6b5bcff82e1e94fbba1f72 66524 tomcat10-common_10.1.34-0+deb12u1_all.deb
 ed7bc35103b673716261b0795bae68d03908ae65bd1eb3b5b3e5308d865d26e1 1239236 tomcat10-docs_10.1.34-0+deb12u1_all.deb
 bc163803dc22ca579a92d090f2f14aaac4bb04b1cd7e6b16db46252241580a51 392768 tomcat10-examples_10.1.34-0+deb12u1_all.deb
 cf80fbb490c88d106be3967645bb4c64ac1e9f7a715d2bbe523db090ed103375 38456 tomcat10-user_10.1.34-0+deb12u1_all.deb
 f1724212f8760f2ec3ef5df0a68f1718c0d6f8d483f379d3f03485f8e88e4095 16233 tomcat10_10.1.34-0+deb12u1_all-buildd.buildinfo
 376bd6ef8c53fe69c8c1f312ef71ceeac8348ee4511201a82110d30363f56950 42200 tomcat10_10.1.34-0+deb12u1_all.deb
Files:
 f259b8f639a574e4b0f1d8041653d520 4468076 java optional libtomcat10-embed-java_10.1.34-0+deb12u1_all.deb
 078250fc7f535dbccaa2c5fc8be9a85b 6389124 java optional libtomcat10-java_10.1.34-0+deb12u1_all.deb
 35b553744d0439065da349db6c9bb279 72412 java optional tomcat10-admin_10.1.34-0+deb12u1_all.deb
 69c1a461593e3af51cddf38e1d9f5e37 66524 java optional tomcat10-common_10.1.34-0+deb12u1_all.deb
 8bb95c656ad0524564e2c4c12da137fc 1239236 doc optional tomcat10-docs_10.1.34-0+deb12u1_all.deb
 a027c8ee734bed555d9f765288bac975 392768 java optional tomcat10-examples_10.1.34-0+deb12u1_all.deb
 783af87ef09d3dd93959ddeb5f9834f5 38456 java optional tomcat10-user_10.1.34-0+deb12u1_all.deb
 53410ca042323093fab3e18afe4e3f00 16233 java optional tomcat10_10.1.34-0+deb12u1_all-buildd.buildinfo
 26e36c7ad5b12630e5bbc5ec3848c61d 42200 java optional tomcat10_10.1.34-0+deb12u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEzcbx6nIE/ydHa1FFigL77i1GSVkFAmeJsgkACgkQigL77i1G
SVmKNw/+P0+cptyZ5jIm79R/RgfaVeUYMHODm0hJQAbKttg8tw3NR+E3B9LvoUG6
2ggsNj1rWDkATo+6MawqWmR9DP/iySmeeyYhyVgbMRHlTROja6dzyBQV/ICRqPnq
X44HjCPc8x7IXQQO0gFiX2KUem9kDlqk+VAXdnhd4TzVdd9vZHt6WxDOgjoxRq31
37DegYCA/rKOqaxAl2wlBB3OSgoKIj3B32ZN7gzRkg9YgpqbWYkCwHlhtaDFCSdj
PF7BfwVcBehAX+QabApK18l/yxBGH+WZ7CK/kCXwE1zA61QDRSz1Y1CCi+JPlyRl
4hhDOFgTO3kmZ5e9aZxKB9+lpPQsyJkZCKci5QmuNtHxgVxDEO0XEyoikYPR75AS
VNme9ikNrJcThGxszAcmPu2q5fc1dTxpP8274993jUW1mHn9YAsWCkA9z/uWPPVV
Q2Fr4oYcf3fpEuOjXh1zRPjyfmnF48jFSGPbef6HuMEiXh05dyF8RtSkeh40BUsX
R7ihkG645keyh7UjSISWqu2oYTdOwlwVsYswZFXvWGerrAi6u9562SETtji1TguR
xDKfF3cvXRlAqm9VMzOyzjzHBAasnG503hvxnAZ94jgzEiq/h3KoqpujwTeVtWhc
yGLIzpYGZJgEeZqfmdI3LHeAOqIiY7pHGf/jyIkvOKl134zduZQ=
=RY6B
-----END PGP SIGNATURE-----
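The CVE-2024-50379 / CVE-2024-56337 entry in the Changes field above makes the fix conditional on three things: whether the DefaultServlet has readonly=false, whether the file system is case insensitive, and how the sun.io.useCanonCaches JVM property is set. The following is an added example, not part of this upload and not Tomcat's or Debian's own code: an offline Python audit that reads a conf/web.xml document and a JAVA_OPTS string and reports whether a host still carries residual exposure after upgrading. It goes beyond the single bookworm sentence by applying the per-Java-version rule from the upstream Tomcat advisory (Java 8 and 11 default the property to true and need it set to false explicitly; Java 17 defaults to false and must not set it to true; Java 21 and later removed the property). The function names, the two web.xml fragments and the JAVA_OPTS strings are constructed for illustration and are not Tomcat APIs.

```python
"""Offline audit for the CVE-2024-50379 / CVE-2024-56337 preconditions.

Added example; function names and sample inputs are assumptions, not
Tomcat or Debian tooling.
"""
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed web.xml fragments (Tomcat 10 uses the jakartaee namespace).
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

DEFAULT_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml):
    """True if the DefaultServlet is configured with init-param readonly=false.

    readonly defaults to true, so a missing parameter means PUT/DELETE are
    rejected and the JSP upload that starts the race is not possible.
    """
    root = ET.fromstring(web_xml)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        cls = "".join((e.text or "") for e in servlet if _local(e.tag) == "servlet-class").strip()
        if cls != DEFAULT_SERVLET:
            continue
        for param in (e for e in servlet if _local(e.tag) == "init-param"):
            fields = {_local(c.tag): (c.text or "").strip() for c in param}
            if fields.get("param-name") == "readonly":
                return fields.get("param-value", "").lower() == "false"
        return False
    return False


def canon_caches_setting(java_opts):
    """'true' / 'false' if -Dsun.io.useCanonCaches is given on the JVM, else None."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(true|false)(?!\S)", java_opts, re.IGNORECASE)
    return m.group(1).lower() if m else None


def canon_caches_safe(java_major, java_opts):
    """Per-Java-version rule from the upstream Tomcat advisory."""
    setting = canon_caches_setting(java_opts)
    if java_major >= 21:          # property and cache removed; nothing to configure
        return True
    if java_major >= 17:          # defaults to false; must not be forced to true
        return setting != "true"
    return setting == "false"     # Java 8/11 default to true; must be set explicitly


def assess(web_xml, java_major, java_opts, case_insensitive_fs):
    """Summarise residual exposure on a host already running the fixed Tomcat."""
    writable = default_servlet_writable(web_xml)
    canon_ok = canon_caches_safe(java_major, java_opts)
    return {
        "default_servlet_writable": writable,
        # The race needs a writable default servlet on a case-insensitive FS;
        # the Tomcat fix only closes it fully when the JVM property is right.
        "canon_caches_ok": canon_ok,
        "residual_rce_risk": writable and case_insensitive_fs and not canon_ok,
    }


if __name__ == "__main__":
    # Bookworm ships OpenJDK 17 and a case-sensitive file system by default.
    print(assess(WEAK_WEB_XML, 17, "-Xmx512m", case_insensitive_fs=False))
    print(assess(WEAK_WEB_XML, 11, "-Xmx512m", case_insensitive_fs=True))
```

On a Debian host the inputs come from /etc/tomcat10/web.xml (or a webapp's own WEB-INF/web.xml, which can override the global default) and from JAVA_OPTS in /etc/default/tomcat10. A writable default servlet is a finding regardless of the JVM property: the audit flags it so the operator can set readonly back to true, which removes the precondition rather than relying on the race being closed.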
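The Checksums-Sha256 and Files stanzas above are what binds each .deb to this signed upload. The following is an added example, not part of the upload and not dpkg's own tooling: a Python parser for the Checksums-Sha256 stanza of a .changes file that verifies manually downloaded packages against it. The function names and the fixture (.changes text plus two small files, one intact and one tampered with at equal size) are constructed for illustration.

```python
"""Verify downloaded files against the Checksums-Sha256 stanza of a .changes file.

Added example; function names and the fixture are constructed, not dpkg APIs.
"""
import hashlib
import os
import tempfile


def parse_checksums_sha256(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza.

    deb822 multi-line fields continue on lines that begin with a space; the
    stanza ends at the next line that does not (here the Files: field).
    """
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if in_stanza:
            if not line.startswith(" "):
                break
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def verify_files(changes_text, directory):
    """Return {filename: 'ok' | 'missing' | 'size-mismatch' | 'sha256-mismatch'}."""
    results = {}
    for name, (expected, size) in parse_checksums_sha256(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == expected else "sha256-mismatch"
    return results


# Constructed fixture: sha256("hello\n") and md5("hello\n"), size 6 bytes.
FIXTURE_CHANGES = (
    "Format: 1.8\n"
    "Source: demo\n"
    "Checksums-Sha256:\n"
    " 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 demo_1.0_all.deb\n"
    " 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 demo-doc_1.0_all.deb\n"
    " 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 demo-extra_1.0_all.deb\n"
    "Files:\n"
    " b1946ac92492d2347c6235b4d2611184 6 misc optional demo_1.0_all.deb\n"
)


def demo():
    """Write one intact, one tampered file, and leave one missing, then verify."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "demo_1.0_all.deb"), "wb") as f:
            f.write(b"hello\n")
        with open(os.path.join(d, "demo-doc_1.0_all.deb"), "wb") as f:
            f.write(b"HELLO\n")   # same size as the original, different bytes
        return verify_files(FIXTURE_CHANGES, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```

The checksums only tie the files to the manifest; the manifest's own authenticity comes from the PGP signature wrapping the .changes file, so verify that first (for instance with gpg --verify against the signer's key in the Debian keyring) before trusting the digests. For packages installed through apt this step is unnecessary, since apt validates the signed Release and Packages indices itself.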