This bug was fixed in the package tomcat9 - 9.0.95-1ubuntu1
---------------
tomcat9 (9.0.95-1ubuntu1) questing; urgency=medium
* Merge with Debian unstable. (LP: #2116267) Remaining changes:
- d/p/CVE-2025-24813.patch: Enhance lifecycle of
temporary files used by partial PUT and use File.createTempFile()
instead of custom naming based on resource path conversion in
java/org/apache/catalina/servlets/DefaultServlet.java
* Dropped changes, superseded upstream:
- d/p/CVE-2023-46589_1.patch: Differentiate request cancellation
- d/p/CVE-2023-46589_2.patch: Ensure IOException on request read
always triggers error handling.
- d/p/CVE-2023-28708.patch: Fix BZ 66471 - JSessionId
secure attribute missing with RemoteIpFilter and X-Forwarded-Proto
set to https
- d/p/CVE-2023-42795.patch: Improve handling of failures during
recycle() methods
- d/p/CVE-2023-45648.patch: Align processing of trailer headers with
standard processing
- d/p/CVE-2024-23672-pre-1.patch: Rename prior to extending with
additional tests
- d/p/CVE-2024-23672-pre-2.patch: Add test util getter for root
context with class path scanning disabled
- d/p/CVE-2024-23672.patch: Refactor WebSocket close for suspend/resume
- d/p/CVE-2024-24549.patch: Report HTTP/2 header parsing
errors earlier
- d/p/CVE-2024-24549-post-1.patch: Make recycled streams eligible for
GC immediately. Improves scalability.
- d/p/CVE-2024-24549-post-2.patch: Update tests after HTTP/2
improvements
- d/p/CVE-2024-34750-pre-1.patch: Fix 66530 - Regression in fix for
BZ 66442. Ensure count is decremented
- d/p/CVE-2024-34750-pre-2.patch: Refactor decrement using a common
method
- d/p/CVE-2024-34750.patch: Make counting of active streams more robust
- d/p/CVE-2024-38286.patch: Add support for re-keying with TLS 1.3
- Search for the appropriate JDT jar according to new project
structure. This was fixed in Debian unstable in
d/p/0030-eclipse-jdt-classpath.patch
-- Eduardo Barretto <[email protected]> Wed, 09 Jul 2025 17:12:14 +0200
** Changed in: tomcat9 (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-28708
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-42795
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-45648
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46589
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-23672
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-24549
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-34750
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38286
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-24813
https://bugs.launchpad.net/bugs/2116267
Title:
Please merge tomcat9 from Debian Unstable for Questing