it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
- From: Markus Koschany <apo AT debian.org>
- To: debian-security-announce AT lists.debian.org
- Subject: [IT-SecNots] [SECURITY] [DSA 5845-1] tomcat10 security update
- Date: Fri, 17 Jan 2025 16:21:41 +0000
- Authentication-results: lists.piratenpartei.de; dkim=none; spf=none (lists.piratenpartei.de: domain of "bounce-debian-security-announce=it-securitynotifies=lists.piratenpartei.de AT lists.debian.org" has no SPF policy when checking 2001:41b8:202:deb:216:36ff:fe40:4002) smtp.mailfrom="bounce-debian-security-announce=it-securitynotifies=lists.piratenpartei.de AT lists.debian.org"; dmarc=none
- List-archive: https://lists.debian.org/msgid-search/Z4qDlUnCC1ZGyDCR AT seger.debian.org
- List-id: <debian-security-announce.lists.debian.org>
- List-url: <http://lists.debian.org/debian-security-announce/>
- Old-dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.seger; h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date :Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description: In-Reply-To:References; bh=Xe6fs+N23Z6qvYEsc6q2Q2UwUloeMMXcwafOgkHvi+M=; b=Ih wrzv8fksoI59c9dsrk3mvdARzC9OtPgyuRdJfJ2jqe6kAoApO9Zjk/M1jhGkQKqVLapLyF/i9i0Se iVimqJHl3UkhHDmSVvStZjgx89eebiT1F8RS76BrsXbWY0iWCv85AkPJbxIaJWETKHQhoSBiWeR0y tZW464+xhAGKurfKyFrUInPY/y5c9hwzOaRgTB39NK+zBFaNklFMwGsvBHtK8IgdMUWaYNj2Y1wCo XniunV51JR2ZzNQPapRn6DHXYiP4IBzYUBQyk4Lxt252CHIwg5nOBz9HUe/jZAjKDd2GNMKp1Z/vd WJ68dLbGLPjrai4yOrnDsCVqaW63+XnQ==;
- Old-return-path: <apo AT seger.debian.org>
- Priority: urgent
- Resent-date: Fri, 17 Jan 2025 16:39:12 +0000 (UTC)
- Resent-from: debian-security-announce AT lists.debian.org
- Resent-message-id: <GeTR7MvxQsJ.A.3VNO.weoinB@bendel>
- Resent-sender: debian-security-announce-request AT lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5845-1 security AT debian.org
https://www.debian.org/security/ Markus Koschany
January 17, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : tomcat10
CVE ID : CVE-2024-34750 CVE-2024-38286 CVE-2024-50379 CVE-2024-52316
CVE-2024-54677 CVE-2024-56337
Several problems have been addressed in Tomcat 10, a Java based web server,
servlet and JSP engine which may lead to a denial-of-service.
CVE-2024-38286
Apache Tomcat, under certain configurations, allows an attacker to cause
an
OutOfMemoryError by abusing the TLS handshake process.
CVE-2024-52316
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is
configured to use a custom Jakarta Authentication (formerly JASPIC)
ServerAuthContext component which may throw an exception during the
authentication process without explicitly setting an HTTP status to
indicate failure, the authentication may not fail, allowing the user to
bypass the authentication process. There are no known Jakarta
Authentication components that behave in this way.
CVE-2024-50379 / CVE-2024-56337
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP
compilation in Apache Tomcat permits an RCE on case insensitive file
systems when the default servlet is enabled for write (non-default
configuration).
Some users may need additional configuration to fully mitigate
CVE-2024-50379 depending on which version of Java they are using with
Tomcat. For Debian 12 "bookworm" the system property
sun.io.useCanonCaches must be explicitly set to false (it defaults to
false). Most Debian users will not be affected because Debian uses case
sensitive file systems by default.
CVE-2024-34750
Improper Handling of Exceptional Conditions, Uncontrolled Resource
Consumption vulnerability in Apache Tomcat. When processing an HTTP/2
stream, Tomcat did not handle some cases of excessive HTTP headers
correctly. This led to a miscounting of active HTTP/2 streams which in
turn
led to the use of an incorrect infinite timeout which allowed connections
to remain open which should have been closed.
CVE-2024-54677
Uncontrolled Resource Consumption vulnerability in the examples web
application provided with Apache Tomcat leads to denial of service.
For the stable distribution (bookworm), these problems have been fixed in
version 10.1.34-0+deb12u1.
We recommend that you upgrade your tomcat10 packages.
For the detailed security status of tomcat10 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat10
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmeKgvtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeT05A//bVEZkCYLHMBYyqsYKcL5XhBMHMh9XBoc4I+ZHFit+1qwQQCaCX8E7Aku
rdLHZ37mzOEQxamFAm3v91OwnBhL29WWkU9s276Qy/IZRJZAZ82F+SE67TsakalV
oZyJBkB2W+3klkhW+A6UdxiMHj4bX/l6H1c1mYJCOlDGb0/dqzEyQJguOTE9qLCG
XBvz6kQp9RRPVlIrMKloivPrgvcF1upWR0Cu+CsSNcJHSkY1C38lt9mIh+v6o9Tm
GP0CD8yTxJbp+aLqVFoiFGvwUfuZnYIaAea1GeA+8sk+ukc2f0u7bL6oZTZVAqc6
P1ssriQdtHF/xP/fgCJ2vX0t0oLKm/CJImDP/8BZa7MVMWlN5/Klj0eG6Kpkn3fz
YLcn9742Hsdgh5PIyUly219gf8YA0w97/yDMTh6zRolP+WHns56yFmR9GaNIs51P
92QRmyrm6w5LSxqbzupwUwexO0bjwqf7AW6+pz19n2UTtzpXtSyyTnNfY237gnh1
KvRQy4s5rGGHXJQggX47pimopTh91RdcO2iKf5Y7GCmNurOLwvKwBhAeiVuqCIuW
Qa3c0sV7jU98fioYPCu25Fp+zzjbhTMnRSwAqPU+blYzd8yjxHODRhhJ4fbWrPLi
zqa31uuURRIQoJKKeKe83cLVGyWizdAl58ZE5LFdBXOKtiFqkqU=
=E1MS
-----END PGP SIGNATURE-----
- [IT-SecNots] [SECURITY] [DSA 5845-1] tomcat10 security update, Markus Koschany, 17.01.2025
Archiv bereitgestellt durch MHonArc 2.6.19+.