-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Jan 2025 00:33:16 CET
Source: tomcat10
Architecture: source
Version: 10.1.34-0+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Checksums-Sha1:
 1d1ef8fe9974b1773c02ec1dd5a9aa4062bfd317 3014 tomcat10_10.1.34-0+deb12u1.dsc
 392a1dda8a1c6de8ac066117f5a3f04c1c2a476a 4706224 tomcat10_10.1.34.orig.tar.xz
 5a79e435f5feab95db8dcdb877122270cdbb7a22 51256 tomcat10_10.1.34-0+deb12u1.debian.tar.xz
 c575d97ff98d0d06320dd6441dc96858e345a4ee 16788 tomcat10_10.1.34-0+deb12u1_amd64.buildinfo
Checksums-Sha256:
 3aa02ff00c46891ede32b9dbd6bb25b2f40e034b242d11837e33055e8c966682 3014 tomcat10_10.1.34-0+deb12u1.dsc
 a56c7fb9a822f44b3cd104ec2be0c892084c991ae839394166dc772a2b272a54 4706224 tomcat10_10.1.34.orig.tar.xz
 2a7067524b9ae7f7fd3fe32943b77e0681b78a9f337b310cf02caab8190523da 51256 tomcat10_10.1.34-0+deb12u1.debian.tar.xz
 898aed9896f71f68d994aead75f59331df80a86a88bc9b9519d76fa1227b28ee 16788 tomcat10_10.1.34-0+deb12u1_amd64.buildinfo
Changes:
 tomcat10 (10.1.34-0+deb12u1) bookworm-security; urgency=high
 .
   * Team upload.
   * Backport 10.1.34 to bookworm to fix open CVE and improve HTTP/2
     functionality.
   * Fix CVE-2024-52316: Unchecked Error Condition vulnerability in Apache
     Tomcat. If Tomcat is configured to use a custom Jakarta Authentication
     (formerly JASPIC) ServerAuthContext component which may throw an
     exception during the authentication process without explicitly setting
     an HTTP status to indicate failure, the authentication may not fail,
     allowing the user to bypass the authentication process. There are no
     known Jakarta Authentication components that behave in this way.
   * Fix CVE-2024-38286: Apache Tomcat, under certain configurations, allows
     an attacker to cause an OutOfMemoryError by abusing the TLS handshake
     process.
   * Fix CVE-2024-50379 / CVE-2024-56337: Time-of-check Time-of-use (TOCTOU)
     Race Condition vulnerability during JSP compilation in Apache Tomcat
     permits an RCE on case insensitive file systems when the default servlet
     is enabled for write (non-default configuration). Some users may need
     additional configuration to fully mitigate CVE-2024-50379 depending on
     which version of Java they are using with Tomcat. For Debian 12
     "bookworm" the system property sun.io.useCanonCaches must be explicitly
     set to false (it defaults to false). Most Debian users will not be
     affected because Debian uses case sensitive file systems by default.
   * Fix CVE-2024-34750: Improper Handling of Exceptional Conditions,
     Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When
     processing an HTTP/2 stream, Tomcat did not handle some cases of
     excessive HTTP headers correctly. This led to a miscounting of active
     HTTP/2 streams which in turn led to the use of an incorrect infinite
     timeout which allowed connections to remain open which should have been
     closed.
   * Fix CVE-2024-54677: Uncontrolled Resource Consumption vulnerability in
     the examples web application provided with Apache Tomcat leads to denial
     of service.
Files:
 91dfa2ccfd1d361328bb11d9e6dcd445 3014 java optional tomcat10_10.1.34-0+deb12u1.dsc
 cfa998de0b5116ef8d9bbab6905e145e 4706224 java optional tomcat10_10.1.34.orig.tar.xz
 2f6ddf934c19e392651d074fe5d3c876 51256 java optional tomcat10_10.1.34-0+deb12u1.debian.tar.xz
 95e3fbf30359bddacae579cf72dcde1f 16788 java optional tomcat10_10.1.34-0+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmeJl6RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkJIwP/ip5arKF0rSlwKZ8Ftmt3rs/kY5JBLl2+bsI
jBKn45//qX9CAkIisV5jaPpn5nD7ewXE8I+eG6jc/ECwc4J4l8cjFA80t9OvLmMA
t0I+QaJU1qBGlKyLEDk8BUAxe06JdlPqUqdHLf3Ii0GVaohs6PJH8aOg1UPbvcbG
Hiyj4BI2u37vcZCOW2IuIPy3NM8d1Waecdlv5O2HIajBZYOQ0wg03oQSoj9iH40C
fIyixfDqFjOpLHssZUjvvgtZmxOOi12MZatUteUdqg+Rxnya0gCsO8gJFkUHyjB1
XIcoeirnJmzeJxPmbf1FuZ55iwkbr1UakqqkF+HIVInW+iSrzRSTwj7tQ5prkv74
aSweEceKyYXyYU2erxvflrOKsAbijX8syC+hUn8GIVS70fLUdY617GFIOteWanQ2
7JSet+oDVFuQSG6xJOh7zNATpqASoWC6lgmuDDiwDB+L9LjKUdn6tfmINA+WTdI2
QZvnGCWHB9pY+Kqi8Y45RsKQ4PdzZn9MyYOAeHAaCYmh60po2ng7mdjE/ZDWGi3Z
eCGHkcdAMZ/o2nB6mkwdTWeT3bmiPyrIkiNQPRaLSXWPAmqL6VBduIiGF38PczlE
Ieay++eLc4Sr2cKVKY/lSuH7UnytbgYmd/OZfCcnrHJGUjxTMS7lWJxM3CgVT13J
85Fnz8HG
=XwsC
-----END PGP SIGNATURE-----