UbuntuUpdates.org

Package "tomcat9"

Name: tomcat9

Description:

Apache Tomcat 9 - Servlet and JSP engine

Latest version: 9.0.31-1ubuntu0.1
Release: focal (20.04)
Level: security
Repository: universe
Homepage: http://tomcat.apache.org

Other versions of "tomcat9" in Focal

Repository  Area      Version
base        universe  9.0.31-1
updates     universe  9.0.31-1ubuntu0.1

Changelog

Version: 9.0.31-1ubuntu0.1 2020-10-21 14:06:22 UTC

  tomcat9 (9.0.31-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 Denial of Service
    - debian/patches/CVE-2020-13934.patch: ensure that the HTTP/1.1
      processor is correctly recycled when a direct connection to h2c is
      made
    - CVE-2020-13934
  * SECURITY UPDATE: WebSocket Denial of Service
    - debian/patches/CVE-2020-13935.patch: add additional validation of
      payload length for WebSocket messages
    - CVE-2020-13935
  * SECURITY UPDATE: HTTP/2 Denial of Service
    - debian/patches/CVE-2020-11996.patch: improve performance of closing
      idle HTTP/2 streams
    - CVE-2020-11996
  * SECURITY UPDATE: remote code execution via session persistence
    - debian/patches/CVE-2020-9484.patch: improve validation of storage
      location when using FileStore
    - CVE-2020-9484

 -- Emilia Torino <email address hidden> Tue, 20 Oct 2020 09:27:39 -0300

CVE-2020-13934 An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after
CVE-2020-13935 The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and
CVE-2020-11996 A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger hi
CVE-2020-9484 When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to contr


