-------------------------------------------------------------------------
Debian Security Advisory DSA-5845-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
January 17, 2025                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tomcat10
CVE ID         : CVE-2024-34750 CVE-2024-38286 CVE-2024-50379 CVE-2024-52316
                 CVE-2024-54677 CVE-2024-56337

Several problems have been addressed in Tomcat 10, a Java-based web server,
servlet and JSP engine, which may lead to denial of service and, in some
configurations, to authentication bypass or remote code execution.

CVE-2024-38286

    Apache Tomcat, under certain configurations, allows an attacker to cause
    an OutOfMemoryError by abusing the TLS handshake process.

CVE-2024-52316

    Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is
    configured to use a custom Jakarta Authentication (formerly JASPIC)
    ServerAuthContext component which may throw an exception during the
    authentication process without explicitly setting an HTTP status to
    indicate failure, the authentication may not fail, allowing the user to
    bypass the authentication process. There are no known Jakarta
    Authentication components that behave in this way.

CVE-2024-50379 / CVE-2024-56337

    Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during
    JSP compilation in Apache Tomcat permits an RCE on case-insensitive file
    systems when the default servlet is enabled for write (non-default
    configuration).

    Some users may need additional configuration to fully mitigate
    CVE-2024-50379 depending on which version of Java they are using with
    Tomcat. For Debian 12 "bookworm" the system property
    sun.io.useCanonCaches must be explicitly set to false (it defaults to
    false). Most Debian users will not be affected because Debian uses
    case-sensitive file systems by default.

CVE-2024-34750

    Improper Handling of Exceptional Conditions, Uncontrolled Resource
    Consumption vulnerability in Apache Tomcat. When processing an HTTP/2
    stream, Tomcat did not handle some cases of excessive HTTP headers
    correctly. This led to a miscounting of active HTTP/2 streams, which in
    turn led to the use of an incorrect infinite timeout that allowed
    connections to remain open which should have been closed.

CVE-2024-54677

    Uncontrolled Resource Consumption vulnerability in the examples web
    application provided with Apache Tomcat leads to denial of service.

For the stable distribution (bookworm), these problems have been fixed in
version 10.1.34-0+deb12u1.

We recommend that you upgrade your tomcat10 packages.

For the detailed security status of tomcat10 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/tomcat10

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
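A defender's audit helper for the two actionable items in this advisory, the fixed package version and the explicit sun.io.useCanonCaches=false setting for CVE-2024-50379. This is an added example, not Debian's or Tomcat's code; it implements the dpkg version-ordering rules itself so it runs without dpkg, and the installed version and JAVA_OPTS strings passed to it are constructed inputs.

```python
"""Audit helper for the DSA-5845-1 guidance (constructed example, not Debian's or
Tomcat's code): dpkg-style version comparison plus a check of the JVM options."""
import re
FIXED_VERSION = "10.1.34-0+deb12u1"  # fixed version named in the advisory

def _order(c):
    """dpkg character order: '~' sorts before end-of-string, letters before other symbols."""
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_frag(a, b):
    """Compare version fragments the dpkg way: alternating non-digit and numeric runs."""
    while a or b:
        ra, rb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ra):], b[len(rb):]
        for i in range(max(len(ra), len(rb))):
            oa = _order(ra[i] if i < len(ra) else "")
            ob = _order(rb[i] if i < len(rb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def dpkg_compare(v1, v2):
    """Return -1/0/1 like dpkg --compare-versions: epoch, upstream, then Debian revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_frag(u1, u2) or _cmp_frag(r1, r2)

def canon_caches_setting(java_opts):
    """Value of -Dsun.io.useCanonCaches in a JAVA_OPTS-style string, or None if absent."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\S+)", java_opts)
    return m.group(1).lower() if m else None

def audit(installed_version, java_opts):
    """Findings for one host: package older than the fix, or the property not explicitly false."""
    findings = []
    if dpkg_compare(installed_version, FIXED_VERSION) < 0:
        findings.append(f"tomcat10 {installed_version} predates fixed {FIXED_VERSION}")
    if canon_caches_setting(java_opts) != "false":
        findings.append("sun.io.useCanonCaches is not explicitly false, as the advisory requires")
    return findings
```

On a real host the two inputs would come from `dpkg-query -W -f='${Version}' tomcat10` and the JAVA_OPTS line in /etc/default/tomcat10; an empty findings list means both items of the advisory are in place.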