Tomcat9 package is old version with many security issues

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Status changed to 'Confirmed' because the bug affects multiple users.

In the meantime, several security vulnerabilities have been found with the current version.

https://portswigger.net/daily-swig/http-request-smuggling-vulnerability-in-apache-tomcat-has-been-present-since-2015

Furthermore, you should skip to version 9.0.48 because there is a BUG in connection with HTTP2:

https://bz.apache.org/bugzilla/show_bug.cgi?id=65448

  * SECURITY UPDATE: TLS Denial of Service
    - debian/patches/CVE-2021-41079.patch: Apache Tomcat did not properly
      validate incoming TLS packets. When Tomcat was configured to use
      NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be
      used to trigger an infinite loop resulting in a denial of service.
    - CVE-2021-41079
  * SECURITY UPDATE: Authentication Vulnerability
    - debian/patches/CVE-2021-30640.patch: A vulnerability in the JNDI Realm
      of Apache Tomcat allows an attacker to authenticate using variations of
      a validc user name and/or to bypass some of the protection provided by
      the LockOut Realm.
    - CVE-2021-30640
  * SECURITY UPDATE: Request Smuggling
    - debian/patches/CVE-2021-33037.patch: Apache Tomcat did not correctly
      parse the HTTP transfer-encoding request header in some circumstances
      leading to the possibility to request smuggling when used with a reverse
      proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding
      header if the client declared it would only accept an HTTP/1.0 response;
      - Tomcat honoured the identify encoding; and - Tomcat did not ensure
      that, if present, the chunked encoding was the final encoding.
    - CVE-2021-33037
  * SECURITY UPDATE: remote code execution via session persistence
    - debian/patches/CVE-2021-25329.patch: The fix for CVE-2020-9484 was
      incomplete. When using Apache Tomcat with a configuration edge case that
      was highly unlikely to be used, the Tomcat instance was still vulnerable
      to CVE-2020-9494. Note that both the previously published prerequisites
      for CVE-2020-9484 and the previously published mitigations for
      CVE-2020-9484 also apply to this issue.
    - CVE-2021-25329
  * SECURITY UPDATE: Request Header Duplication
    - debian/patches/CVE-2021-25122.patch: When responding to new h2c
      connection requests, Apache Tomcat could duplicate request headers and a
      limited amount of request body from one request to another meaning user
      A and user B could both see the results of user A's request.
    - CVE-2021-25122
  * SECURITY UPDATE: HTTP/2 request header mix-up
    - debian/patches/CVE-2020-17527.patch: HTTP/2 It was discovered that
      Apache Tomcat could re-use an HTTP request header value from the previous
      stream received on an HTTP/2 connection for the request associated with
      the subsequent stream. While this would most likely lead to an error and
      the closure of the HTTP/2 connection, it is possible that information
      could leak between requests.
    - CVE-2020-17527
  * SECURITY UPDATE: HTTP/2 request mix-up
    - debian/patches/CVE-2020-13943.patch: If an HTTP/2 client exceeded the
      agreed maximum number of concurrent streams for a connection (in
      violation of the HTTP/2 protocol), it was possible that a subsequent
      request made on that connection could contain HTTP headers - including
      HTTP/2 pseudo headers - from a previous request rather than the intended
      headers. This could lead to users seeing responses for unexpected
      resources.
    - CVE-2020-13943

I have built the package and tried it and seemed to be working. The added patches were already in the Debian counterpart, therefore there should not be any problems.

Hello Evren, thanks for the debdiff. I'm using it to build the new release for Focal. I did some checks today and will continue on Monday. If all goes well I think we can have a new package in the archive next week. Meanwhile, I'm working on the bionic version.

Hi Paulo,
Thanks for looking into this and sorry that I forgot bionic actually. Did all go well?
I have some other small bugfixes for this package at #1964881 (although not security related and there are no code changes to source). I am not sure if you would like to combine them or not?
Thanks!

Hello Evren, hmm I just published both bionic (9.0.16-3ubuntu0.18.04.2) and focal (9.0.31-1ubuntu0.2). I finished some tests yesterday. Foi bionic I had to do some changes and add an extra commit to support one of fixes.

Paulo, thank you for the help. Great work!