-
tomcat9 (9.0.43-3) unstable; urgency=medium
* Team upload.
* CVE-2021-30640: Fix NullPointerException.
If no userRoleAttribute is specified in the user's Realm configuration, its
default value will be null. This will cause an NPE in the methods
doFilterEscaping and doAttributeValueEscaping. This is upstream bug
https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
-- Markus Koschany <email address hidden> Tue, 10 Aug 2021 17:17:56 +0200
-
tomcat9 (9.0.43-2) unstable; urgency=medium
* Team upload.
[ mirabilos ]
* fix /var/log/tomcat9 permissions
fixup for commit 51128fe9fb2d4d0b56be675d845cf92e4301a6c3
[ Markus Koschany ]
* Fix CVE-2021-30640:
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
authenticate using variations of a valid user name and/or to bypass some of
the protection provided by the LockOut Realm.
* Fix CVE-2021-33037:
Apache Tomcat did not correctly parse the HTTP transfer-encoding request
header in some circumstances leading to the possibility of request
smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer encoding header if the client
declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the
final encoding.
(Closes: #991046)
-- Markus Koschany <email address hidden> Sat, 07 Aug 2021 00:11:43 +0200
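The three CVE-2021-33037 conditions listed in the entry above, written as a request-framing check that can be run over captured requests. This is an added example, not part of the changelog and not Tomcat's parser; the function names, the accept-list of codings and the sample requests are assumptions made for illustration.

```python
# Added example: request-framing check built from the three CVE-2021-33037 rules.
# All names here are hypothetical; this is not Tomcat's parser.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}  # assumed accept-list

def parse_codings(te_values):
    """Flatten every Transfer-Encoding header line into lowercase coding names."""
    codings = []
    for value in te_values:
        for token in value.split(","):
            name = token.split(";", 1)[0].strip().lower()  # drop parameters
            if name:
                codings.append(name)
    return codings

def classify_framing(http_version, headers):
    """Return (verdict, reason) for a request; headers is a list of (name, value)."""
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    has_cl = any(n.lower() == "content-length" for n, _ in headers)
    if not te:
        return ("content-length" if has_cl else "no-body", "no Transfer-Encoding")
    # Rule 1: no branch on http_version, so an HTTP/1.0 request line
    # cannot make the header disappear from the framing decision.
    codings = parse_codings(te)
    # Rule 2: "identity" is rejected rather than honoured.
    if "identity" in codings:
        return ("reject", "identity coding present")
    unknown = [c for c in codings if c not in KNOWN_CODINGS]
    if unknown:
        return ("reject", "unsupported coding: " + ", ".join(unknown))
    # Rule 3: chunked must appear exactly once and be the final coding.
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        return ("reject", "chunked is not the final encoding")
    return ("chunked", "chunked framing applied to " + http_version + " request")

# Constructed sample requests (protocol version, header list).
SAMPLES = [
    ("HTTP/1.0", [("Transfer-Encoding", "chunked"), ("Content-Length", "4")]),
    ("HTTP/1.1", [("Transfer-Encoding", "identity"), ("Content-Length", "4")]),
    ("HTTP/1.1", [("Transfer-Encoding", "chunked, gzip")]),
    ("HTTP/1.1", [("Transfer-Encoding", "gzip"), ("transfer-encoding", "chunked")]),
]

def run_samples():
    return [classify_framing(version, headers)[0] for version, headers in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[0], sample[1], "->", verdict)
```

A front-end proxy and the backend that disagree on any of these verdicts for the same request are the pairing to look for when testing a deployment.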
-
tomcat9 (9.0.43-1) unstable; urgency=medium
* New upstream release
- Refreshed the patches
* Rotate the catalina.out log file with the tomcat user (Closes: #971583)
* Switch to debhelper level 13
-- Emmanuel Bourg <email address hidden> Tue, 02 Feb 2021 20:23:51 +0100