Package: tomcat9
Version: 9.0.16-4
Severity: important

Hi,

tomcat9, as shipped with Debian buster/stable, is vulnerable to "ghostcat", see https://www.chaitin.cn/en/ghostcat . PoC exploit code has been published. Specifically, Apache Tomcat 9.x < 9.0.31 is vulnerable. Upstream has published 9.0.31 to fix this vulnerability (and other issues, see https://tomcat.apache.org/tomcat-9.0-doc/changelog.html ).

Tomcat as shipped by Debian is likely not vulnerable from the network in the default configuration, since by default the Tomcat AJP Connector only listens on localhost:8009, not on *:8009 .

See also:
https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)

Bye,
Joost

__
This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
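As an added example (not part of Joost's report or of the tomcat9 package), a small audit script that parses a Tomcat server.xml and reports whether each AJP Connector is bound to loopback, as the Debian default is, or to every interface, which is the exposure the report describes; the two server.xml fragments are constructed samples.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import List

LOOPBACK_NAMES = {"localhost"}


def ajp_findings(server_xml: str) -> List[str]:
    """Return one finding ('loopback' or 'exposed') per AJP Connector.

    A connector with no address attribute is reported as exposed, because
    Tomcat releases before 9.0.31 default to listening on all interfaces.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope for this check
        addr = conn.get("address")
        if addr is None:
            findings.append("exposed")
            continue
        addr = addr.strip().strip("[]")  # tolerate bracketed IPv6 literals
        if addr.lower() in LOOPBACK_NAMES:
            findings.append("loopback")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append("exposed")  # unresolved hostname: assume reachable
            continue
        findings.append("loopback" if ip.is_loopback else "exposed")
    return findings


# Constructed sample: AJP bound to every interface (the exposed case).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"/>
  </Service>
</Server>"""

# Constructed sample: the loopback-only binding the report describes as Debian's default.
SAFE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    print("weak:", ajp_findings(WEAK_SERVER_XML))
    print("safe:", ajp_findings(SAFE_SERVER_XML))
```

Run it against /etc/tomcat9/server.xml by reading the file into a string; any "exposed" finding means the AJP port is reachable beyond the host unless a firewall blocks it.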