[SECURITY] [DSA 5665-1] tomcat10 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-5665-1 secur...@debian.org https://www.debian.org/security/ Markus Koschany April 17, 2024https://www.debian.org/security/faq - - Package: tomcat10 CVE ID : CVE-2023-46589 CVE-2024-23672 CVE-2024-24549 Debian Bug : 1057082 1066877 1066878 Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2023-46589 Tomcat 10 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. CVE-2024-24549 Denial of Service due to improper input validation vulnerability for HTTP/2. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. CVE-2024-23672 Denial of Service via incomplete cleanup vulnerability. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. For the stable distribution (bookworm), these problems have been fixed in version 10.1.6-1+deb12u2. We recommend that you upgrade your tomcat10 packages. For the detailed security status of tomcat10 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat10 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmYgQdpfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeRxWg/9HomYTHhhPpVv0BwAECG399S7910TgHArULALOMKdpHjJLmi4PvNoB/u+ 7KwKWdpULjOr4z0YMmxyI6eMHYEgJAEHlZpSzGRt2Sue12g0ouSLJ7//jvfJcI6b 5JnzFdZQQYoGocfIgHczcKGooMDjaujmTuf/bA2tVV+X5gO0QYWGnbr7MLd0y4PC a8KaLGNJcGDSkN2nCFgEi2mMBZP++sEA+TyJJV6cOHyvnXEoD9/wk6IwFos4kDQT y3qbYtRGUwtg/frQ7iS8EtkpK8vHcjflPrtQTvfGLALdXV50RpOOgeIIKOecFs2v PtJp3dEg4L/cWNlPwLVsisYN6gC+pa6z3GoAg5J2O5d9xar+pJQeYLx9WozlGvkL NVVzvj6p30yQOxINtes2xG9pqPOM7alLQl6VjUxm8DVSCne4NKlK32HAyh8Uxi4R V+3nqTPRNeN+3bLeztCOeo/9oxSTkXDDqB9TT3rFooZpP3bpaUH2B37lOONcg/55 +WTTgh8bM8f8MlmOMYqz3IihrxW0WJlgE5oR2vCNwxb8a3ec4GhwdCV5/Sr3LxEJ YkURiWyUE37/OuZB/TnTg26HWcctJJpV+//JOTslRWBr0qXIg6PrMIwYYtTYZwXp U8mmX8cIQVdHQoFvYrJuQz4J74sjDRIddo5rWB7bXXJQEuxcBrs= =WEw1 -END PGP SIGNATURE-
[SECURITY] [DSA 5664-1] jetty9 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-5664-1 secur...@debian.org https://www.debian.org/security/ Markus Koschany April 17, 2024https://www.debian.org/security/faq - - Package: jetty9 CVE ID : CVE-2024-22201 Jetty 9 is a Java based web server and servlet engine. It was discovered that remote attackers may leave many HTTP/2 connections in ESTABLISHED state (not closed), TCP congested and idle. Eventually the server will stop accepting new connections from valid clients which can cause a denial of service. For the oldstable distribution (bullseye), this problem has been fixed in version 9.4.50-4+deb11u2. For the stable distribution (bookworm), this problem has been fixed in version 9.4.50-4+deb12u3. We recommend that you upgrade your jetty9 packages. For the detailed security status of jetty9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jetty9 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmYgPqhfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeS8Wg/+JvDyNdRq1Tu6rEqfHprMuxVifvPSH4RefpWMVY1MUIwRSxCyL9GEKCtu q0a+Vf/JycNVbTcRB0n/UpgFdCCWE6dUngLIoYX/SmA+dXKLN9a+FIKj/aivOvOr CUEkaJiVBjARYoBxDzoLG8STAJkxJvCAIduOSZ4Pr3iaZ+3+mHLpz38aAHz7QCXS NoqaD66hMTCVPnVTTr3CvrhCIjcdxQRteJwkJ0XxT5WxYSBmVuB+zEAxHUt6ocv2 5bMel+B4OMcNrRrdQiUtqAF2i7ktAPO2HUo5+9kxYCwkB1DbgIEhdtkA6aBtTYZ0 ZJbx4kV206DrQO7PjLzbY6RA2o2EiNb1zEZlaaFuGq6ctIpR52PplC0sEPUTVbDH LlDAQUIXzmmJGhD2etF5dpknbBTcAhUjGebCiasqwZ8HWiVUeIEwi89je7+CThjB 3phSjyzqZivdkpYiZTApy3UU3lzXHViCtTIverkaQNoYExWVCKihvMRtSAlhw4b0 ukEt+PNzrgl2N0M3bYh1oEh+TGqiP961Je38l5756wKLSxgzfTwTlrPmH6BFwhkF EnMxzjX4jvRWkVC2Yz4/DiJnRnAEjS3iOsvvDnP/lZkWZOXMT3TY0bRJSwUuEgCc NPF/PE/q6KRtzyxJLuTOFRwk/xob/q4GucD+RuqwHEC2w3fN7WE= =HK3G -END PGP SIGNATURE-
[SECURITY] [DSA 5663-1] firefox-esr security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-5663-1 secur...@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 17, 2024https://www.debian.org/security/faq - - Package: firefox-esr CVE ID : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or clickjacking. For the oldstable distribution (bullseye), these problems have been fixed in version 115.10.0esr-1~deb11u1. For the stable distribution (bookworm), these problems have been fixed in version 115.10.0esr-1~deb12u1. We recommend that you upgrade your firefox-esr packages. For the detailed security status of firefox-esr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/firefox-esr Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYgA9AACgkQEMKTtsN8 TjbBUhAAl/geju5M86Ho+fhEGd2/QmcBQ/XikOAU7GaPpvWJuNA0oMLuHg49NtH8 crvGXpFX/bTYzfMP5VDDPI0aGNJN93R3Jld7dnPya2K9N2zuF+7YURaTIz7V+P4M 5vRsZWlaNEYXpKHfoaIKzF9La8PBaqEKJIU3MRzakp8X0QqLwzd/PKcvP6VBkNiN mqGcVskMmlsnxKlv0K9IpzrNqPGnlLQHY60x1CoP0IWSHEmIfoTfuvsxClCP0dA7 O0DHp7qgafeJ3SiOx72fo6mkocA5ll7IsWeIt9cq65gPqNlXJnJUn4qEdh4zP8EF KPRNddY15oxm4+BAd7U38IW7JB1UVCta57ldShUo73NhMZPcI04gnDqbijCya/KS gAhYgqhpgzB5MzeHQbeJ54aeb3LLjgyT4q+Fy7HmTp9JKK+Ic8hfG9kyYX0/X+Ql 7LzWyXtl+Z8iK4nXAlO+EmZurijrBpzM7XTqRR993ezz0cNvAl2t8DkZ930Jt1Dy EOmVWbjmJl5NerY7qBjA86ttkzcTQ03JdTksorY8qeNu+gbUc195e6buRBBmMfOG B+i+0gmf9Xdm6nfHY2BPytHXmjAOs8+kmAx/0cW5zju1nzX8CiQ0+L+NGcfK0dVm 5axSlYwNwFM/FKVbGstZSfyJ0dfCp/33HOX4ZXGOsg2kmsfnJxU= =7/dJ -END PGP SIGNATURE-
