| Package | tomcat7 |
|---|---|
| Version | 7.0.56-3+really7.0.109-1+deb8u5 (jessie) |
| Related CVEs | CVE-2023-42795 CVE-2023-45648 |
Two security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
CVE-2023-42795
Information Disclosure. When recycling various internal objects, including
the request and the response, prior to re-use by the next request/response,
an error could cause Tomcat to skip some parts of the recycling process
leading to information leaking from the current request/response to the
next.
CVE-2023-45648
Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A
specially crafted, invalid trailer header could cause Tomcat to treat a
single request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.
For Debian 8 jessie, these problems have been fixed in version 7.0.56-3+really7.0.109-1+deb8u5.
We recommend that you upgrade your tomcat7 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.