
A tomcat8 security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address a flaw where session cookies created by Apache Tomcat did not include the secure attribute.



ELA-830-1 tomcat8 security update

Package : tomcat8
Version : 8.0.14-1+deb8u25 (jessie), 8.5.54-0+deb9u10 (stretch)

Related CVEs : CVE-2023-28708

A flaw has been found in the Tomcat servlet and JSP engine. When using the
RemoteIpFilter with requests received from a reverse proxy via HTTP that
include the X-Forwarded-Proto header set to https, session cookies created by
Apache Tomcat did not include the secure attribute. This could result in the
user agent transmitting the session cookie over an insecure channel.
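
The condition described above can be checked on a captured exchange between the reverse proxy and Tomcat. The Python below is an added example, not part of the advisory or of Tomcat; the function names, hosts, addresses and session id are constructed, and JSESSIONID (Tomcat's default) is assumed as the session cookie name.

```python
# Added example: audit a captured proxy-to-Tomcat exchange for the condition
# in this advisory. All hosts, addresses and session ids below are constructed.

SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name (assumed in use)

def parse_headers(raw):
    """Return [(lower-cased name, value)] from a raw HTTP header block."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip request/status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def insecure_session_cookies(request_raw, response_raw, cookie=SESSION_COOKIE):
    """Set-Cookie values that set the session cookie without Secure although
    the proxy marked the original request as https."""
    request = dict(parse_headers(request_raw))
    if request.get("x-forwarded-proto", "").lower() != "https":
        return []  # not the case the advisory describes
    findings = []
    for name, value in parse_headers(response_raw):
        if name != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(value)
        if cookie_name == cookie and "secure" not in attrs:
            findings.append(value)
    return findings

# Constructed sample: request as forwarded by the proxy over plain HTTP.
REQUEST = """GET /app/login HTTP/1.1
Host: backend.internal.example
X-Forwarded-For: 203.0.113.7
X-Forwarded-Proto: https
"""
# Constructed sample: response showing the flaw (no Secure attribute).
AFFECTED = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly
"""
# Constructed sample: response as expected once the cookie carries Secure.
EXPECTED = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly
"""
```

Calling `insecure_session_cookies(REQUEST, AFFECTED)` returns the offending Set-Cookie value, while the same call with `EXPECTED` returns an empty list.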
