Debian 10158

Updated tomcat9 and exim4 packages have been released for Debian GNU/Linux 10 LTS:

[DLA 3707-1] tomcat9 security update
[DLA 3708-1] exim4 security update




[DLA 3707-1] tomcat9 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3707-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
January 05, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : tomcat9
Version : 9.0.31-1~deb10u11
CVE ID : CVE-2023-46589
Debian Bug : 1057082

Apache Tomcat 9, a Servlet and JSP engine, had an improper input
validation vulnerability: Tomcat did not correctly parse HTTP trailer
headers. A trailer header that exceeded the header size limit could cause
Tomcat to treat a single request as multiple requests, leading to
the possibility of request smuggling when behind a reverse proxy.

For Debian 10 buster, this problem has been fixed in version
9.0.31-1~deb10u11.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3708-1] exim4 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3708-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
January 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : exim4
Version : 4.92-8+deb10u9
CVE ID : CVE-2023-51766
Debian Bug : 1059387

It was discovered that Exim, a mail transport agent, can be induced to accept a
second message embedded as part of the body of a first message in certain
configurations where PIPELINING or CHUNKING on incoming connections is offered.

For Debian 10 buster, this problem has been fixed in version
4.92-8+deb10u9.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS