Debian: Security Advisory for tomcat9 (DSA-4680-1)

The remote host is missing an update for the 'tomcat9' package(s) announced via the DSA-4680-1 advisory.

Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface.

'tomcat9' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u1. The fix for CVE-2020-1938 may require configuration changes when Tomcat is used with the AJP connector, e.g. in combination with libapache-mod-jk. For instance the attribute secretRequired is set to true by default now. For affected setups it's recommended to review [link moved to references] before the deploying the update. We recommend that you upgrade your tomcat9 packages.