USN-7562-1: Tomcat vulnerabilities

Publication date

9 June 2025

Overview

Several security issues were fixed in tomcat8, tomcat9, and tomcat10.


Packages

Details

It was discovered that Tomcat did not include the secure attribute for
session cookies when using the RemoteIpFilter with requests from a reverse
proxy. An attacker could possibly use this issue to leak sensitive
information. This issue was fixed for tomcat8 on Ubuntu 18.04 LTS and for
tomcat9 on Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04.
(CVE-2023-28708)

It was discovered that Tomcat incorrectly recycled
certain objects, which could lead to information leaking from one request
to the next. An attacker could potentially use this issue to leak sensitive
information. This issue was fixed for tomcat8 on Ubuntu 18.04 LTS and for
tomcat9 on Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04.
(CVE-2023-42795)

It was discovered that Tomcat incorrectly handled HTTP
trailer headers. A remote attacker could possibly use this issue to perform
HTTP request smuggling. This issue was fixed for tomcat8 on Ubuntu 18.04
LTS and for tomcat9 on Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04.
(CVE-2023-45648)

It was discovered that Tomcat incorrectly handled
incomplete POST requests, which could cause error responses to contain data
from previous requests. An attacker could potentially use this issue to
leak sensitive information. This issue was fixed for tomcat8 on Ubuntu
18.04 LTS and for tomcat9 on Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2024-21733)

It was discovered that Tomcat incorrectly handled socket
cleanup, which could lead to websocket connections staying open. An
attacker could possibly use this issue to cause a denial of service. This
issue was fixed for tomcat8 on Ubuntu 18.04 LTS, tomcat9 on Ubuntu 24.04
LTS, Ubuntu 24.10, and Ubuntu 25.04, and for tomcat10 on Ubuntu 24.04 LTS.
(CVE-2024-23672)

It was discovered that Tomcat incorrectly handled HTTP/2
requests that exceeded configured header limits. An attacker could possibly
use this issue to cause a denial of service. (CVE-2024-24549)

It was discovered that Tomcat incorrectly handled some cases of excessive HTTP
headers when processing HTTP/2 streams. This led to miscounting of active
streams and incorrect timeout handling. An attacker could possibly use this
issue to cause connections to remain open indefinitely, leading to a denial
of service. This issue was fixed for tomcat9 on Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04, and for tomcat10 on Ubuntu
24.04 LTS. (CVE-2024-34750)

It was discovered that Tomcat incorrectly
handled TLS handshake processes under certain configurations. An attacker
could possibly use this issue to cause a denial of service. This issue was
fixed for tomcat9 on Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,
Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04, and for tomcat10 on
Ubuntu 24.04 LTS. (CVE-2024-38286)


Update instructions

In general, a standard system update will make all the necessary changes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu release    Package             Version
25.04 plucky      libtomcat9-java     9.0.70-2ubuntu1.25.04.2
24.10 oracular    libtomcat9-java     9.0.70-2ubuntu1.24.10.2
24.04 noble       libtomcat10-java    10.1.16-1ubuntu0.1~esm2
                  libtomcat9-java     9.0.70-2ubuntu0.1+esm2
                  tomcat10            10.1.16-1ubuntu0.1~esm2
22.04 jammy       libtomcat9-java     9.0.58-1ubuntu0.2+esm3
                  tomcat9             9.0.58-1ubuntu0.2+esm3
20.04 focal       libtomcat9-java     9.0.31-1ubuntu0.9+esm2
                  tomcat9             9.0.31-1ubuntu0.9+esm2
18.04 bionic      libtomcat8-java     8.5.39-1ubuntu1~18.04.3+esm5
                  libtomcat9-java     9.0.16-3ubuntu0.18.04.2+esm7
                  tomcat8             8.5.39-1ubuntu1~18.04.3+esm5
                  tomcat9             9.0.16-3ubuntu0.18.04.2+esm7
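An added example, not part of this notice, that audits a host's installed Tomcat packages against the fixed versions in the table above. It reimplements dpkg's version ordering (epoch, upstream, revision, with '~' sorting below everything) so it also runs off-box on collected inventory; the codename and installed-version inputs are constructed, and on an Ubuntu host `dpkg --compare-versions` remains the authoritative check.

```python
FIXED = {  # fixed versions from the USN-7562-1 table, keyed by (codename, package)
    ("plucky", "libtomcat9-java"): "9.0.70-2ubuntu1.25.04.2",
    ("oracular", "libtomcat9-java"): "9.0.70-2ubuntu1.24.10.2",
    ("noble", "libtomcat10-java"): "10.1.16-1ubuntu0.1~esm2",
    ("noble", "tomcat10"): "10.1.16-1ubuntu0.1~esm2",
    ("noble", "libtomcat9-java"): "9.0.70-2ubuntu0.1+esm2",
    ("jammy", "libtomcat9-java"): "9.0.58-1ubuntu0.2+esm3",
    ("jammy", "tomcat9"): "9.0.58-1ubuntu0.2+esm3",
    ("focal", "libtomcat9-java"): "9.0.31-1ubuntu0.9+esm2",
    ("focal", "tomcat9"): "9.0.31-1ubuntu0.9+esm2",
    ("bionic", "libtomcat8-java"): "8.5.39-1ubuntu1~18.04.3+esm5",
    ("bionic", "tomcat8"): "8.5.39-1ubuntu1~18.04.3+esm5",
    ("bionic", "libtomcat9-java"): "9.0.16-3ubuntu0.18.04.2+esm7",
    ("bionic", "tomcat9"): "9.0.16-3ubuntu0.18.04.2+esm7",
}
def _order(c):
    # dpkg weight: '~' (-1) sorts before end of string and digits (0), then letters, then symbols
    if c == "~": return -1
    if not c or c.isdigit(): return 0
    return ord(c) if c.isalpha() else ord(c) + 256
def _verrevcmp(a, b):
    # dpkg's comparison of one version part: alternating non-digit runs and numeric runs
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1   # numeric runs: drop leading zeros
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1   # longer digit run is larger
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0
def compare_versions(a, b):
    # full dpkg ordering: epoch, then upstream version, then Debian revision
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
def audit(codename, installed):
    # installed: {package: version}, e.g. parsed from dpkg-query -W -f '${Package} ${Version}\n'
    return {p: "fixed" if compare_versions(v, FIXED[(codename, p)]) >= 0 else "VULNERABLE"
            for p, v in installed.items() if (codename, p) in FIXED}
```

A package counts as fixed when its version sorts at or above the table entry; note that a `~esm` version sorts below the same string without the suffix, which is why the ESM builds are versioned that way.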
