Release date:
2026-04-27 20:21:07 UTC
Description:
* SECURITY UPDATE: Denial of Service caused by unbounded TLS handshake
  wrap queue in SecureNio2Channel / SecureNioChannel. Backport upstream
  fix from 9.0.x commit 76c5cce6f0bcef14b0c21c38910371ca7d322d13.
  - debian/patches/CVE-2024-38286.patch: cap the handshake wrap queue at
    HANDSHAKE_WRAP_QUEUE_LENGTH_LIMIT (100) and close the connection
    with a localised error message if the cap is exceeded, covering
    both Nio2 and Nio connector variants. Also includes upstream
    follow-up bfa5de95ad ("Avoid possible lost update") which converts
    the SecureNio2Channel counter to AtomicInteger and resets it in
    reset() to prevent a non-atomic read-modify-write race.
  - CVE-2024-38286
Updated packages:
- libtomcat9-embed-java_9.0.31-1ubuntu0.9+tuxcare.els3_all.deb
  sha:9d9bac67ec702ce130bd725a04bc4c7b84b4fa64
- libtomcat9-java_9.0.31-1ubuntu0.9+tuxcare.els3_all.deb
  sha:9ea9001494a5d805153d85a8b28214c3ea0011b3
- tomcat9_9.0.31-1ubuntu0.9+tuxcare.els3_all.deb
  sha:120fe3f77807b58ec2aaab5c9de13334df9cb6d8
- tomcat9-admin_9.0.31-1ubuntu0.9+tuxcare.els3_all.deb
  sha:cb36ab4c4b56489c817bca9376ac90ecf7545519
- tomcat9-common_9.0.31-1ubuntu0.9+tuxcare.els3_all.deb
  sha:e97fbc52c26d8dddba23d06756908ecee9efe80a
- tomcat9-docs_9.0.31-1ubuntu0.9+tuxcare.els3_all.deb
  sha:ec3779a4423f364cebe02d315ad5fcd20e3430bb
- tomcat9-examples_9.0.31-1ubuntu0.9+tuxcare.els3_all.deb
  sha:12bd4df126432c253258fe4f93800e456ff8e1bf
- tomcat9-user_9.0.31-1ubuntu0.9+tuxcare.els3_all.deb
  sha:5c00ff394a1b7e0ee8bedc5e086f9e9f37c46e18
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.