Sync updates from Debian Buster
requested to merge wip/ritesh/merge-buster-updates.apertis/v2020-security into apertis/v2020-security
tomcat9 (9.0.31-1~deb10u3) buster-security; urgency=medium
- Fixed CVE-2020-13943: HTTP/2 request mix-up. If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
- Fixed CVE-2020-17527: HTTP/2 request header mix-up. It was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.