tomcat9 (9.0.107-0+deb10u1) buster-security; urgency=medium

  To remediate vulnerabilities in the Tomcat 9 server stack,
  an upgrade was performed instead of applying minimal patching.
  .
  The following notworthy changes where identified:
  - Tomcat 9.0.33, Hardened AJP connector: secretRequired
    defaults to true. A workarround is to requires explicit config:
    secretRequired="false" or set a secret
  - Tomcat 9.0.65, Deprecated RemoteAddrFilter and RemoteHostFilter.
    You may migrate to RemoteCIDRFilter and RemoteCIDRValve
  - Tomcat 9.0.69, fix Session ID propagation for SSO Valve.
    This may break SSO.

 -- Bastien Roucariès <rouca@debian.org>  Sat, 25 Oct 2025 22:08:32 +0200
