Version in base suite: 9.0.43-2~deb11u6 Version in overlay suite: 9.0.43-2~deb11u7 Base version: tomcat9_9.0.43-2~deb11u7 Target version: tomcat9_9.0.43-2~deb11u8 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tomcat9/tomcat9_9.0.43-2~deb11u7.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tomcat9/tomcat9_9.0.43-2~deb11u8.dsc changelog | 7 +++++++ patches/CVE-2023-44487.patch | 15 ++++++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-)
diff -Nru tomcat9-9.0.43/debian/changelog tomcat9-9.0.43/debian/changelog
--- tomcat9-9.0.43/debian/changelog 2023-10-10 16:20:19.000000000 +0000
+++ tomcat9-9.0.43/debian/changelog 2023-10-12 15:32:21.000000000 +0000
@@ -1,3 +1,10 @@
+tomcat9 (9.0.43-2~deb11u8) bullseye-security; urgency=high
+
+ * Fixed the HTTP/2 overhead protection triggered on data frames.
+ (Closes: #1053820
+
+ -- Emmanuel Bourg Thu, 12 Oct 2023 17:32:21 +0200
+
 tomcat9 (9.0.43-2~deb11u7) bullseye-security; urgency=high
 * Fix CVE-2023-45648: Request smuggling. Tomcat did not correctly parse HTTP
diff -Nru tomcat9-9.0.43/debian/patches/CVE-2023-44487.patch tomcat9-9.0.43/debian/patches/CVE-2023-44487.patch
--- tomcat9-9.0.43/debian/patches/CVE-2023-44487.patch 2023-10-10 15:06:59.000000000 +0000
+++ tomcat9-9.0.43/debian/patches/CVE-2023-44487.patch 2023-10-12 15:32:21.000000000 +0000
@@ -2,6 +2,7 @@
 Origin: backport, https://github.com/apache/tomcat/commit/30cae120a61f075b1712f2e8da4daa23f1135c83
 https://github.com/apache/tomcat/commit/94480483910f2d19561e88fb194d7b415bb527da
 https://github.com/apache/tomcat/commit/3f0efca913b09fa3a3d9c246cc29045ac8a2befe
+ https://github.com/apache/tomcat/commit/c551ecaa1ba4ffe50a67009a9c94efb03439ae8b
 https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a
 --- a/java/org/apache/coyote/http2/Http2Protocol.java
 +++ b/java/org/apache/coyote/http2/Http2Protocol.java
@@ -77,7 +78,7 @@
 - private void reduceOverheadCount() {
 - overheadCount.decrementAndGet();
-+ private void reduceOverheadCount(FrameType frameType) {
++ void reduceOverheadCount(FrameType frameType) {
 + // A non-overhead frame reduces the overhead count by
 + // Http2Protocol.DEFAULT_OVERHEAD_REDUCTION_FACTOR. A simple browser
 + // request is likely to have one non-overhead frame (HEADERS) and one
@@ -292,3 +293,15 @@
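Review bot: The widening of reduceOverheadCount(FrameType) from private to package-private on the `++ void reduceOverheadCount(FrameType frameType) {` line is undocumented; the method comment that follows explains the reduction factor but not who outside the class is now expected to call it. Presumably the new caller is Http2AsyncUpgradeHandler.writeBody, which the later hunk of this patch wires up, so a one-line comment such as `// Package-private: also called from Http2AsyncUpgradeHandler.writeBody to credit DATA frames.` would make the intent explicit. Because this counter backs the CVE-2023-44487 overhead protection, naming the intended callers also makes it easier to audit that each frame type is credited from exactly one place per handler. The method body continues past the hunk and the class containing it is not visible in this view.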

The threshold below which the average payload size of the current and previous non-final DATA frames will trigger an increase in
+--- a/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java
++++ b/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java
+@@ -203,6 +203,9 @@
+ log.debug(sm.getString("upgradeHandler.writeBody", connectionId, stream.getIdAsString(),
+ Integer.toString(len), Boolean.valueOf(finished)));
+ }
++
++ reduceOverheadCount(FrameType.DATA);
++
+ // Need to check this now since sending end of stream will change this.
+ boolean writeable = stream.canWrite();
+ byte[] header = new byte[9];
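Review bot: The added `reduceOverheadCount(FrameType.DATA);` in Http2AsyncUpgradeHandler.writeBody runs before the `stream.canWrite()` check and before any frame is actually written, so a DATA frame that is subsequently not sent, or whose write fails, still credits the overhead count. Since that count is the CVE-2023-44487 mitigation this patch backports, crediting unsent frames slightly under-counts overhead; it is probably acceptable if it mirrors the placement used in the synchronous Http2UpgradeHandler.writeBody (not visible here), but that should be confirmed rather than assumed. A short comment would record the decision, e.g. `// Credit one non-overhead DATA frame up front, matching Http2UpgradeHandler.writeBody.` The enclosing writeBody method starts and ends outside the hunk.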