Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface.
For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u1. The fix for CVE-2020-1938 may require configuration changes when Tomcat is used with the AJP connector, e.g. in combination with libapache-mod-jk. For instance the attribute "secretRequired" is set to true by default now. For affected setups it's recommended to review https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html before the deploying the update.
We recommend that you upgrade your tomcat9 packages.