Hi Markus,

On Fri, Feb 17, 2017 at 10:19:18PM +0100, Markus Koschany wrote:
> On 17.02.2017 22:09, Salvatore Bonaccorso wrote:
> > Hi Markus, hi Emmanuel,
> >
> > On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
> >> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
> >>> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> >>>> Hi,
> >>>>
> >>>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> >>>> the issue is related to our latest security updates. We would like to
> >>>> address this regression as soon as possible because this one can be
> >>>> triggered remotely and cause a denial-of-service.
> >>>>
> >>>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> >>>> will update the changelogs later.
> >>>
> >>> Thanks, please upload.
> >>
> >> Thanks. Uploaded.
> >
> > Btw, I requested a CVE for this issue and it got assigned
> > CVE-2017-6056.
>
> Hi Salvatore,
>
> Thank you. However apparently the fix was not complete. We received two
> reports that the server returns 400 errors under certain circumstances. [1]
> We need to prepare a regression update and the suggested fix is [2].
> Sorry for the inconvenience.

No problem. Thanks for noticing, can you let us know as usual when you
have a debdiff ready for the regression update?

I tend to see this as regression update for the previous DSA, so no
need for a new CVE id. But let me know if someone thinks otherwise and
I can follow up with MITRE.

Thanks for your continuous work,

Regards,
Salvatore