Your message dated Sat, 06 Apr 2024 12:21:29 +0000 with message-id <e1rt533-0024zq...@fasolo.debian.org> and subject line Bug#1066877: fixed in tomcat10 10.1.20-1 has caused the Debian Bug report #1066877, regarding tomcat10: CVE-2024-23672 to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1066877: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066877
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tomcat10
Version: 10.1.16-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for tomcat10.

CVE-2024-23672[0]:
| Denial of Service via incomplete cleanup vulnerability in Apache
| Tomcat. It was possible for WebSocket clients to keep WebSocket
| connections open leading to increased resource consumption. This
| issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from
| 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0
| through 8.5.98. Users are recommended to upgrade to version
| 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23672
    https://www.cve.org/CVERecord?id=CVE-2024-23672
[1] https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tomcat10
Source-Version: 10.1.20-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
tomcat10, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1066...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated tomcat10 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 06 Apr 2024 13:43:19 +0200
Source: tomcat10
Architecture: source
Version: 10.1.20-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1066877 1066878
Changes:
 tomcat10 (10.1.20-1) unstable; urgency=high
 .
   * New upstream version 10.1.20.
     - Fix CVE-2024-24549: Denial of Service due to improper input validation
       vulnerability. (Closes: #1066878)
     - Fix CVE-2024-23672: Denial of Service via incomplete cleanup
       vulnerability. (Closes: #1066877)
   * Remove obsolete dependency on lsb-base from tomcat10 binary package.
--- End Message ---