Your message dated Sun, 03 Dec 2023 13:14:00 +0000
with message-id <[email protected]>
and subject line Bug#1057082: fixed in tomcat10 10.1.16-1
has caused the Debian Bug report #1057082,
regarding tomcat10: CVE-2023-46589
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1057082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057082
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tomcat10
Version: 10.1.15-1
Severity: important
Tags: security upstream fixed-upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for tomcat10.
CVE-2023-46589[0]:
| Improper Input Validation vulnerability in Apache Tomcat. Tomcat from
| 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from
| 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not
| correctly parse HTTP trailer headers. A trailer header that exceeded
| the header size limit could cause Tomcat to treat a single request
| as multiple requests leading to the possibility of request
| smuggling when behind a reverse proxy. Users are recommended to
| upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83
| onwards or 8.5.96 onwards, which fix the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-46589
https://www.cve.org/CVERecord?id=CVE-2023-46589
[1] https://www.openwall.com/lists/oss-security/2023/11/28/2
[2] https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
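The advisory above describes the failure mode (a trailer header over the size limit leaving bytes in the stream that get parsed as a second request). The following is an added illustration, not code from the page, from Apache Tomcat, or from the Debian package, of the defensive behaviour a server needs: a strict chunked-body decoder that counts the whole trailer section against a byte limit and, on any violation, rejects the request and closes the connection instead of resynchronising on the leftover bytes. The 8192-byte limit, the `handle_body` wrapper and the sample messages are assumptions constructed for the example.

```python
"""Strict HTTP/1.1 chunked-body decoder with a bounded trailer section.

Added example; not from Tomcat or the Debian package. The limit value and
the hypothetical handle_body wrapper are assumptions for illustration.
"""

# Assumed limit on the whole trailer section in bytes (Tomcat exposes a
# comparable connector attribute, maxTrailerSize; the value here is an
# assumption, not taken from the advisory).
MAX_TRAILER_SIZE = 8192

HEX_DIGITS = b"0123456789abcdefABCDEF"


class MalformedChunkedBody(ValueError):
    """The chunked framing itself is invalid."""


class TrailerTooLarge(ValueError):
    """The trailer section exceeded the configured limit."""


def decode_chunked(data: bytes, max_trailer_size: int = MAX_TRAILER_SIZE):
    """Decode one chunked message body.

    Returns (body, trailers, remaining). `remaining` is whatever follows the
    terminating empty line; a server may read the next request from it only
    when decoding succeeded. Any exception means the framing is untrusted
    and the connection must be closed without consuming further requests.
    """
    pos = 0
    body = bytearray()

    # Chunk loop: "<hex-size>[;ext]\r\n<data>\r\n", terminated by a zero chunk.
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise MalformedChunkedBody("missing chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise MalformedChunkedBody("bad chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break
        chunk_end = pos + size
        if data[chunk_end:chunk_end + 2] != b"\r\n":
            raise MalformedChunkedBody("chunk data not terminated by CRLF")
        body += data[pos:chunk_end]
        pos = chunk_end + 2

    # Trailer section: header lines up to an empty line. The whole section,
    # line terminators included, is counted against the limit, so one
    # oversized header and many small ones are both rejected.
    trailers = {}
    consumed = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise MalformedChunkedBody("unterminated trailer section")
        line = data[pos:eol]
        consumed += len(line) + 2
        if consumed > max_trailer_size:
            raise TrailerTooLarge("trailer section exceeds %d bytes" % max_trailer_size)
        pos = eol + 2
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise MalformedChunkedBody("malformed trailer line")
        trailers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return bytes(body), trailers, data[pos:]


def handle_body(data: bytes, max_trailer_size: int = MAX_TRAILER_SIZE) -> dict:
    """Hypothetical server-side wrapper showing the safe failure mode.

    On success the leftover bytes are handed back for the next request on a
    keep-alive connection; on any parse failure the answer is 400 with
    close=True, and nothing after the failure point is treated as a request.
    """
    try:
        body, trailers, rest = decode_chunked(data, max_trailer_size)
    except (MalformedChunkedBody, TrailerTooLarge) as exc:
        return {"status": 400, "close": True, "error": str(exc)}
    return {"status": 200, "close": False, "body": body,
            "trailers": trailers, "next_request": rest}


# Constructed sample messages (not captured traffic).
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\nX-Checksum: abc\r\n\r\n"
OVERSIZED = b"0\r\nX-Big: " + b"a" * 9000 + b"\r\n\r\nGET /second HTTP/1.1\r\n"

if __name__ == "__main__":
    print(handle_body(GOOD))
    print(handle_body(OVERSIZED))
```

The point the decoder makes is in `handle_body`: the bytes after an oversized trailer are never returned as `next_request`, so a proxy and the backend cannot disagree about where the second request begins.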
--- Begin Message ---
Source: tomcat10
Source-Version: 10.1.16-1
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
tomcat10, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated tomcat10 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 03 Dec 2023 13:31:22 +0100
Source: tomcat10
Architecture: source
Version: 10.1.16-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1057082
Changes:
tomcat10 (10.1.16-1) unstable; urgency=medium
.
* New upstream version 10.1.16.
- Fix CVE-2023-46589: potential request smuggling. (Closes: #1057082)
Checksums-Sha1:
cd66e5ba28a55ae1b6a017b2d2f439f931a52c93 2982 tomcat10_10.1.16-1.dsc
4b7c30dc182d70403b900e3d3331f84898ac8670 4023292 tomcat10_10.1.16.orig.tar.xz
4efe5336b236fc457b661b1bb0e55de9448c330d 36720 tomcat10_10.1.16-1.debian.tar.xz
edda31ed3aafb855685d215e45c580f8a9cba695 16427 tomcat10_10.1.16-1_amd64.buildinfo
Checksums-Sha256:
e22dec71c8a6e65157fcd31eb0e3123adfcd65cf2ec5a262c1b0bdc59805136a 2982 tomcat10_10.1.16-1.dsc
9d129f63ffb6bb6535c4ea7a0069a352c6d1bd1f1c04dc1c4aebadd75d6cc617 4023292 tomcat10_10.1.16.orig.tar.xz
38c68004dd3d0c74797590770ed64807f6cf374c5529297d81114d9c93475548 36720 tomcat10_10.1.16-1.debian.tar.xz
13b30e31d9a40facb1c53936ab50e9d84a9e9a4ab0c85b32b16de42b236ca916 16427 tomcat10_10.1.16-1_amd64.buildinfo
Files:
229fd68895dec0bcf34c4a0943d42e47 2982 java optional tomcat10_10.1.16-1.dsc
b2f365f7756856689b8d81d5cf032a02 4023292 java optional tomcat10_10.1.16.orig.tar.xz
d39cf293b7e3e87aeb4091c83d90845d 36720 java optional tomcat10_10.1.16-1.debian.tar.xz
65adc5b43f0bdf398ace4579071173fa 16427 java optional tomcat10_10.1.16-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---