Source: tomcat11
Version: 11.0.11-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:tomcat10 10.1.46-1
Control: retitle -2 tomcat10: CVE-2025-61795
Hi,

The following vulnerability was published for Apache Tomcat.

CVE-2025-61795[0]:
| Improper Resource Shutdown or Release vulnerability in Apache
| Tomcat. If an error occurred (including exceeding limits) during
| the processing of a multipart upload, temporary copies of the
| uploaded parts written to disc were not cleaned up immediately but
| left for the garbage collection process to delete. Depending on JVM
| settings, application memory usage and application load, it was
| possible that space for the temporary copies of uploaded parts would
| be filled faster than GC cleared it, leading to a DoS. This issue
| affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from
| 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The
| following versions were EOL at the time the CVE was created but are
| known to be affected: 8.5.0 through 8.5.100. Other, older, EOL
| versions may also be affected. Users are recommended to upgrade to
| version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which
| fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61795
    https://www.cve.org/CVERecord?id=CVE-2025-61795

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
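The failure mode the CVE text describes, shown as an added example in Java that is not Tomcat's own code and not part of the original report: a multipart part is spooled to a temp file, the spool aborts on a size limit, and in the "unsafe" variant deletion is delegated to a GC-triggered Cleaner action, so files from failed uploads accumulate until the JVM happens to collect. The "safe" variant deletes the file on every exit path before rethrowing. The per-part limit MAX_PART_BYTES, the upload_*.tmp naming, the Cleaner-based deletion and the method names are assumptions standing in for Tomcat's real multipart implementation, which the report does not detail.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.ref.Cleaner;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/* Added illustration, not Tomcat code: temp-file handling for a spooled
 * multipart part, with GC-dependent cleanup beside explicit cleanup. */
public class MultipartTempCleanup {
    private static final Cleaner CLEANER = Cleaner.create();
    static final long MAX_PART_BYTES = 1024; // hypothetical per-part limit

    /** Temp-backed part whose file is removed only when the GC runs the cleanup. */
    static final class GcCleanedPart {
        final Path file;
        GcCleanedPart(Path dir) throws IOException {
            file = Files.createTempFile(dir, "upload_", ".tmp");
            Path f = file; // capture the path, not 'this', or the action never fires
            CLEANER.register(this, () -> {
                try { Files.deleteIfExists(f); } catch (IOException ignored) { }
            });
        }
    }

    /** Copies body into out, failing once more than MAX_PART_BYTES arrive. */
    private static void copyWithLimit(InputStream body, OutputStream out) throws IOException {
        byte[] buf = new byte[256];
        long written = 0;
        int n;
        while ((n = body.read(buf)) != -1) {
            written += n;
            if (written > MAX_PART_BYTES) {
                throw new IOException("part exceeds " + MAX_PART_BYTES + " bytes");
            }
            out.write(buf, 0, n);
        }
    }

    /** Vulnerable pattern: on error the temp file stays until the Cleaner runs. */
    static void spoolUnsafe(Path dir, InputStream body) throws IOException {
        GcCleanedPart part = new GcCleanedPart(dir);
        try (OutputStream out = Files.newOutputStream(part.file)) {
            copyWithLimit(body, out);
        }
        // on success the caller would consume and then delete part.file
    }

    /** Hardened pattern: the temp file is deleted on any failure before rethrowing. */
    static Path spoolSafe(Path dir, InputStream body) throws IOException {
        Path file = Files.createTempFile(dir, "upload_", ".tmp");
        boolean ok = false;
        try (OutputStream out = Files.newOutputStream(file)) {
            copyWithLimit(body, out);
            ok = true;
            return file; // success: caller consumes and deletes the part
        } finally {
            if (!ok) Files.deleteIfExists(file);
        }
    }

    /** Number of upload temp files currently on disk in dir. */
    static long countTempFiles(Path dir) throws IOException {
        try (Stream<Path> s = Files.list(dir)) {
            return s.filter(p -> p.getFileName().toString().endsWith(".tmp")).count();
        }
    }

    private static void deleteDir(Path dir) throws IOException {
        List<Path> entries;
        try (Stream<Path> s = Files.list(dir)) { entries = s.collect(Collectors.toList()); }
        for (Path p : entries) Files.deleteIfExists(p);
        Files.deleteIfExists(dir);
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        Path unsafeDir = Files.createTempDirectory("multipart-unsafe");
        Path safeDir = Files.createTempDirectory("multipart-safe");
        byte[] oversized = new byte[4096]; // constructed input: above the limit
        int attempts = 200;

        for (int i = 0; i < attempts; i++) {
            try { spoolUnsafe(unsafeDir, new ByteArrayInputStream(oversized)); }
            catch (IOException expected) { }
        }
        System.out.println("unsafe: " + countTempFiles(unsafeDir) + " of " + attempts
                + " failed uploads still on disk before GC");
        System.gc();
        Thread.sleep(500); // give the Cleaner thread a chance to run
        System.out.println("unsafe: " + countTempFiles(unsafeDir) + " still on disk after GC");

        for (int i = 0; i < attempts; i++) {
            try { spoolSafe(safeDir, new ByteArrayInputStream(oversized)); }
            catch (IOException expected) { }
        }
        System.out.println("safe: " + countTempFiles(safeDir) + " left by the hardened variant");

        deleteDir(unsafeDir);
        deleteDir(safeDir);
    }
}
```

Run with `java MultipartTempCleanup.java` (Java 11 or later). The first count is the point of the CVE text: how many leftover files remain after the failed uploads depends entirely on when the collector runs, whereas the hardened variant always reports zero because cleanup is tied to the error path rather than to object reachability.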

