Your message dated Sat, 23 Nov 2024 20:35:57 +0100
with message-id <[email protected]>
and subject line [[email protected]: Accepted tomcat10 10.1.33-1
(source) into unstable]
has caused the Debian Bug report #1087884,
regarding tomcat10: CVE-2024-52318: XSS in generated JSPs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1087884: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087884
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tomcat10
Version: 10.1.31-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for tomcat10.
CVE-2024-52318[0]:
| Incorrect object recycling and reuse vulnerability in Apache Tomcat.
| This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Users
| are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97,
| which fixes the issue.
AFAIU this affects just the listed versions but not previous releases.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-52318
https://www.cve.org/CVERecord?id=CVE-2024-52318
[1] https://lists.apache.org/thread/co243cw1nlh6p521c5265cm839wkqdp9
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tomcat10
Source-Version: 10.1.33-1
----- Forwarded message from Debian FTP Masters <[email protected]> -----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 23 Nov 2024 19:37:37 +0100
Source: tomcat10
Architecture: source
Version: 10.1.33-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Emmanuel Bourg <[email protected]>
Changes:
tomcat10 (10.1.33-1) unstable; urgency=medium
.
* New upstream release
- Refreshed the patches
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
----- End forwarded message -----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.