Your message dated Tue, 03 Feb 2026 12:19:16 +0100
with message-id <[email protected]>
and subject line Re: tomcat11: CVE-2025-61795
has caused the Debian Bug report #1119293,
regarding tomcat11: CVE-2025-61795
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1119293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119293
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tomcat11
Version: 11.0.11-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:tomcat10 10.1.46-1
Control: retitle -2 tomcat10: CVE-2025-61795

Hi,

The following vulnerability was published for Apache Tomcat.

CVE-2025-61795[0]:
| Improper Resource Shutdown or Release vulnerability in Apache
| Tomcat.  If an error occurred (including exceeding limits) during
| the processing of a multipart upload, temporary copies of the
| uploaded parts written to disc were not cleaned up immediately but
| left for the garbage collection process to delete. Depending on JVM
| settings, application memory usage and application load, it was
| possible that space for the temporary copies of uploaded parts would
| be filled faster than GC cleared it, leading to a DoS.    This issue
| affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from
| 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.  The
| following versions were EOL at the time the CVE was created but are
| known to be affected: 8.5.0 through 8.5.100. Other, older, EOL
| versions may also be affected. Users are recommended to upgrade to
| version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which
| fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61795
    https://www.cve.org/CVERecord?id=CVE-2025-61795

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
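
The affected ranges quoted in the report above, turned into a version check, as an added example that is not part of the original messages or of any Debian or Apache tooling. The function names and the stripping of a trailing Debian revision such as `-1` are assumptions of this example; epochs and other Debian version syntax are not handled.

```python
import re

# Ranges copied from the CVE-2025-61795 text quoted above:
# (first affected, last affected, first fixed release or None for an EOL branch).
AFFECTED = [
    ("11.0.0-M1", "11.0.11", "11.0.12"),
    ("10.1.0-M1", "10.1.46", "10.1.47"),
    ("9.0.0.M1", "9.0.109", "9.0.110"),
    ("8.5.0", "8.5.100", None),
]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse(version):
    """Turn '11.0.0-M1', '9.0.0.M1' or '11.0.11-1' into a sortable tuple."""
    # Drop a Debian revision ('-1', '-1~deb13u1') but keep a '-M1' milestone.
    upstream = re.sub(r"-(?!M\d+$)[^-]*$", "", version.strip())
    m = _VERSION.match(upstream)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    # Milestones (M1, M2, ...) sort before the final release of the same number.
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def status(version):
    """Classify a version against the ranges listed in the advisory text."""
    v = parse(version)
    for first, last, fixed in AFFECTED:
        if parse(first) <= v <= parse(last):
            if fixed:
                return f"affected; upgrade to {fixed} or later"
            return "affected; EOL branch, no fix listed"
        # Same major.minor branch, at or past the first fixed release.
        if fixed and v[:2] == parse(fixed)[:2] and v >= parse(fixed):
            return "fixed"
    if v < parse("8.5.0"):
        return "unknown; older EOL versions may also be affected"
    return "not in any range listed in the advisory"


if __name__ == "__main__":
    # Constructed sample inputs: the two package versions named in this bug
    # report plus boundary cases from the advisory text.
    for sample in ("11.0.11-1", "11.0.15-1", "10.1.46-1", "9.0.0.M1", "8.5.100", "7.0.109"):
        print(f"{sample:12} {status(sample)}")
```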
--- Begin Message ---
Version: 11.0.15-1


This issue was fixed in 11.0.12, first version in Debian was 11.0.15-1.
Closing.



--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
[email protected] for discussions and questions.
