Package: tomcat10
Version: 10.1.52-1~deb13u1
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]
Dear Maintainer,

The security update to tomcat-10.1.52-1~deb13u1 introduced the following new configurable limits:

  maxPartCount      (default: 50)
  maxPartHeaderSize (default: 512)

They were first added upstream in this commit:
https://github.com/apache/tomcat/commit/e34fe96ef8ee782b0e56b64358e8dc57cbe336a6,
with maxPartCount later raised to default 50.

The maxPartCount is used, together with the existing maxParameterCount, to set an upper limit on how many parameters and parts a request can contain, with the lower of the two values being applied to both limits. If the maxPartCount limit is hit, all (!) parameters are removed from the request before it is passed on to the application.

Unfortunately, there are many existing applications that have much larger numbers of parameters in a single request, so it is necessary to set higher limits in server.xml.

The problem - and the reason for this bug report - is that:

a) There is no mention of these new limits in any change log, except for the original git commit message.

b) The current default log configuration on Debian prevents any error message from being logged when that limit is hit, so that it is nearly impossible to find the cause of the seemingly empty requests.

I would ask you to:

a) Make a new package version.

b) Have that new version report the (breaking) change via apt-listchanges.

c) Add the line "maxPartCount=50" and an explanatory text to the default server.xml file.
Thank you and best regards
Markus

-- System Information:
Debian Release: 13.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.63+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tomcat10 depends on:
ii  systemd [systemd-tmpfiles]  257.9-1~deb13u1
ii  tomcat10-common             10.1.52-1~deb13u1
ii  ucf                         3.0052

Versions of packages tomcat10 recommends:
ii  libtcnative-1  1.3.1-1+b1

Versions of packages tomcat10 suggests:
pn  tomcat10-admin     <none>
pn  tomcat10-docs      <none>
pn  tomcat10-examples  <none>
pn  tomcat10-user      <none>

-- Configuration Files:
/etc/tomcat10/policy.d/01system.policy [Errno 13] Permission denied: '/etc/tomcat10/policy.d/01system.policy'
/etc/tomcat10/policy.d/02debian.policy [Errno 13] Permission denied: '/etc/tomcat10/policy.d/02debian.policy'
/etc/tomcat10/policy.d/03catalina.policy [Errno 13] Permission denied: '/etc/tomcat10/policy.d/03catalina.policy'
/etc/tomcat10/policy.d/04webapps.policy [Errno 13] Permission denied: '/etc/tomcat10/policy.d/04webapps.policy'
/etc/tomcat10/policy.d/50local.policy [Errno 13] Permission denied: '/etc/tomcat10/policy.d/50local.policy'

-- no debconf information

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
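Editor's note: the Connector fragment below is an added example for readers of this report, not part of the bug report, of the Debian package, or of Tomcat's shipped server.xml. It shows the implicit limits the report names (maxPartCount 50, maxPartHeaderSize 512) next to an explicitly raised configuration for a site whose forms legitimately carry many fields or parts. The raised numbers are assumptions for illustration only; size them from what your applications actually send. Note that maxPartCount and maxParameterCount are applied together, with the lower of the two winning, so raising maxPartCount alone does not help if maxParameterCount (Tomcat's default is 1000) is the lower value.

```xml
<!-- Added example, not from the bug report or from Tomcat/Debian defaults. -->

<!-- BEFORE: a typical Debian HTTP Connector. Nothing about parts is set, so
     the 10.1.52 security update silently applies maxPartCount=50 and
     maxPartHeaderSize=512 (per the report above). A multipart POST with more
     than 50 parts reaches the webapp with an empty parameter map. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- AFTER: limits stated explicitly so the next upgrade cannot change them
     unnoticed. Values are assumptions for illustration.
     maxParameterCount : total query-string + body parameters, default 1000.
     maxPartCount      : multipart/form-data parts; the lower of this and
                         maxParameterCount is applied to both limits.
     maxPartHeaderSize : bytes allowed for one part's headers (default 512);
                         raise only if long filenames or content-types
                         are actually rejected. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxParameterCount="5000"
           maxPartCount="5000"
           maxPartHeaderSize="1024" />
```

Until the packaging change requested in the report lands, putting both attributes on every Connector in /etc/tomcat10/server.xml, with the comment, is the practical way to make the limit visible to whoever debugs the next "empty request" report.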
