On 17.02.2017 22:09, Salvatore Bonaccorso wrote:
> Hi Markus, hi Emmanuel,
>
> On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
>> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
>>> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
>>>> Hi,
>>>>
>>>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
>>>> the issue is related to our latest security updates. We would like to
>>>> address this regression as soon as possible because this one can be
>>>> triggered remotely and cause a denial-of-service.
>>>>
>>>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
>>>> will update the changelogs later.
>>>
>>> Thanks, please upload.
>>
>> Thanks. Uploaded.
>
> Btw, I requested a CVE for this issue and it got assigned
> CVE-2017-6056.
Hi Salvatore,

Thank you. However, apparently the fix was not complete. We received two
reports that the server returns 400 errors under certain circumstances. [1]
We need to prepare a regression update and the suggested fix is [2].

Sorry for the inconvenience.

Regards,

Markus

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854551#59
[2] https://github.com/apache/tomcat80/commit/534d62075f8c03cc3e77f301e53be53acdefd1c9.patch
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.

