Your message dated Sat, 06 Apr 2024 12:21:29 +0000
with message-id <e1rt533-0024zv...@fasolo.debian.org>
and subject line Bug#1066878: fixed in tomcat10 10.1.20-1
has caused the Debian Bug report #1066878,
regarding tomcat10: CVE-2024-24549
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1066878: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066878
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tomcat10
Version: 10.1.16-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for tomcat10.

CVE-2024-24549[0]:
| Denial of Service due to improper input validation vulnerability for
| HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request,
| if the request exceeded any of the configured limits for headers,
| the associated HTTP/2 stream was not reset until after all of the
| headers had been processed. This issue affects Apache Tomcat: from
| 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from
| 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.  Users are
| recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or
| 8.5.99 which fix the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24549
    https://www.cve.org/CVERecord?id=CVE-2024-24549
[1] https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
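The CVE text above says the stream was not reset until after all headers had been processed. The following Python model is an added illustration, not Tomcat's code or the upstream patch: it contrasts a header decoder that checks its limits only after processing the whole block with one that stops at the first violation. The limit names (`max_header_count`, `max_header_size`), the per-header "decode" cost and the sample header block are all hypothetical simplifications.

```python
"""Added illustration (not Tomcat's code): late versus early stream reset
when an HTTP/2 header block exceeds configured limits."""


class HeaderLimits:
    """Two hypothetical limits of the kind a server configures per request."""

    def __init__(self, max_header_count, max_header_size):
        self.max_header_count = max_header_count  # number of header fields
        self.max_header_size = max_header_size    # bytes of names + values


def _decode_one(name, value):
    """Stand-in for the per-header work (decode, validate, store).
    Returns the byte cost of this header so the size limit can be tracked."""
    return len(name) + len(value)


def decode_late_reset(headers, limits):
    """Vulnerable pattern: process every header first, check the limits last.
    Returns (accepted, headers_processed). On an oversized block the work
    done is proportional to whatever the client sent, not to the limit."""
    processed = 0
    total_bytes = 0
    for name, value in headers:
        total_bytes += _decode_one(name, value)
        processed += 1
    over_limit = (processed > limits.max_header_count
                  or total_bytes > limits.max_header_size)
    return (not over_limit, processed)


def decode_early_reset(headers, limits):
    """Fixed pattern: check the limits after each header and stop (reset the
    stream) at the first violation, so the work is bounded by the limits."""
    processed = 0
    total_bytes = 0
    for name, value in headers:
        total_bytes += _decode_one(name, value)
        processed += 1
        if (processed > limits.max_header_count
                or total_bytes > limits.max_header_size):
            return (False, processed)
    return (True, processed)


def sample_block(count, name="x-padding", value="a" * 50):
    """Constructed sample input: a header block of `count` small headers."""
    return [(name, value)] * count


if __name__ == "__main__":
    limits = HeaderLimits(max_header_count=100, max_header_size=8192)
    block = sample_block(10_000)
    print("late reset :", decode_late_reset(block, limits))
    print("early reset:", decode_early_reset(block, limits))
```

Both functions reject the same inputs; the only difference is how much work the server has done by the time it says no, which is exactly the resource-exhaustion angle the advisory is about. In a real server the client's frames still arrive, but decoding and storing them stops at the limit.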
--- Begin Message ---
Source: tomcat10
Source-Version: 10.1.20-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
tomcat10, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1066...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated tomcat10 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Apr 2024 13:43:19 +0200
Source: tomcat10
Architecture: source
Version: 10.1.20-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1066877 1066878
Changes:
 tomcat10 (10.1.20-1) unstable; urgency=high
 .
   * New upstream version 10.1.20.
     - Fix CVE-2024-24549: Denial of Service due to improper input validation
       vulnerability. (Closes: #1066878)
     - Fix CVE-2024-23672: Denial of Service via incomplete cleanup
       vulnerability. (Closes: #1066877)
   * Remove obsolete dependency on lsb-base from tomcat10 binary package.
Checksums-Sha1:
 133357fea4ff5d111927f152c513e467cc152179 2982 tomcat10_10.1.20-1.dsc
 6f598d68a306ecf85420b82bc59fbaa03d811dcf 4045252 tomcat10_10.1.20.orig.tar.xz
 27f6a7a10a8babb1534baa003cefafec772679b3 36832 tomcat10_10.1.20-1.debian.tar.xz
 ac9c22b2fe2c3cbba9dad1da9370662bd546518b 16741 tomcat10_10.1.20-1_amd64.buildinfo
Checksums-Sha256:
 9bf13e950be9045ec5f6aef375f4ca93a2ba2a50f7452cae089fc3e578a11bb2 2982 tomcat10_10.1.20-1.dsc
 35f6966065c77de6785e5002b3745bd388d169ced4e4beb8d2f908d98eaa8969 4045252 tomcat10_10.1.20.orig.tar.xz
 57776897862bcc416aa059d35bd04a30eb73be58dfe35b7b7d37d00a09c7f4b6 36832 tomcat10_10.1.20-1.debian.tar.xz
 5b4fe7b64bd097ae26fca31f709d8ca5aa62cd174b436a98123cfaa567c5fcc9 16741 tomcat10_10.1.20-1_amd64.buildinfo
Files:
 29927bc8821131930531197ba0dd39db 2982 java optional tomcat10_10.1.20-1.dsc
 f6b238c3f28196f1ea27a6f9213085ee 4045252 java optional tomcat10_10.1.20.orig.tar.xz
 028489e456cf4d67a3f7760c6ddec556 36832 java optional tomcat10_10.1.20-1.debian.tar.xz
 7c85908c95811529be3dcb24a011f7ac 16741 java optional tomcat10_10.1.20-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpgffsGbv4bu.pgp
Description: PGP signature


--- End Message ---
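The .changes file above lists every uploaded artifact with its size and SHA-256 digest. The following Python script is an added example, not part of the bug report or of Debian's own tooling: it parses a `Checksums-Sha256:` block in that format and verifies each listed file on disk, reporting missing files, size mismatches and digest mismatches separately. The sample .changes text and files it builds are constructed for the demonstration (the `good.txt`/`tampered.txt` names are placeholders, not Debian artifacts). This check is only meaningful after the PGP signature on the .changes file has been verified, since an attacker who can alter the file can also alter the listed digests.

```python
"""Added example (not Debian tooling): verify files against the
Checksums-Sha256 block of a Debian .changes file."""
import hashlib
import hmac
import os
import tempfile


def parse_checksums_sha256(changes_text):
    """Return [(sha256_hex, size, filename), ...] from the Checksums-Sha256
    block. The block's entries are the indented lines that follow the field
    name, up to the next unindented field (e.g. 'Files:')."""
    entries = []
    in_block = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
            continue
        if in_block:
            if line.startswith(" ") and line.strip():
                parts = line.split()
                if len(parts) == 3:
                    entries.append((parts[0].lower(), int(parts[1]), parts[2]))
            else:
                break  # next field reached; the block is finished
    return entries


def sha256_of_file(path):
    """Stream the file through SHA-256 so large tarballs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_changes(changes_text, directory):
    """Return {filename: status}; status is one of 'ok', 'missing',
    'size-mismatch' or 'digest-mismatch'. Size is checked first because it
    is cheap and catches truncated downloads before hashing."""
    results = {}
    for digest, size, name in parse_checksums_sha256(changes_text):
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif hmac.compare_digest(sha256_of_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "digest-mismatch"
    return results


# sha256(b"abc"); a well-known test vector used only for the constructed sample.
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def make_sample():
    """Constructed sample: a .changes-style text and a temp directory holding
    one correct file, one tampered file, one file of the wrong size, and one
    entry whose file is absent. Returns (changes_text, directory)."""
    directory = tempfile.mkdtemp(prefix="changes-demo-")
    for name, content in (("good.txt", b"abc"),
                          ("tampered.txt", b"abd"),
                          ("toolong.txt", b"abcd")):
        with open(os.path.join(directory, name), "wb") as f:
            f.write(content)
    changes_text = "\n".join([
        "Format: 1.8",
        "Source: example-constructed",
        "Checksums-Sha256:",
        " %s 3 good.txt" % ABC_SHA256,
        " %s 3 tampered.txt" % ABC_SHA256,
        " %s 3 toolong.txt" % ABC_SHA256,
        " %s 3 absent.txt" % ABC_SHA256,
        "Files:",
        " 00000000000000000000000000000000 3 misc optional good.txt",
    ])
    return changes_text, directory


if __name__ == "__main__":
    text, d = make_sample()
    for name, status in verify_changes(text, d).items():
        print("%-14s %s" % (name, status))
```

To use it on a real upload, read the .changes file into `changes_text` and point `directory` at the folder holding the .dsc, .orig.tar.xz, .debian.tar.xz and .buildinfo files; any status other than `ok` means the artifact should not be trusted or installed.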
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
