Your message dated Mon, 29 Sep 2025 18:05:26 +0200
with message-id <[email protected]>
and subject line Re: Accepted tomcat10 10.1.46-1 (source) into unstable
has caused the Debian Bug report #1111098,
regarding tomcat10: CVE-2025-55668
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1111098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111098
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tomcat10
Version: 10.1.40-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:tomcat11 11.0.6-1
Control: retitle -2 tomcat11: CVE-2025-5566

Hi,

The following vulnerability was published for tomcat.

CVE-2025-55668[0]:
| Session Fixation vulnerability in Apache Tomcat via rewrite valve.
| This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7,
| from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
| Older, EOL versions may also be affected.  Users are recommended to
| upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-55668
    https://www.cve.org/CVERecord?id=CVE-2025-55668
[2] https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: tomcat10
Source-Version: 10.1.46-1

On Mon, Sep 29, 2025 at 12:08:12PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Mon, 29 Sep 2025 13:43:22 +0200
> Source: tomcat10
> Architecture: source
> Version: 10.1.46-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Java Maintainers <[email protected]>
> Changed-By: Emmanuel Bourg <[email protected]>
> Changes:
>  tomcat10 (10.1.46-1) unstable; urgency=medium
>  .
>    * New upstream release
>      - Refreshed the patches

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
[email protected] for discussions and questions.
