Your message dated Mon, 29 Sep 2025 18:04:06 +0200
with message-id <[email protected]>
and subject line Re: Accepted tomcat11 11.0.11-1 (source) into unstable
has caused the Debian Bug report #1111097,
regarding tomcat11: CVE-2025-48989
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111097
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tomcat10
Version: 10.1.40-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:tomcat11 11.0.6-1
Control: retitle -2 tomcat11: CVE-2025-48989
Hi,
The following vulnerability was published for tomcat.
CVE-2025-48989[0]:
| Improper Resource Shutdown or Release vulnerability in Apache Tomcat
| made Tomcat vulnerable to the made you reset attack. This issue
| affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1
| through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL
| versions may also be affected. Users are recommended to upgrade to
| one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-48989
https://www.cve.org/CVERecord?id=CVE-2025-48989
[1] https://github.com/apache/tomcat/commit/f362c8eb3b8ec5b7f312f7f5610731c0fb299a06
https://github.com/apache/tomcat/commit/73c04a10395774bda71a0b37802cf983662ce255
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tomcat11
Source-Version: 11.0.11-1
On Mon, Sep 29, 2025 at 10:24:02AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Mon, 29 Sep 2025 12:00:39 +0200
> Source: tomcat11
> Architecture: source
> Version: 11.0.11-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Java Maintainers <[email protected]>
> Changed-By: Emmanuel Bourg <[email protected]>
> Changes:
> tomcat11 (11.0.11-1) unstable; urgency=medium
> .
> * New upstream release
> - Refreshed the patches
>
> -----BEGIN PGP SIGNATURE-----
>
> -----END PGP SIGNATURE-----
--- End Message ---