Your message dated Mon, 29 Sep 2025 18:04:06 +0200
with message-id <[email protected]>
and subject line Re: Accepted tomcat11 11.0.11-1 (source) into unstable
has caused the Debian Bug report #1109113,
regarding tomcat11: CVE-2025-53506
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109113
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tomcat11
Version: 11.0.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:tomcat10 10.1.40-1
Control: retitle -2 tomcat10: CVE-2025-53506
Hi,
The following vulnerability was published for tomcat11.
CVE-2025-53506[0]:
| Uncontrolled Resource Consumption vulnerability in Apache Tomcat if
| an HTTP/2 client did not acknowledge the initial settings frame that
| reduces the maximum permitted concurrent streams. This issue
| affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1
| through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are
| recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which
| fix the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-53506
https://www.cve.org/CVERecord?id=CVE-2025-53506
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tomcat11
Source-Version: 11.0.11-1
On Mon, Sep 29, 2025 at 10:24:02AM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Mon, 29 Sep 2025 12:00:39 +0200
> Source: tomcat11
> Architecture: source
> Version: 11.0.11-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Java Maintainers <[email protected]>
> Changed-By: Emmanuel Bourg <[email protected]>
> Changes:
> tomcat11 (11.0.11-1) unstable; urgency=medium
> .
> * New upstream release
> - Refreshed the patches
--- End Message ---