Your message dated Wed, 28 Jan 2026 04:35:40 +0000
with message-id <[email protected]>
and subject line Bug#1111096: fixed in tomcat10 10.1.52-1
has caused the Debian Bug report #1111096,
regarding tomcat10: CVE-2025-48989
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1111096: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111096
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tomcat10
Version: 10.1.40-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:tomcat11 11.0.6-1
Control: retitle -2 tomcat11: CVE-2025-48989

Hi,

The following vulnerability was published for tomcat.

CVE-2025-48989[0]:
| Improper Resource Shutdown or Release vulnerability in Apache Tomcat
| made Tomcat vulnerable to the made you reset attack.  This issue
| affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1
| through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL
| versions may also be affected.  Users are recommended to upgrade to
| one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48989
    https://www.cve.org/CVERecord?id=CVE-2025-48989
[1] https://github.com/apache/tomcat/commit/f362c8eb3b8ec5b7f312f7f5610731c0fb299a06
    https://github.com/apache/tomcat/commit/73c04a10395774bda71a0b37802cf983662ce255

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: tomcat10
Source-Version: 10.1.52-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
tomcat10, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated tomcat10 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 28 Jan 2026 04:45:47 +0100
Source: tomcat10
Architecture: source
Version: 10.1.52-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1111096 1119294
Changes:
 tomcat10 (10.1.52-1) unstable; urgency=medium
 .
   * New upstream version 10.1.52.
    - Fix CVE-2025-61795: denial-of-service (Closes: #1119294)
    - Fix CVE-2025-48989: "made you reset attack" (Closes: #1111096)
   * Declare compliance with Debian Policy 4.7.3.
   * Refresh the patches.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
