[Git][security-tracker-team/security-tracker][master] Add CVE-2023-28709/tomcat

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed May 24 17:44:33 BST 2023 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e27a2356 by Salvatore Bonaccorso at 2023-05-24T18:43:48+02:00
Add CVE-2023-28709/tomcat

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9304,7 +9304,11 @@ CVE-2023-1553
 CVE-2023-1552 (ToolboxST prior to version 7.10 is affected by a deserialization vulne ...)
 	NOT-FOR-US: ToolboxST
 CVE-2023-28709 (The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2  ...)
-	TODO: check
+	[experimental] - tomcat10 10.1.8-1
+	- tomcat10 <unfixed>
+	- tomcat9 <not-affected> (Incomplete fix for CVE-2023-24998 not applied)
+	NOTE: https://github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dc (10.1.8)
+	NOTE: https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861 (9.0.74)
 CVE-2023-28708 (When using the RemoteIpFilter with requests received from a    reverse ...)
 	{DSA-5381-1 DLA-3384-1}
 	- tomcat10 10.1.6-1
@@ -20392,6 +20396,7 @@ CVE-2023-24998 (Apache Commons FileUpload before 1.5 does not limit the number o
 	NOTE: https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
 	NOTE: https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce (10.1.5)
 	NOTE: https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74 (9.0.71)
+	NOTE: When fixing the issue make sure to apply complete fixes to not open  CVE-2023-28709
 CVE-2023-24996 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...)
 	NOT-FOR-US: Siemens
 CVE-2023-24995 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e27a2356d3750af5b4620515584e4bc46f5528e0

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e27a2356d3750af5b4620515584e4bc46f5528e0
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230524/ef191ffc/attachment.htm>

More information about the debian-security-tracker-commits mailing list