[Git][security-tracker-team/security-tracker][master] Add two new tomcat issues
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Apr 28 21:36:06 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9986fe53 by Salvatore Bonaccorso at 2025-04-28T22:35:38+02:00
Add two new tomcat issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -84,9 +84,29 @@ CVE-2025-32471 (The device\u2019s passwords have not been adequately salted, mak
CVE-2025-32470 (A remote unauthenticated attacker may be able to change the IP adress ...)
NOT-FOR-US: SICK AG
CVE-2025-31651 (Improper Neutralization of Escape, Meta, or Control Sequences vulnerab ...)
- TODO: check
+ - tomcat11 11.0.6-1
+ - tomcat10 10.1.40-1
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/fbecc915a10c5a3d634c5e2c6ced4ff479ce9953 (11.0.6)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/066bf6b6a15a4e7e0941d4acf096841165b97098 (10.1.40)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/ee3ab548e92345eca0cbd1f01649eb36c6f29454 (9.0.104)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/175dc75fc428930034a6c93fb52f830d955d8e64 (9.0.104)
CVE-2025-31650 (Improper Input Validation vulnerability in Apache Tomcat. Incorrect er ...)
- TODO: check
+ - tomcat11 11.0.6-1
+ - tomcat10 10.1.40-1
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+ NOTE: https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/75554da2fc5574862510ae6f0d7b3d78937f1d40 (11.0.6)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/f619e6a05029538886d5a9d987925d573b5bb8c2 (11.0.6)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/ded0285b96b4d3f5560dfc8856ad5ec4a9b50ba9 (11.0.6)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/cba1a0fe1289ee7f5dd46c61c38d1e1ac5437bff (10.1.40)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/1eef1dc459c45f1e421d8bd25ef340fc1cc34edc (10.1.40)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/8cc3b8fb3f2d8d4d6a757e014f19d1fafa948a60 (10.1.40)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/40ae788c2e64d018b4e58cd4210bb96434d0100d (9.0.104)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/b98e74f517b36929f4208506e5adad22cb767baa (9.0.104)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9 (9.0.104)
CVE-2025-25776 (Cross-Site Scripting (XSS) vulnerability exists in the User Registrati ...)
NOT-FOR-US: CodeAstro
CVE-2025-23377 (Dell PowerProtect Data Manager Reporting, version(s) 19.17, 19.18 cont ...)
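Review bot: The CVE-2025-31651 entry carries only "Fixed by" commit NOTEs and no upstream advisory reference, whereas the CVE-2025-31650 entry directly below it includes the lists.apache.org thread. Adding the matching announcement link to CVE-2025-31651 would keep the two entries consistent. On both tomcat9 lines, the fixed version 9.0.70-2 predates the upstream 9.0.104 commits. The NOTE explains that src:tomcat9 stopped shipping the server stack at that version, so it is worth confirming that none of the referenced 9.0.104 commits touch code src:tomcat9 still ships after 9.0.70-2, since the entry would otherwise mark still-affected library code as fixed.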
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9986fe53c29f6088262514e43582e45e6ba1222d