[Git][security-tracker-team/security-tracker][master] Reserve DLA-4244-1 for tomcat9
Markus Koschany (@apo)
apo at debian.org
Mon Jul 21 11:09:31 BST 2025
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
85ad107d by Markus Koschany at 2025-07-21T12:09:18+02:00
Reserve DLA-4244-1 for tomcat9
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -15536,7 +15536,6 @@ CVE-2025-46701 (Improper Handling of Case Sensitivity vulnerability in Apache To
- tomcat11 <unfixed> (bug #1106821)
- tomcat10 <unfixed> (bug #1106820)
- tomcat9 9.0.70-2
- [bullseye] - tomcat9 <postponed> (Minor issue, unlikely access control bypass, fix along with next DLA)
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j
NOTE: https://github.com/apache/tomcat/commit/fab7247d2f0e3a29d5daef565f829f383e10e5e2 (11.0.7)
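Review bot: No `{DLA-4244-1}` cross-reference is added to this entry (nor to the other four tomcat9 entries touched below), while the DSA-fixed entries in this file carry a `{DSA-5845-1}` line directly under the CVE header; confirm whether the bullseye line in data/DLA/list alone is what the tracker uses to mark bullseye as fixed, and otherwise add the xref line in place of the removed `<postponed>` override so the entry reads the same way as the DSA ones.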
@@ -26063,7 +26062,6 @@ CVE-2025-31651 (Improper Neutralization of Escape, Meta, or Control Sequences vu
- tomcat11 11.0.6-1
- tomcat10 10.1.40-1
- tomcat9 9.0.70-2
- [bullseye] - tomcat9 <postponed> (Minor issue, unlikely access control bypass, fix along with next DLA)
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: Fixed by: https://github.com/apache/tomcat/commit/fbecc915a10c5a3d634c5e2c6ced4ff479ce9953 (11.0.6)
NOTE: Fixed by: https://github.com/apache/tomcat/commit/066bf6b6a15a4e7e0941d4acf096841165b97098 (10.1.40)
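Review bot: With the bullseye `<postponed>` override dropped, the only fix references left for this entry are the 11.0.6 and 10.1.40 commits; since bullseye gets the fix through a 9.0.x upload, add the matching 9.0.x backport commit as a `NOTE: Fixed by:` line, the way the CVE-2024-34750 entry lists its 9.0.90 commit, so the bullseye fix stays traceable from the tracker rather than only from the DLA version number.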
@@ -26073,7 +26071,6 @@ CVE-2025-31650 (Improper Input Validation vulnerability in Apache Tomcat. Incorr
- tomcat11 11.0.6-1
- tomcat10 10.1.40-1
- tomcat9 9.0.70-2
- [bullseye] - tomcat9 <postponed> (Minor issue, DoS, fix along with next DLA)
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826
NOTE: Fixed by: https://github.com/apache/tomcat/commit/75554da2fc5574862510ae6f0d7b3d78937f1d40 (11.0.6)
@@ -68294,7 +68291,6 @@ CVE-2024-54677 (Uncontrolled Resource Consumption vulnerability in the examples
{DSA-5845-1}
- tomcat10 10.1.34-1
- tomcat9 9.0.70-2
- [bullseye] - tomcat9 <ignored> (Minor issue)
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: https://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n
NOTE: https://github.com/apache/tomcat/commit/f57a9d9847c1038be61f5818d73b8be907c460d4 (10.1.34)
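Review bot: The override removed here was `<ignored>` (Minor issue) rather than `<postponed>`, so this is the one entry in the set whose bullseye assessment flips from "not planned" to fixed; the remaining notes cite only the 10.1.34 commit (f57a9d98...), so a 9.0.x reference for the examples webapp change would make it clear that the 9.0.107 backport actually carries it and that the earlier `<ignored>` decision was revisited on purpose.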
@@ -112525,7 +112521,6 @@ CVE-2024-34750 (Improper Handling of Exceptional Conditions, Uncontrolled Resour
{DSA-5845-1}
- tomcat10 10.1.25-1
- tomcat9 9.0.70-2
- [bullseye] - tomcat9 <postponed> (Minor issue, fixed along in next DSA)
NOTE: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l
NOTE: https://github.com/apache/tomcat/commit/2afae300c9ac9c0e516e2e9de580847d925365c3 (10.1.25)
NOTE: https://github.com/apache/tomcat/commit/9fec9a82887853402833a80b584e3762c7423f5f (9.0.90)
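Review bot: This entry relies on the same `tomcat9 9.0.70-2` fixed version as the four entries above but lacks the `NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version` line they all carry; add it here too, otherwise a reader may take 9.0.70-2 for the version in which the 9.0.90 commit landed. Dropping the removed override is right even though it spoke of a "next DSA": the issue now ships through the DLA.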
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[21 Jul 2025] DLA-4244-1 tomcat9 - security update
+ {CVE-2024-34750 CVE-2024-54677 CVE-2025-31650 CVE-2025-31651 CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-49125 CVE-2025-52434 CVE-2025-52520 CVE-2025-53506}
+ [bullseye] - tomcat9 9.0.107-0+deb11u1
[20 Jul 2025] DLA-4243-1 batik - security update
{CVE-2020-11987 CVE-2022-38398 CVE-2022-38648 CVE-2022-40146}
[bullseye] - batik 1.12-4+deb11u3
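Review bot: The new entry names eleven CVEs, but data/CVE/list is only touched for five of them (CVE-2024-34750, CVE-2024-54677, CVE-2025-31650, CVE-2025-31651, CVE-2025-46701); nothing in this diff shows the bullseye state of CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-52434, CVE-2025-52520 and CVE-2025-53506. Confirm those six have no bullseye override left behind and a tomcat9 fixed version that resolves for bullseye, otherwise they stay marked open despite being listed in the DLA. The date and version format match the batik entry below.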
=====================================
data/dla-needed.txt
=====================================
@@ -393,9 +393,6 @@ systemd (charles)
NOTE: 20250717: Will prepare the buffer overflow fix and publish next week
NOTE: 20250717: after Debconf.
--
-tomcat9 (Markus Koschany)
- NOTE: 20250613: Added by maintainer (apo)
---
trafficserver
NOTE: 20241120: Added by Front-Desk (Beuc)
NOTE: 20241120: Upcoming DSA (Beuc/front-desk)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85ad107d161cb76810803de178124147061da9f5