[Git][java-team/tomcat10][bookworm] Import Debian changes 10.1.34-0+deb12u2
Markus Koschany (@apo)
gitlab at salsa.debian.org
Tue Feb 3 13:13:20 GMT 2026
Markus Koschany pushed to branch bookworm at Debian Java Maintainers / tomcat10
Commits:
785ab48d by Markus Koschany at 2026-02-03T14:13:10+01:00
Import Debian changes 10.1.34-0+deb12u2
tomcat10 (10.1.34-0+deb12u2) bookworm-security; urgency=high
.
* Team upload.
* Fix CVE-2025-24813:
It was found that a malicious user was able to view security sensitive
files and/or inject content into those files when writes were enabled for
the default servlet (disabled by default) and support for partial PUT was
enabled (default). Under certain circumstances, depending on the
application in use, remote code execution may have been possible.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2025-24813.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+tomcat10 (10.1.34-0+deb12u2) bookworm-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2025-24813:
+ It was found that a malicious user was able to view security sensitive
+ files and/or inject content into those files when writes were enabled for
+ the default servlet (disabled by default) and support for partial PUT was
+ enabled (default). Under certain circumstances, depending on the
+ application in use, remote code execution may have been possible.
+
+ -- Markus Koschany <apo at debian.org> Wed, 01 Apr 2025 23:03:17 +0200
+
tomcat10 (10.1.34-0+deb12u1) bookworm-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2025-24813.patch
=====================================
@@ -0,0 +1,58 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 29 Mar 2025 11:47:08 +0100
+Subject: CVE-2025-24813
+
+Origin: https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
+---
+ java/org/apache/catalina/servlets/DefaultServlet.java | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
+index 2accac4..3186135 100644
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -611,7 +611,7 @@ public class DefaultServlet extends HttpServlet {
+ }
+
+ InputStream resourceInputStream = null;
+-
++ File tempContentFile = null;
+ try {
+ // Append data specified in ranges to existing content for this
+ // resource - create a temp. file on the local filesystem to
+@@ -620,8 +620,8 @@ public class DefaultServlet extends HttpServlet {
+ if (range == IGNORE) {
+ resourceInputStream = req.getInputStream();
+ } else {
+- File contentFile = executePartialPut(req, range, path);
+- resourceInputStream = new FileInputStream(contentFile);
++ tempContentFile = executePartialPut(req, range, path);
++ resourceInputStream = new FileInputStream(tempContentFile);
+ }
+
+ if (resources.write(path, resourceInputStream, true)) {
+@@ -645,6 +645,9 @@ public class DefaultServlet extends HttpServlet {
+ // Ignore
+ }
+ }
++ if (tempContentFile != null) {
++ tempContentFile.delete();
++ }
+ }
+ }
+
+@@ -667,13 +670,7 @@ public class DefaultServlet extends HttpServlet {
+ // resource - create a temp. file on the local filesystem to
+ // perform this operation
+ File tempDir = (File) getServletContext().getAttribute(ServletContext.TEMPDIR);
+- // Convert all '/' characters to '.' in resourcePath
+- String convertedResourcePath = path.replace('/', '.');
+- File contentFile = new File(tempDir, convertedResourcePath);
+- if (contentFile.createNewFile()) {
+- // Clean up contentFile when Tomcat is terminated
+- contentFile.deleteOnExit();
+- }
++ File contentFile = File.createTempFile("put-part-", null, tempDir);
+
+ try (RandomAccessFile randAccessContentFile = new RandomAccessFile(contentFile, "rw")) {
+
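Review bot: the temp file created by `+ File contentFile = File.createTempFile("put-part-", null, tempDir);` is only removed by the caller's `tempContentFile.delete()` in the finally block, so if executePartialPut throws after creating it (for example while opening or writing the RandomAccessFile that follows), the assignment `tempContentFile = executePartialPut(req, range, path);` never happens, tempContentFile stays null and the file is left behind in TEMPDIR; the removed `contentFile.deleteOnExit();` no longer covers even that case at shutdown. Suggest wrapping the remainder of executePartialPut in a try/catch that deletes contentFile before rethrowing. Minor: the return value of `tempContentFile.delete();` is discarded; logging a failed deletion would let operators notice leftover partial-PUT content. The core change is sound: the unique name from createTempFile replaces the path-derived name `path.replace('/', '.')`, whose `createNewFile()` result was ignored, so a pre-existing file with a matching name in TEMPDIR was silently reused by the RandomAccessFile opened in "rw" mode.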
=====================================
debian/patches/series
=====================================
@@ -12,3 +12,4 @@
0021-dont-test-unsupported-ciphers.patch
exclude-TestJNDIRealmIntegration.patch
disable-jacoco.patch
+CVE-2025-24813.patch
View it on GitLab: https://salsa.debian.org/java-team/tomcat10/-/commit/785ab48daf6d9014a78525dfae4a75d3eb18a736