Bug#854551: Bug#851304: tomcat8 use 100% cpu time

Markus Koschany apo at debian.org
Fri Feb 17 21:19:18 UTC 2017


On 17.02.2017 22:09, Salvatore Bonaccorso wrote:
> Hi Markus, hi Emmanuel,
> 
> On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
>> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
>>> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
>>>> Hi,
>>>>
>>>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
>>>> the issue is related to our latest security updates. We would like to
>>>> address this regression as soon as possible because this one can be
>>>> triggered remotely and cause a denial-of-service.
>>>>
>>>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
>>>> will update the changelogs later.
>>>
>>> Thanks, please upload.
>>
>> Thanks. Uploaded.
> 
> Btw, I requested a CVE for this issue and it got assigned
> CVE-2017-6056.

Hi Salvatore,

Thank you. However, apparently the fix was not complete. We received two
reports that the server returns 400 errors under certain circumstances. [1]
We need to prepare a regression update and the suggested fix is [2].
Sorry for the inconvenience.

Regards,

Markus


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854551#59
[2] https://github.com/apache/tomcat80/commit/534d62075f8c03cc3e77f301e53be53acdefd1c9.patch

