Bug#854551: Bug#851304: tomcat8 use 100% cpu time

Salvatore Bonaccorso carnil at debian.org
Sat Feb 18 12:21:35 UTC 2017


Hi Markus,

On Fri, Feb 17, 2017 at 10:19:18PM +0100, Markus Koschany wrote:
> On 17.02.2017 22:09, Salvatore Bonaccorso wrote:
> > Hi Markus, hi Emmanuel,
> > 
> > On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
> >> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
> >>> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> >>>> Hi,
> >>>>
> >>>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> >>>> the issue is related to our latest security updates. We would like to
> >>>> address this regression as soon as possible because this one can be
> >>>> triggered remotely and cause a denial-of-service.
> >>>>
> >>>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> >>>> will update the changelogs later.
> >>>
> >>> Thanks, please upload.
> >>
> >> Thanks. Uploaded.
> > 
> > Btw, I requested a CVE for this issue and it got assigned
> > CVE-2017-6056.
> 
> Hi Salvatore,
> 
> Thank you. However apparently the fix was not complete. We received two
> reports that the server returns 400 errors under certain circumstances. [1]
> We need to prepare a regression update and the suggested fix is [2].
> Sorry for the inconvenience.

No problem. Thanks for noticing, can you let us know as usual when you
have a debdiff ready for the regression update?

I tend to see this as a regression update for the previous DSA, so no
need for a new CVE id. But let me know if someone thinks otherwise and
I can follow up with MITRE.

Thanks for your continuous work,

Regards,
Salvatore
