{"id":"MGASA-2023-0191","summary":"Updated tomcat packages fix security vulnerability","details":"The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to\n11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If\nnon-default HTTP connector settings were used such that the\nmaxParameterCount could be reached using query string parameters and a\nrequest was submitted that supplied exactly maxParameterCount parameters\nin the query string, the limit for uploaded request parts could be\nbypassed with the potential for a denial of service to occur.\n(CVE-2023-28709)\n","modified":"2026-04-16T04:40:46.267825298Z","published":"2023-05-31T06:41:32Z","upstream":["CVE-2023-28709"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0191.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=31951"},{"type":"WEB","url":"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.74"}],"affected":[{"package":{"name":"tomcat","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/tomcat?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.74-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0191.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}