[GHSA-qcxh-w3j9-58qr] Apache Tomcat Denial of Service vulnerability#7516
aruneko wants to merge 1 commit into aruneko/advisory-improvement-7516 from
Conversation
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Updates the GHSA advisory for CVE-2019-0199 (Apache Tomcat DoS) by expanding the set of affected Maven artifacts and adjusting metadata to reflect the change.
Changes:
- Added org.apache.tomcat:tomcat-coyote as an affected package with fixed versions for the 8.x and 9.x lines.
- Updated the advisory "modified" timestamp.
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.apache.tomcat:tomcat-coyote" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "9.0.0" | ||
| }, | ||
| { | ||
| "fixed": "9.0.16" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.apache.tomcat:tomcat-coyote" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "8.0.0" | ||
| }, | ||
| { | ||
| "fixed": "8.5.38" | ||
| } | ||
| ] | ||
| } | ||
| ] |
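Review bot: the two new affected entries for org.apache.tomcat:tomcat-coyote list the 9.x range (introduced 9.0.0, fixed 9.0.16) before the 8.x range (introduced 8.0.0, fixed 8.5.38); since both entries carry identical "package" coordinates, folding them into one affected item whose "ranges" array holds the 8.x event pair first and the 9.x pair second keeps the intervals in ascending order and avoids any consumer that keys on ecosystem plus name silently keeping only one of the two ranges.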
Having two separate affected entries with the exact same package can be risky for downstream tooling that deduplicates/keys by package coordinates (some pipelines may accidentally drop one range). Consider representing tomcat-coyote as a single affected item with multiple ranges entries (one for 8.x and one for 9.x) so all vulnerable intervals are guaranteed to be preserved.
fix affected packages depends on patch codes