
   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 26,979 of 28,835   
   Markus Wernig to All   
   Bug#1127560: tomcat10: New limit "maxPar   
   09 Feb 26 22:30:02   
   
   From: public@wernig.net   
      
   Package: tomcat10   
   Version: 10.1.52-1~deb13u1   
   Severity: normal   
   X-Debbugs-Cc: public@wernig.net, team@security.debian.org   
      
   Dear Maintainer,   
      
   The security update to tomcat-10.1.52-1~deb13u1 introduced the following   
   new configurable limits:   
      
   maxPartCount (default: 50)   
   maxPartHeaderSize (default: 512)   
      
   They were first added upstream in this commit:   
   https://github.com/apache/tomcat/commit/e34fe96ef8ee782b0e56b6438e8dc57cbe336a6,
   with maxPartCount later raised to default 50.   
      
   The maxPartCount is used, together with the existing maxParameterCount,   
   to set an upper limit on how many parameters and parts a request can   
   contain, with the lower of the two values being applied to both limits.   
   If the maxPartCount limit is hit, all (!) parameters are removed from   
   the request before it is passed on to the application.   
      
   Unfortunately, there are many existing applications that have much larger
   numbers of parameters in a single request, so it is necessary to set
   higher limits in server.xml.
      
   The problem - and the reason for this bug report - is that:
   a) There is no mention of these new limits in any change log, except for   
   the original git commit message.   
   b) The current default log configuration on Debian prevents any error   
   message from being logged when that limit is hit, so that it is nearly   
   impossible to find the cause of the seemingly empty requests.   
      
   I would ask you to:   
   a) Make a new package version   
   b) Have that new version report the (breaking) change via apt-listchanges   
   c) Add the line "maxPartCount=50" and an explanatory text to the default   
   server.xml file.   
      
   Thank you and best regards   
      
   Markus   
      
      
   -- System Information:   
   Debian Release: 13.3   
     APT prefers stable-updates   
     APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,   
   'stable')   
   Architecture: amd64 (x86_64)   
      
   Kernel: Linux 6.12.63+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)   
   Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE   
   Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:   
   LC_ALL set to en_US.utf8), LANGUAGE=en_US:en   
   Shell: /bin/sh linked to /usr/bin/dash   
   Init: systemd (via /run/systemd/system)   
   LSM: AppArmor: enabled   
      
   Versions of packages tomcat10 depends on:   
   ii  systemd [systemd-tmpfiles]  257.9-1~deb13u1   
   ii  tomcat10-common             10.1.52-1~deb13u1   
   ii  ucf                         3.0052   
      
   Versions of packages tomcat10 recommends:   
   ii  libtcnative-1  1.3.1-1+b1   
      
   Versions of packages tomcat10 suggests:   
   pn  tomcat10-admin        
   pn  tomcat10-docs         
   pn  tomcat10-examples     
   pn  tomcat10-user         
      
   -- Configuration Files:   
   /etc/tomcat10/policy.d/01system.policy [Errno 13] Permission denied:   
   '/etc/tomcat10/policy.d/01system.policy'   
   /etc/tomcat10/policy.d/02debian.policy [Errno 13] Permission denied:   
   '/etc/tomcat10/policy.d/02debian.policy'   
   /etc/tomcat10/policy.d/03catalina.policy [Errno 13] Permission denied:   
   '/etc/tomcat10/policy.d/03catalina.policy'   
   /etc/tomcat10/policy.d/04webapps.policy [Errno 13] Permission denied:   
   '/etc/tomcat10/policy.d/04webapps.policy'   
   /etc/tomcat10/policy.d/50local.policy [Errno 13] Permission denied:   
   '/etc/tomcat10/policy.d/50local.policy'   
      
   -- no debconf information   
      

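The following is an added example, not part of the bug report and not Tomcat or Debian code: a small audit that reads a server.xml and reports, per connector, the effective limit the report describes (the lower of maxPartCount and maxParameterCount) and whether it is below what deployed applications need. It assumes both limits are attributes of the `<Connector>` element; `largest_form` is a hypothetical input and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Defaults as quoted in the bug report above.
REPORTED_DEFAULTS = {"maxPartCount": 50, "maxPartHeaderSize": 512}

# Constructed sample configuration, not Debian's shipped server.xml.
SAMPLE_SERVER_XML = """\
<Server port="-1">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1"
               maxParameterCount="200" maxPartCount="500" />
  </Service>
</Server>
"""


def audit_connectors(server_xml, largest_form):
    """Return one finding per <Connector>.

    largest_form (hypothetical input): the most parts/parameters any
    deployed application legitimately sends in one request.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        explicit = conn.get("maxPartCount")
        part_count = int(explicit) if explicit is not None else REPORTED_DEFAULTS["maxPartCount"]
        limits = [part_count]
        param_count = conn.get("maxParameterCount")
        # Only an explicitly configured, non-negative maxParameterCount is
        # considered; its built-in default is not stated in the report.
        if param_count is not None and int(param_count) >= 0:
            limits.append(int(param_count))
        effective = min(limits)  # "the lower of the two values" per the report
        findings.append({
            "port": conn.get("port"),
            "explicit_part_count": explicit is not None,
            "effective_limit": effective,
            "too_low": effective < largest_form,
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML, largest_form=120):
        state = "RISK: requests may arrive with no parameters" if f["too_low"] else "ok"
        print(f"connector {f['port']}: limit {f['effective_limit']} -> {state}")
```

A connector flagged here with `explicit_part_count` false is one where the limit arrived silently with the package update rather than through a local configuration choice.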