Bug#931131: tomcat9: CVE-2019-10072

Salvatore Bonaccorso carnil at debian.org
Fri Jul 12 22:38:53 BST 2019


Source: tomcat9
Source-Version: 9.0.22-1

On Wed, Jun 26, 2019 at 08:39:00PM +0200, Salvatore Bonaccorso wrote:
> Source: tomcat9
> Version: 9.0.16-4
> Severity: important
> Tags: security upstream
> Control: found -1 9.0.16-1
> 
> Hi,
> 
> The following vulnerability was published for tomcat9.
> 
> CVE-2019-10072[0]:
> | The fix for CVE-2019-0199 was incomplete and did not address HTTP/2
> | connection window exhaustion on write in Apache Tomcat versions
> | 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE
> | messages for the connection window (stream 0) clients were able to
> | cause server-side threads to block eventually leading to thread
> | exhaustion and a DoS.

The issue was fixed upstream in 9.0.20, but the upload to unstable for
9.0.22 did not contain the bug closer. Closing thus manually.

Regards,
Salvatore
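The quoted CVE text describes HTTP/2 connection-level flow control: a server thread must wait for send-window credit on stream 0 before writing DATA frames, and a peer that withholds WINDOW_UPDATE keeps that thread parked. The following added example (my own toy model, not Tomcat code and not taken from the bug report) simulates that window with a condition variable and contrasts an unbounded wait with a bounded one; the `ConnectionWindow`, `write_response` and `demo_*` names, the 16 KiB chunk size and the timing values are assumptions made for the illustration.

```python
import threading
import time

# Initial connection-level flow-control window in HTTP/2 (RFC 7540, section 6.9.2).
DEFAULT_WINDOW = 65535


class ConnectionWindow:
    """Toy model of the HTTP/2 connection-level send window (stream 0).

    A server thread that wants to write DATA must first take bytes from
    this window. The peer replenishes it with WINDOW_UPDATE frames. If the
    peer never does, an unbounded wait pins the thread forever; a bounded
    wait lets the server give up and tear the connection down instead.
    """

    def __init__(self, initial=DEFAULT_WINDOW):
        self._available = initial
        self._cond = threading.Condition()

    def window_update(self, increment):
        # Peer credited us more bytes: wake any writer waiting for window.
        with self._cond:
            self._available += increment
            self._cond.notify_all()

    def reserve(self, nbytes, timeout=None):
        """Wait until some window is available, then take up to nbytes of it.

        Returns the number of bytes granted (0 on timeout). timeout=None is
        the vulnerable shape of the loop: a silent client blocks the caller
        indefinitely. A finite timeout bounds how long a thread can be held.
        """
        with self._cond:
            if not self._cond.wait_for(lambda: self._available > 0, timeout=timeout):
                return 0
            granted = min(nbytes, self._available)
            self._available -= granted
            return granted


def write_response(window, body_size, write_timeout=None):
    """Simulate one request thread streaming body_size bytes through the window.

    Returns how many bytes were sent before the thread gave up (or finished).
    """
    sent = 0
    while sent < body_size:
        granted = window.reserve(body_size - sent, timeout=write_timeout)
        if granted == 0:
            break  # timed out waiting for connection window: abort the connection
        sent += granted
    return sent


def demo_silent_client(write_timeout):
    """Constructed scenario: the client never sends WINDOW_UPDATE on stream 0.

    The thread sends the initial window, then waits; with a bounded timeout
    it returns instead of staying blocked.
    """
    window = ConnectionWindow()
    return write_response(window, DEFAULT_WINDOW + 1, write_timeout=write_timeout)


def demo_cooperative_client():
    """Constructed scenario: the client credits more window shortly after connecting."""
    window = ConnectionWindow()
    updater = threading.Thread(
        target=lambda: (time.sleep(0.05), window.window_update(DEFAULT_WINDOW)),
        daemon=True,
    )
    updater.start()
    sent = write_response(window, DEFAULT_WINDOW + 1, write_timeout=2.0)
    updater.join()
    return sent


if __name__ == "__main__":
    # Calling demo_silent_client(None) would hang forever, which is the bug's effect.
    print("silent client, 0.1s write timeout:", demo_silent_client(0.1))
    print("cooperative client:", demo_cooperative_client())
```

The point for a defender is the difference between `timeout=None` and a finite value in `reserve`: the former lets one peer hold a worker thread for as long as it keeps the TCP connection open, and enough such peers exhaust the pool. Monitoring the number of request threads blocked waiting on connection window, and bounding that wait, is what turns a silent DoS into a logged, recoverable connection error.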
