Confirm unsubscribe

On Wed, Sep 28, 2022 at 9:01 AM Mark Thomas <ma...@apache.org> wrote:

> CVE-2021-43980 Apache Tomcat - Information Disclosure
>
> Severity: High
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.1.0-M1 to 10.1.0-M12
> Apache Tomcat 10.0.0-M1 to 10.0.18
> Apache Tomcat 9.0.0-M1 to 9.0.60
> Apache Tomcat 8.5.0 to 8.5.77
>
> Description:
> The simplified implementation of blocking reads and writes introduced in
> Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long
> standing (but extremely hard to trigger) concurrency bug that could
> cause client connections to share an Http11Processor instance resulting
> in responses, or part responses, to be received by the wrong client.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.1.0-M14 or later once released
> - Upgrade to Apache Tomcat 10.0.20 or later once released
> - Upgrade to Apache Tomcat 9.0.62 or later once released
> - Upgrade to Apache Tomcat 8.5.78 or later once released
> - Note 10.1.0-M13, 10.0.19 and 9.0.61 were not released
>
> Credit:
> Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for
> discovering the issue and working with the Tomcat security team to
> identify the root cause and appropriate fix.
>
> History:
> 2022-09-28 Original advisory
>
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
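A small inventory check derived from the version ranges in the advisory above; this is an added example, not code from the advisory or the Tomcat project. It assumes versions are given as `major.minor.patch` with an optional `-Mn` milestone suffix (the advisory's notation; the older dotted form `9.0.0.M1` used by the 9.0 milestone tags is accepted too) and treats the fixed releases named under Mitigation as the first unaffected versions.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the CVE-2021-43980 advisory, inclusive.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M12"),
    ("10.0.0-M1", "10.0.18"),
    ("9.0.0-M1", "9.0.60"),
    ("8.5.0", "8.5.77"),
]

# major.minor.patch with an optional milestone; '-M' per the advisory,
# '.M' as used by the 9.0.0 milestone tags (assumption: no other suffixes).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    Milestones precede the GA release of the same x.y.z, so the fourth
    element is 0 for a milestone and 1 for GA; the fifth is the milestone
    number (0 for GA).
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the advisory range that contains `version`, or None when the
    version is a fixed release or outside every affected branch."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return (lo, hi)
    return None


def is_affected(version: str) -> bool:
    """True when `version` falls inside one of the advisory's ranges."""
    return affected_range(version) is not None
```

Note that 10.1.0-M13, 10.0.19 and 9.0.61 were never released, so the check treats the first fixed versions (10.1.0-M14, 10.0.20, 9.0.62, 8.5.78) as the earliest unaffected ones on each branch.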