Confirm unsubscribe

On Wed, Sep 28, 2022 at 8:36 PM Nicholas Ascione <nick.asci...@gmail.com> wrote:
> Confirm unsubscribe
>
> On Wed, Sep 28, 2022 at 9:01 AM Mark Thomas <ma...@apache.org> wrote:
> > CVE-2021-43980 Apache Tomcat - Information Disclosure
> >
> > Severity: High
> >
> > Vendor: The Apache Software Foundation
> >
> > Versions Affected:
> > Apache Tomcat 10.1.0-M1 to 10.1.0-M12
> > Apache Tomcat 10.0.0-M1 to 10.0.18
> > Apache Tomcat 9.0.0-M1 to 9.0.60
> > Apache Tomcat 8.5.0 to 8.5.77
> >
> > Description:
> > The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
> >
> > Mitigation:
> > Users of the affected versions should apply one of the following mitigations:
> > - Upgrade to Apache Tomcat 10.1.0-M14 or later once released
> > - Upgrade to Apache Tomcat 10.0.20 or later once released
> > - Upgrade to Apache Tomcat 9.0.62 or later once released
> > - Upgrade to Apache Tomcat 8.5.78 or later once released
> > - Note 10.1.0-M13, 10.0.19 and 9.0.61 were not released
> >
> > Credit:
> > Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for discovering the issue and working with the Tomcat security team to identify the root cause and appropriate fix.
> >
> > History:
> > 2022-09-28 Original advisory
> >
> > References:
> > [1] https://tomcat.apache.org/security-10.html
> > [2] https://tomcat.apache.org/security-9.html
> > [3] https://tomcat.apache.org/security-8.html
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
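As an added example (not part of the advisory or of any reply in this thread), the version-range check a fleet owner would run before applying the upgrade mitigation above: it parses Tomcat version strings, orders milestone builds ahead of the final release that carries the same number, and maps a version to the affected range from the advisory, if any. The banner format `Apache Tomcat/x.y.z` (as printed by `catalina.sh version`) is an assumption; the sample banner is constructed.

```python
import re
from typing import Optional, Tuple

# Inclusive ranges exactly as listed under "Versions Affected" in the advisory.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M12"),
    ("10.0.0-M1", "10.0.18"),
    ("9.0.0-M1", "9.0.60"),
    ("8.5.0", "8.5.77"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# Assumed banner format, e.g. "Server version: Apache Tomcat/9.0.60"
# as printed by `catalina.sh version`; adjust if your output differs.
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Map '10.1.0-M12' to a sortable tuple.  Milestones sort before the
    final release with the same x.y.z: (10,1,0,0,12) < (10,1,0,1,0).
    Raises ValueError on anything that is not a Tomcat version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the advisory range containing `version`, or None if unaffected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high)
    return None


def version_from_banner(banner: str) -> Optional[str]:
    """Pull the version out of a server banner line; None if absent."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample banner, not output captured from a real host.
    sample = "Server version: Apache Tomcat/9.0.60"
    ver = version_from_banner(sample)
    print(ver, affected_range(ver))  # 9.0.60 ('9.0.0-M1', '9.0.60')
```

A version reported as affected should be compared against the "once released" fixed versions in the mitigation list, since 10.1.0-M13, 10.0.19 and 9.0.61 never shipped.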