You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/06/28 10:48:00 UTC

[jira] [Commented] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

    [ https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17147309#comment-17147309 ] 

ASF subversion and git services commented on OFBIZ-11848:
---------------------------------------------------------

Commit 0eeaee6a253809ddbd1fd91187f96b8a3cad2162 in ofbiz-framework's branch refs/heads/release17.12 from Michael Brohl
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=0eeaee6 ]

Fixed: Upgrades Tomcat to 9.0.36 due to CVE-2020-11996 (OFBIZ-11848)

> Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)
> -----------------------------------------------------
>
>                 Key: OFBIZ-11848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11848
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: 18.12.01, 17.12.03, Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>
> CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M5
> Apache Tomcat 9.0.0.M1 to 9.0.35
> Apache Tomcat 8.5.0 to 8.5.55
> Description:
> A specially crafted sequence of HTTP/2 requests could trigger high CPU
> usage for several seconds. If a sufficient number of such requests were
> made on concurrent HTTP/2 connections, the server could become unresponsive.
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M6 or later
> - Upgrade to Apache Tomcat 9.0.36 or later
> - Upgrade to Apache Tomcat 8.5.56 or later
> Credit:
> This issue was reported publicly via the Apache Tomcat Users mailing
> list without reference to the potential for DoS. The DoS risks were
> identified by the Apache Tomcat Security Team.
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html



--
This message was sent by Atlassian Jira
(v8.3.4#803005)