Описание
ELSA-2025-11332: tomcat9 security update (IMPORTANT)
[1:9.0.87-5.1]
- Resolves: RHEL-91765 tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (CVE-2025-31650)
- Resolves: RHEL-71981 tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation (CVE-2024-56337)
Обновленные пакеты
Oracle Linux 10
Oracle Linux aarch64
tomcat9
9.0.87-5.el10_0.1
tomcat9-admin-webapps
9.0.87-5.el10_0.1
tomcat9-docs-webapp
9.0.87-5.el10_0.1
tomcat9-el-3.0-api
9.0.87-5.el10_0.1
tomcat9-jsp-2.3-api
9.0.87-5.el10_0.1
tomcat9-lib
9.0.87-5.el10_0.1
tomcat9-servlet-4.0-api
9.0.87-5.el10_0.1
tomcat9-webapps
9.0.87-5.el10_0.1
Oracle Linux x86_64
tomcat9
9.0.87-5.el10_0.1
tomcat9-admin-webapps
9.0.87-5.el10_0.1
tomcat9-docs-webapp
9.0.87-5.el10_0.1
tomcat9-el-3.0-api
9.0.87-5.el10_0.1
tomcat9-jsp-2.3-api
9.0.87-5.el10_0.1
tomcat9-lib
9.0.87-5.el10_0.1
tomcat9-servlet-4.0-api
9.0.87-5.el10_0.1
tomcat9-webapps
9.0.87-5.el10_0.1
Связанные CVE
Связанные уязвимости
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.