Описание
ELSA-2025-11332: tomcat9 security update (IMPORTANT)
[1:9.0.87-5.1]
- Resolves: RHEL-91765 tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (CVE-2025-31650)
- Resolves: RHEL-71981 tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation (CVE-2024-56337)
Обновленные пакеты
Oracle Linux 10
Oracle Linux aarch64
tomcat9
9.0.87-5.el10_0.1
tomcat9-admin-webapps
9.0.87-5.el10_0.1
tomcat9-docs-webapp
9.0.87-5.el10_0.1
tomcat9-el-3.0-api
9.0.87-5.el10_0.1
tomcat9-jsp-2.3-api
9.0.87-5.el10_0.1
tomcat9-lib
9.0.87-5.el10_0.1
tomcat9-servlet-4.0-api
9.0.87-5.el10_0.1
tomcat9-webapps
9.0.87-5.el10_0.1
Oracle Linux x86_64
tomcat9
9.0.87-5.el10_0.1
tomcat9-admin-webapps
9.0.87-5.el10_0.1
tomcat9-docs-webapp
9.0.87-5.el10_0.1
tomcat9-el-3.0-api
9.0.87-5.el10_0.1
tomcat9-jsp-2.3-api
9.0.87-5.el10_0.1
tomcat9-lib
9.0.87-5.el10_0.1
tomcat9-servlet-4.0-api
9.0.87-5.el10_0.1
tomcat9-webapps
9.0.87-5.el10_0.1
Связанные CVE
Связанные уязвимости
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.