Описание
ELSA-2025-11333: tomcat security update (IMPORTANT)
[1:9.0.87-1.el8_10.4]
- Resolves: RHEL-91761 tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (CVE-2025-31650)
- Resolves: RHEL-71971 tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation (CVE-2024-56337)
Обновленные пакеты
Oracle Linux 8
Oracle Linux aarch64
tomcat
9.0.87-1.el8_10.4
tomcat-admin-webapps
9.0.87-1.el8_10.4
tomcat-docs-webapp
9.0.87-1.el8_10.4
tomcat-el-3.0-api
9.0.87-1.el8_10.4
tomcat-jsp-2.3-api
9.0.87-1.el8_10.4
tomcat-lib
9.0.87-1.el8_10.4
tomcat-servlet-4.0-api
9.0.87-1.el8_10.4
tomcat-webapps
9.0.87-1.el8_10.4
Oracle Linux x86_64
tomcat
9.0.87-1.el8_10.4
tomcat-admin-webapps
9.0.87-1.el8_10.4
tomcat-docs-webapp
9.0.87-1.el8_10.4
tomcat-el-3.0-api
9.0.87-1.el8_10.4
tomcat-jsp-2.3-api
9.0.87-1.el8_10.4
tomcat-lib
9.0.87-1.el8_10.4
tomcat-servlet-4.0-api
9.0.87-1.el8_10.4
tomcat-webapps
9.0.87-1.el8_10.4
Связанные CVE
Связанные уязвимости
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.