Fwd: [SECURITY] CVE-2016-8747 Apache Tomcat Information Disclosure

> FYI
>
>
> -------- Weitergeleitete Nachricht --------
> Betreff:     [SECURITY] CVE-2016-8747 Apache Tomcat Information Disclosure
> Datum:     Mon, 13 Mar 2017 20:05:14 +0000
> Von:     Mark Thomas <[hidden email]>
> An:     Tomcat Users List <[hidden email]>
> Kopie (CC):     Tomcat Developers List <[hidden email]>, [hidden email] <[hidden email]>, [hidden email]
>
>
>
> CVE-2016-8747 Apache Tomcat Information Disclosure
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M11 to 9.0.0.M15
> Apache Tomcat 8.5.7 to 8.5.9
>
> Description
> The refactoring to make wider use of ByteBuffer introduced a regression
> that could cause information to leak between requests on the same
> connection. When running behind a reverse proxy, this could result in
> information leakage between users. All HTTP connector variants are
> affected but HTTP/2 and AJP are not affected.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.0.M17 or later
>   (Apache Tomcat 9.0.0.M16 has the fix but was not released)
> - Upgrade to Apache Tomcat 8.5.11 or later
>   (Apache Tomcat 8.5.10 has the fix but was not released)
> Earlier versions are not affected
>
> Credit:
> This issue was identified by the Tomcat security team.
>
> History:
> 2017-03-13 Original advisory
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
>
>