[
https://issues.apache.org/jira/browse/OFBIZ-12165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Brohl updated OFBIZ-12165:
----------------------------------
Affects Version/s: (was: 17.12.03)
(was: 18.12.01)
> Upgrade Tomcat from 9.0.41 to 9.0.43
> ------------------------------------
>
> Key: OFBIZ-12165
> URL:
https://issues.apache.org/jira/browse/OFBIZ-12165> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Trunk
> Reporter: Michael Brohl
> Assignee: Michael Brohl
> Priority: Major
> Fix For: 18.12.01, Release Branch 17.12, Upcoming Branch
>
>
> CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M5
> Apache Tomcat 9.0.0.M1 to 9.0.35
> Apache Tomcat 8.5.0 to 8.5.55
> Description:
> A specially crafted sequence of HTTP/2 requests could trigger high CPU
> usage for several seconds. If a sufficient number of such requests were
> made on concurrent HTTP/2 connections, the server could become unresponsive.
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M6 or later
> - Upgrade to Apache Tomcat 9.0.36 or later
> - Upgrade to Apache Tomcat 8.5.56 or later
> Credit:
> This issue was reported publicly via the Apache Tomcat Users mailing
> list without reference to the potential for DoS. The DoS risks were
> identified by the Apache Tomcat Security Team.
> References:
> [1]
http://tomcat.apache.org/security-10.html> [2]
http://tomcat.apache.org/security-9.html> [3]
http://tomcat.apache.org/security-8.html--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
