Advisories » MGASA-2020-0331

Updated tomcat packages fix security vulnerability

Publication date: 18 Aug 2020
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-11996, CVE-2020-13934, CVE-2020-13935

Description

A specially crafted sequence of HTTP/2 requests could trigger high CPU usage
for several seconds. If a sufficient number of such requests were made on
concurrent HTTP/2 connections, the server could become unresponsive
(CVE-2020-11996).

An h2c direct connection did not release the HTTP/1.1 processor after the
upgrade to HTTP/2. If a sufficient number of such requests were made, an
OutOfMemoryException could occur leading to a denial of service
(CVE-2020-13934).

The payload length in a WebSocket frame was not correctly validated. Invalid
payload lengths could trigger an infinite loop. Multiple requests with invalid
payload lengths could lead to a denial of service (CVE-2020-13935).
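As an added illustration of the payload-length validation that the WebSocket issue (CVE-2020-13935) concerns, the parser below is example code written for this page, not Tomcat's own implementation: it decodes an RFC 6455 frame header and rejects malformed lengths up front, so the caller never ends up looping on a length it cannot satisfy. The MAX_PAYLOAD value is an assumed per-deployment limit.

```python
import struct

# Assumed per-deployment limit on a single frame's payload (constructed for this example).
MAX_PAYLOAD = 1 << 20


class FrameError(ValueError):
    """Raised for any frame header that must not be processed further."""


def parse_frame_header(buf: bytes) -> tuple[int, bool, int, int]:
    """Parse an RFC 6455 frame header.

    Returns (opcode, fin, payload_len, header_len). Raises FrameError for
    truncated headers, non-minimal length encodings, a 64-bit length with its
    most significant bit set (forbidden by the RFC), oversized control frames,
    and payloads above MAX_PAYLOAD.
    """
    if len(buf) < 2:
        raise FrameError("truncated header")
    b0, b1 = buf[0], buf[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length == 126:                       # 16-bit extended length follows
        if len(buf) < 4:
            raise FrameError("truncated 16-bit length")
        length = struct.unpack_from(">H", buf, 2)[0]
        pos = 4
        if length < 126:
            raise FrameError("non-minimal 16-bit length")
    elif length == 127:                     # 64-bit extended length follows
        if len(buf) < 10:
            raise FrameError("truncated 64-bit length")
        length = struct.unpack_from(">Q", buf, 2)[0]
        pos = 10
        if length & (1 << 63):              # RFC 6455 5.2: MSB MUST be 0
            raise FrameError("64-bit length has MSB set")
        if length < 65536:
            raise FrameError("non-minimal 64-bit length")
    if opcode >= 0x8:                       # control frame: small and unfragmented
        if length > 125 or not fin:
            raise FrameError("invalid control frame")
    if length > MAX_PAYLOAD:
        raise FrameError("payload exceeds configured limit")
    if masked:                              # 4-byte masking key follows the length
        if len(buf) < pos + 4:
            raise FrameError("truncated masking key")
        pos += 4
    return opcode, fin, length, pos


def is_valid_header(buf: bytes) -> bool:
    """True if the header parses cleanly, False if it must be rejected."""
    try:
        parse_frame_header(buf)
        return True
    except FrameError:
        return False
```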
SRPMS

7/core