Advisories » MGASA-2020-0397

Updated tomcat packages fix a security vulnerability

Publication date: 29 Oct 2020
Modification date: 29 Oct 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-13943

Description

If an HTTP/2 client exceeded the agreed maximum number of concurrent streams
for a connection (in violation of the HTTP/2 protocol), it was possible that a
subsequent request made on that connection could contain HTTP headers -
including HTTP/2 pseudo headers - from a previous request rather than the
intended headers. This could lead to users seeing responses for unexpected
resources (CVE-2020-13943).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=27396
• http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13943

SRPMS

7/core

• tomcat-9.0.38-1.mga7