Advisories » MGASA-2024-0090

Updated tomcat packages fix security vulnerabilities

Publication date: 26 Mar 2024
Modification date: 26 Mar 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-23672, CVE-2024-24549

Description

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat.
It was possible for WebSocket clients to keep WebSocket connections open
leading to increased resource consumption. (CVE-2024-23672)

Denial of Service due to improper input validation vulnerability for
HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if
the request exceeded any of the configured limits for headers, the
associated HTTP/2 stream was not reset until after all of the headers
had been processed. (CVE-2024-24549)

References

SRPMS

9/core