Updated tomcat packages fix security vulnerabilities
Publication date: 26 Mar 2024
Modification date: 26 Mar 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-23672, CVE-2024-24549
Description
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. (CVE-2024-23672)

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. (CVE-2024-24549)
SRPMS
9/core
- tomcat-9.0.87-1.mga9