Source: tomcat9
Source-Version: 9.0.22-1

On Wed, Jun 26, 2019 at 08:39:00PM +0200, Salvatore Bonaccorso wrote:
> Source: tomcat9
> Version: 9.0.16-4
> Severity: important
> Tags: security upstream
> Control: found -1 9.0.16-1
>
> Hi,
>
> The following vulnerability was published for tomcat9.
>
> CVE-2019-10072[0]:
> | The fix for CVE-2019-0199 was incomplete and did not address HTTP/2
> | connection window exhaustion on write in Apache Tomcat versions
> | 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE
> | messages for the connection window (stream 0) clients were able to
> | cause server-side threads to block eventually leading to thread
> | exhaustion and a DoS.

The issue was fixed upstream in 9.0.20, but the upload to unstable for 9.0.22 did not contain the bug closer. Closing thus manually.

Regards,
Salvatore