[ https://issues.apache.org/jira/browse/OFBIZ-10517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-10517:
---------------------------------------

    Assignee: Jacques Le Roux

> Update Apache Tomcat to 9.0.10 because of CVE-2018-8037
> -------------------------------------------------------
>
>                 Key: OFBIZ-10517
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10517
>             Project: OFBiz
>          Issue Type: Task
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> If an async request was completed by the application at the same time as the 
> container triggered the async timeout, a race condition existed that could 
> result in a user seeing a response intended for a different user. An 
> additional issue was present in the NIO and NIO2 connectors that did not 
> correctly track the closure of the connection when an async request was 
> completed by the application and timed out by the container at the same time. 
> This could also result in a user seeing a response intended for another user. 
>  
> Mitigation: 
> Users of the affected versions should apply one of the following mitigations: 
> - Upgrade to Apache Tomcat 9.0.10 or later. 
> - Upgrade to Apache Tomcat 8.5.32 or later. 
>  
> History: 
> 2018-07-22 Original advisory 
> 2018-08-09 Update description 
>  
> References: 
> [1] [http://tomcat.apache.org/security-9.html]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
