Hi, I have looked at the commits and all of them have changes in http2. Is this an issue in case we don't use http2?

Thank you.

Regards,
Zdenek Henek

On Mon, Apr 28, 2025 at 7:12 PM Mark Thomas <ma...@apache.org> wrote:
> CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header
>
> Severity: High
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 11.0.0-M2 to 11.0.5
> Apache Tomcat 10.1.10 to 10.1.39
> Apache Tomcat 9.0.76 to 9.0.102
>
> Description:
> Incorrect error handling for some invalid HTTP priority headers resulted
> in incomplete clean-up of the failed request which created a memory
> leak. A large number of such requests could trigger an
> OutOfMemoryException resulting in a denial of service.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 11.0.6 or later
> - Upgrade to Apache Tomcat 10.1.40 or later
> - Upgrade to Apache Tomcat 9.0.104 or later
>
> Note: This issue was fixed in Apache Tomcat 9.0.103 but the release vote
> for the 9.0.103 release candidate did not pass. Therefore, although
> users must download 9.0.104 to obtain a version that includes a fix for
> this issue, version 9.0.103 is not included in the list of affected
> versions.
>
> Credit:
> The vulnerability was identified by the Tomcat security team.
>
> History:
> 2025-04-28 Original advisory
>
> References:
> [1] https://tomcat.apache.org/security-11.html
> [2] https://tomcat.apache.org/security-10.html
> [3] https://tomcat.apache.org/security-9.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>