Your message dated Mon, 13 Jul 2020 12:56:40 +0200
with message-id <[email protected]>
and subject line Re: tomcat9: CVE-2019-10072
has caused the Debian Bug report #930873,
regarding tomcat8: CVE-2019-10072
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
930873: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930873
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tomcat9
Version: 9.0.16-4
Severity: important
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:tomcat8 8.5.39-1
Control: retitle -2 tomcat8: CVE-2019-10072

Hi,

The following vulnerability was published for tomcat9.

CVE-2019-10072[0]:
| The fix for CVE-2019-0199 was incomplete and did not address HTTP/2
| connection window exhaustion on write in Apache Tomcat versions
| 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE
| messages for the connection window (stream 0) clients were able to
| cause server-side threads to block eventually leading to thread
| exhaustion and a DoS.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10072
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072
[1] https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
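The mechanism in the CVE text above (HTTP/2 flow control has two windows, a per-stream one and a connection-level one on stream 0; a client that acknowledges only the stream window lets the connection window drain to zero, after which every server thread writing DATA frames blocks) can be made concrete with a small model. The block below is an added example written for this page; it is not the bug report's, Debian's or Tomcat's code. It implements the RFC 7540 window accounting in pure Python, runs a few "server" worker threads against a constructed client that either does or does not send WINDOW_UPDATE for stream 0, and shows that a bounded wait on a blocked write releases the threads. That write timeout is an illustrative mitigation chosen here, not a description of how Tomcat fixed the issue; the class and function names are this example's own.

```python
import threading
import time
from collections import defaultdict

DEFAULT_WINDOW = 65535   # RFC 7540 initial flow-control window size
MAX_FRAME = 16384        # RFC 7540 default SETTINGS_MAX_FRAME_SIZE


class FlowControlState:
    """Server-side view of the HTTP/2 flow-control windows on one connection.

    Illustrative model for this example: the connection window is stream 0,
    each stream additionally has its own window, and a DATA frame may only be
    sent when both windows have room.
    """

    def __init__(self, initial=DEFAULT_WINDOW):
        self.conn_window = initial                              # stream 0
        self.stream_windows = defaultdict(lambda: initial)      # per stream
        self.cv = threading.Condition()

    def window_update(self, stream_id, increment):
        """Client sent WINDOW_UPDATE(stream_id, increment)."""
        with self.cv:
            if stream_id == 0:
                self.conn_window += increment
            else:
                self.stream_windows[stream_id] += increment
            self.cv.notify_all()

    def reserve(self, stream_id, nbytes, timeout=None):
        """Block until some bytes can be sent on stream_id.

        Returns the number of bytes reserved, or None if `timeout` seconds
        passed with both windows still exhausted. timeout=None waits forever,
        which is the thread-exhaustion case the CVE describes.
        """
        deadline = None if timeout is None else time.monotonic() + timeout
        with self.cv:
            while min(self.conn_window, self.stream_windows[stream_id]) <= 0:
                remaining = None if deadline is None else deadline - time.monotonic()
                if remaining is not None and remaining <= 0:
                    return None
                self.cv.wait(remaining)
            n = min(nbytes, self.conn_window, self.stream_windows[stream_id])
            self.conn_window -= n
            self.stream_windows[stream_id] -= n
            return n


def serve_stream(fc, stream_id, body_len, on_frame, write_timeout):
    """One server thread writing a `body_len`-byte response as DATA frames."""
    sent = 0
    while sent < body_len:
        n = fc.reserve(stream_id, min(MAX_FRAME, body_len - sent), write_timeout)
        if n is None:
            return ("timeout", sent)      # mitigation: give up the thread
        sent += n
        on_frame(stream_id, n)            # client "receives" the frame
    return ("done", sent)


def make_client(fc, ack_connection_window):
    """Constructed client. The malicious variant acknowledges only the stream
    window and never sends WINDOW_UPDATE for stream 0."""
    def on_frame(stream_id, n):
        fc.window_update(stream_id, n)
        if ack_connection_window:
            fc.window_update(0, n)
    return on_frame


def simulate(ack_connection_window, write_timeout, streams=4,
             body_len=100_000, wait=1.0):
    """Run `streams` worker threads against one connection and report how many
    are still blocked after `wait` seconds."""
    fc = FlowControlState()
    on_frame = make_client(fc, ack_connection_window)
    results = {}

    def worker(sid):
        results[sid] = serve_stream(fc, sid, body_len, on_frame, write_timeout)

    # client-initiated stream ids are odd
    threads = [threading.Thread(target=worker, args=(sid,), daemon=True)
               for sid in range(1, 2 * streams, 2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join(wait)
    return {"blocked_threads": sum(t.is_alive() for t in threads),
            "results": results,
            "connection_window": fc.conn_window}


if __name__ == "__main__":
    print("well-behaved client :", simulate(True, None))
    print("no stream-0 updates :", simulate(False, None, wait=0.3))
    print("same, write timeout :", simulate(False, 0.2))
```

With a well-behaved client all four responses complete. Without WINDOW_UPDATE for stream 0 the connection window reaches zero after exactly 65535 bytes in total, whatever the per-stream windows say, and every worker stays parked in `reserve` indefinitely; a client that opens one such connection per server thread gets the DoS. With a bounded write wait the workers return "timeout" and the thread pool recovers, which is the property a fix for this class of bug has to provide.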
--- Begin Message ---
Closing because the incomplete fix for CVE-2019-0199 was never applied
in Debian.

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
