[ https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487484#comment-17487484 ]
Michael Brohl commented on OFBIZ-11848:
---------------------------------------

Hi Jacques,

I don't remember, the commit is 1.5 years old. I have to check this.

Any reasons why you are pushing commits towards the old OFBIZ-11407, which is nearly 2 years old and closed? Shouldn't they go to a new Jira?

> Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)
> -----------------------------------------------------
>
>                 Key: OFBIZ-11848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11848
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: 17.12.03, Trunk, 18.12.01
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>             Fix For: Release Branch 17.12, 18.12.01
>
>
> CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M5
> Apache Tomcat 9.0.0.M1 to 9.0.35
> Apache Tomcat 8.5.0 to 8.5.55
>
> Description:
> A specially crafted sequence of HTTP/2 requests could trigger high CPU
> usage for several seconds. If a sufficient number of such requests were
> made on concurrent HTTP/2 connections, the server could become unresponsive.
>
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M6 or later
> - Upgrade to Apache Tomcat 9.0.36 or later
> - Upgrade to Apache Tomcat 8.5.56 or later
>
> Credit:
> This issue was reported publicly via the Apache Tomcat Users mailing
> list without reference to the potential for DoS. The DoS risks were
> identified by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
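The advisory quoted in the ticket lists affected versions in Tomcat's own notation, where milestone builds (`9.0.0.M1`, `10.0.0-M5`) sort before the GA release of the same number, so a naive string or tuple comparison gets the boundaries wrong. The following is an added example, not code from the OFBiz project or the ticket: it parses those version strings, checks a version against the three affected ranges exactly as stated above, and reads the version out of the `server.info=Apache Tomcat/…` line that Tomcat ships in `ServerInfo.properties`. The sample properties text is constructed here for the demonstration.

```python
import re
from typing import Optional, Tuple

# Affected ranges copied from the advisory quoted in OFBIZ-11848 (inclusive bounds).
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M5"),
    ("9.0.0.M1", "9.0.35"),
    ("8.5.0", "8.5.55"),
]

# major.minor.patch with an optional milestone suffix written as ".M<n>" or "-M<n>".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    The fourth and fifth components encode the release stage: (0, n) for
    milestone n and (1, 0) for a GA release, so 9.0.0.M1 < 9.0.0 and
    10.0.0-M5 < 10.0.0-M6 < 10.0.0 compare the way Tomcat intends.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    stage = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + stage


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_server_info(properties_text: str) -> Optional[str]:
    """Extract the version from the 'server.info=Apache Tomcat/<version>' line
    found in org/apache/catalina/util/ServerInfo.properties inside catalina.jar.
    Returns None when no such line is present."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.info":
            prefix, slash, ver = value.strip().partition("/")
            if slash and prefix == "Apache Tomcat":
                return ver
    return None


# Constructed sample of the properties file as shipped with the version OFBiz
# was on before this ticket (9.0.34); not copied from a real installation.
SAMPLE_SERVER_INFO = """\
server.info=Apache Tomcat/9.0.34
server.number=9.0.34.0
server.built=Apr 3 2020 12:00:00 UTC
"""


def check_server_info(properties_text: str) -> Tuple[Optional[str], bool]:
    """Report (version, affected) for a ServerInfo.properties body."""
    ver = version_from_server_info(properties_text)
    return ver, (is_affected(ver) if ver is not None else False)


if __name__ == "__main__":
    ver, affected = check_server_info(SAMPLE_SERVER_INFO)
    print(f"installed: {ver}  affected by CVE-2020-11996: {affected}")
    for candidate in ("9.0.36", "8.5.56", "10.0.0-M6"):
        print(f"{candidate}: affected={is_affected(candidate)}")
```

Running it against the sample reports 9.0.34 as affected and the three upgrade targets named in the mitigation (9.0.36, 8.5.56, 10.0.0-M6) as clear; the milestone handling is what keeps 9.0.0.M1 inside the 9.x range and 10.0.0-M6 outside the 10.x range.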