On 20/06/2019 20:35, Amit Pande wrote:
> Could you please clarify:
>
> Affected versions 8.5.0 to 8.5.40
> Mitigation says: 8.5.40 or later
>
> What am I missing?

Nothing. The affected versions are correct. The mitigation is not. It should be 8.5.41 or later. I'll issue a correction.

Thanks for pointing this out.

Mark

>
>> On Jun 20, 2019, at 2:25 PM, Mark Thomas <ma...@apache.org> wrote:
>>
>> CVE-2019-10072 Apache Tomcat HTTP/2 DoS
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 9.0.0.M1 to 9.0.19
>> Apache Tomcat 8.5.0 to 8.5.40
>>
>> Description:
>> The fix for CVE-2019-0199 was incomplete and did not address connection
>> window exhaustion on write. By not sending WINDOW_UPDATE messages for
>> the connection window (stream 0) clients were able
>> to cause server-side threads to block eventually leading to thread
>> exhaustion and a DoS.
>>
>> Mitigation:
>> Users of affected versions should apply one of the following mitigations:
>> - Upgrade to Apache Tomcat 9.0.20 or later
>> - Upgrade to Apache Tomcat 8.5.40 or later
>>
>> Credit:
>> John Simpson of Trend Micro Security Research working with Trend
>> Micro's Zero Day Initiative
>>
>> References:
>> [1] http://tomcat.apache.org/security-9.html
>> [2] http://tomcat.apache.org/security-8.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
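The advisory's failure mode, a server write that blocks forever because the client never replenishes the stream-0 connection window, can be modelled without a real HTTP/2 stack. The following is an added illustration written for this thread, not Tomcat code and not the actual fix: a small flow-control model in which the server's DATA writer either waits indefinitely for WINDOW_UPDATE (the thread-exhaustion condition) or, with a write timeout, gives up so the connection can be closed. `ConnectionWindow`, `serve_response` and `simulate` are hypothetical names; the 65,535-byte initial window is the HTTP/2 default.

```python
import threading
import time
from typing import Optional

# HTTP/2 initial flow-control window for stream 0 (the connection window).
INITIAL_CONNECTION_WINDOW = 65_535


class ConnectionWindow:
    """Server-side view of the connection-level send window (hypothetical model)."""

    def __init__(self, write_timeout: Optional[float]):
        self._window = INITIAL_CONNECTION_WINDOW
        self._cv = threading.Condition()
        self._write_timeout = write_timeout  # None reproduces the unbounded block

    def window_update(self, increment: int) -> None:
        # Called when the client sends WINDOW_UPDATE on stream 0.
        with self._cv:
            self._window += increment
            self._cv.notify_all()

    def reserve(self, nbytes: int) -> bool:
        """Reserve credit before writing a DATA frame. Returns False when the client
        has exhausted the window and sent no WINDOW_UPDATE within the write timeout."""
        deadline = None if self._write_timeout is None else time.monotonic() + self._write_timeout
        with self._cv:
            while self._window < nbytes:
                remaining = None if deadline is None else deadline - time.monotonic()
                if remaining is not None and remaining <= 0:
                    return False  # hardened behaviour: stop waiting, let the caller close
                self._cv.wait(remaining)  # with no timeout this thread blocks forever
            self._window -= nbytes
            return True


def serve_response(window: ConnectionWindow, body_len: int, frame_size: int = 16_384) -> str:
    """Write body_len bytes as DATA frames; 'sent' or 'timed out' (the starved-write case)."""
    remaining = body_len
    while remaining > 0:
        chunk = min(frame_size, remaining)
        if not window.reserve(chunk):
            return "timed out"
        remaining -= chunk
    return "sent"


def simulate(client_sends_window_update: bool, write_timeout: float = 0.2) -> str:
    """Constructed scenario: the server writes 100,000 bytes, more than the initial window.
    A well-behaved client replenishes the window shortly after; a misbehaving one never does."""
    window = ConnectionWindow(write_timeout)
    if client_sends_window_update:
        threading.Timer(0.05, window.window_update, args=(100_000,)).start()
    return serve_response(window, 100_000)
```

Running `simulate(False, write_timeout=None)` would hang the calling thread, which is exactly the resource a client could tie up per connection; the timeout variant is what bounds that exposure.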