Hello,

I presume this only affects setups using AJP connectors - right?


Thanks
George


On Wed, 21 Jun 2023 at 13:21, Mark Thomas <ma...@apache.org> wrote:

> CVE-2023-34981 Apache Tomcat - Information disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 11.0.0-M5
> Apache Tomcat 10.1.8
> Apache Tomcat 9.0.74
> Apache Tomcat 8.5.88
>
> Description:
> The fix for bug 66512 introduced a regression that was fixed as bug
> 66591. The regression meant that, if a response did not have any HTTP
> headers set, no AJP SEND_HEADERS message would be sent which in turn
> meant that at least one AJP based proxy (mod_proxy_ajp) would use the
> response headers from the previous request for the current request
> leading to an information leak.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 11.0.0-M6 or later
> - Upgrade to Apache Tomcat 10.1.9 or later
> - Upgrade to Apache Tomcat 9.0.75 or later
> - Upgrade to Apache Tomcat 8.5.89 or later
>
> Credit:
> Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc.
>
> History:
> 2023-06-21 Original advisory
>
> References:
> [1] https://tomcat.apache.org/security-11.html
> [2] https://tomcat.apache.org/security-10.html
> [3] https://tomcat.apache.org/security-9.html
> [4] https://tomcat.apache.org/security-8.html
> [5] https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
> [6] https://bz.apache.org/bugzilla/show_bug.cgi?id=66591
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
