[ASA-202006-16] tomcat8: denial of service
foxboron at archlinux.org
Tue Jun 30 20:33:13 UTC 2020
Arch Linux Security Advisory ASA-202006-16
Date : 2020-06-28
CVE-ID : CVE-2020-11996
Package : tomcat8
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1197
The package tomcat8 before version 8.5.56-1 is vulnerable to denial of
Upgrade to 8.5.56-1.
# pacman -Syu "tomcat8>=8.5.56-1"
The problem has been fixed upstream in version 8.5.56.
A denial of service has been found in Apache Tomcat before 9.0.36 and
8.5.56, where a specially crafted sequence of HTTP/2 requests could
trigger high CPU usage for several seconds. If a sufficient number of
such requests were made on concurrent HTTP/2 connections, the server
could become unresponsive.
A remote attacker might be able to cause a denial of service via a
specially crafted sequence of HTTP/2 requests.