Author: markt
Date: Thu Jun 20 19:20:22 2019
New Revision: 1861711

URL: http://svn.apache.org/viewvc?rev=1861711&view=rev
Log:
Add CVE-2019-10072

Modified:
    tomcat/site/trunk/docs/security-8.html
    tomcat/site/trunk/docs/security-9.html
    tomcat/site/trunk/xdocs/security-8.xml
    tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-8.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1861711&r1=1861710&r2=1861711&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Thu Jun 20 19:20:22 2019
@@ -216,6 +216,9 @@
 <a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x 
vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_8.5.41">Fixed in Apache Tomcat 8.5.41</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_8.5.40">Fixed in Apache Tomcat 8.5.40</a>
 </li>
 <li>
@@ -381,6 +384,39 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_8.5.41">
+<span class="pull-right">13 May 2019</span> Fixed in Apache Tomcat 8.5.41</h3>
+<div class="text">
+
+    
+<p>
+<strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072"; 
rel="nofollow">CVE-2019-10072</a>
+</p>
+
+    
+<p>The fix for <a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199"; 
rel="nofollow">CVE-2019-0199</a> was incomplete and did not address
+       HTTP/2 connection window exhaustion on write. By not sending
+       WINDOW_UPDATE messages for the connection window (stream 0) clients were
+       able to cause server-side threads to block eventually leading to thread
+       exhaustion and a DoS.</p>
+
+    
+<p>This was fixed with commits
+       <a href="https://github.com/apache/tomcat/commit/0bcd69c";>0bcd69c</a> 
and
+       <a 
href="https://github.com/apache/tomcat/commit/8d14c6f";>8d14c6f</a>.</p>
+
+    
+<p>This issue was reported to the Apache Tomcat Security Team by John
+       Simpson of Trend Micro Security Research working with Trend Micro's Zero
+       Day Initiative on 26 April 2019. The issue was made public on 20 June
+       2019.</p>
+
+    
+<p>Affects: 8.5.0 to 8.5.40</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_8.5.40">
 <span class="pull-right">12 April 2019</span> Fixed in Apache Tomcat 
8.5.40</h3>
 <div class="text">
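Review bot: the last sentence of the description, `clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS`, needs a comma after `block` so the thread exhaustion reads as the consequence of the blocked threads rather than as a list: `to block, eventually leading to thread exhaustion and a DoS.` The same paragraph says the earlier fix `did not address HTTP/2 connection window exhaustion on write` but not whether any connector setting bounds the impact or whether a workaround short of upgrading exists; one sentence on that would help operators triaging 8.5.0 to 8.5.40 deployments. Separately, the rendered `href` attributes in this hunk show a stray `;` after the closing quote (`...CVE-2019-10072";`); if that is in the generated file rather than introduced by the mail archive, the generator output should be checked.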

Modified: tomcat/site/trunk/docs/security-9.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1861711&r1=1861710&r2=1861711&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Thu Jun 20 19:20:22 2019
@@ -216,6 +216,9 @@
 <a href="#Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x 
vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_9.0.20">Fixed in Apache Tomcat 9.0.20</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_9.0.19">Fixed in Apache Tomcat 9.0.19</a>
 </li>
 <li>
@@ -321,6 +324,39 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_9.0.20">
+<span class="pull-right">13 May 2019</span> Fixed in Apache Tomcat 9.0.20</h3>
+<div class="text">
+
+    
+<p>
+<strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072"; 
rel="nofollow">CVE-2019-10072</a>
+</p>
+
+    
+<p>The fix for <a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199"; 
rel="nofollow">CVE-2019-0199</a> was incomplete and did not address
+       HTTP/2 connection window exhaustion on write. By not sending
+       WINDOW_UPDATE messages for the connection window (stream 0) clients were
+       able to cause server-side threads to block eventually leading to thread
+       exhaustion and a DoS.</p>
+
+    
+<p>This was fixed with commits
+       <a href="https://github.com/apache/tomcat/commit/7f748eb";>7f748eb</a> 
and
+       <a 
href="https://github.com/apache/tomcat/commit/ada725a";>ada725a</a>.</p>
+
+    
+<p>This issue was reported to the Apache Tomcat Security Team by John
+       Simpson of Trend Micro Security Research working with Trend Micro's Zero
+       Day Initiative on 26 April 2019. The issue was made public on 20 June
+       2019.</p>
+
+    
+<p>Affects: 9.0.0.M1 to 9.0.19</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_9.0.19">
 <span class="pull-right">13 April 2019</span> Fixed in Apache Tomcat 
9.0.19</h3>
 <div class="text">
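Review bot: the commit links use 7-character abbreviated hashes in both the `href` and the link text (`https://github.com/apache/tomcat/commit/7f748eb`); abbreviated hashes can become ambiguous as the repository grows, so the `href` should carry the full SHA while the visible text keeps the short form. Apart from the hashes and `Affects: 9.0.0.M1 to 9.0.19`, the entry repeats the 8.5.41 text word for word, which is the expected shape for a CVE shared across branches.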

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1861711&r1=1861710&r2=1861711&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Thu Jun 20 19:20:22 2019
@@ -50,6 +50,30 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 8.5.41" rtext="13 May 2019">
+
+    <p><strong>Important: Denial of Service</strong>
+       <cve>CVE-2019-10072</cve></p>
+
+    <p>The fix for <cve>CVE-2019-0199</cve> was incomplete and did not address
+       HTTP/2 connection window exhaustion on write. By not sending
+       WINDOW_UPDATE messages for the connection window (stream 0) clients were
+       able to cause server-side threads to block eventually leading to thread
+       exhaustion and a DoS.</p>
+
+    <p>This was fixed with commits
+       <hashlink hash="0bcd69c">0bcd69c</hashlink> and
+       <hashlink hash="8d14c6f">8d14c6f</hashlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by John
+       Simpson of Trend Micro Security Research working with Trend Micro's Zero
+       Day Initiative on 26 April 2019. The issue was made public on 20 June
+       2019.</p>
+
+    <p>Affects: 8.5.0 to 8.5.40</p>
+
+  </section>
+  
   <section name="Fixed in Apache Tomcat 8.5.40" rtext="12 April 2019">
 
     <p><strong>Important: Remote Code Execution on Windows</strong>
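Review bot: the separator line added after `</section>` (the `+  ` line before `<section name="Fixed in Apache Tomcat 8.5.40"`) contains only two spaces while the other blank lines in this hunk are empty; strip the trailing whitespace. The `<hashlink hash="0bcd69c">` and `<hashlink hash="8d14c6f">` elements carry only 7-character hashes, which is what yields the abbreviated GitHub links in the generated security-8.html; if the `hashlink` template supports it, putting the full SHA in the `hash` attribute would make the generated links unambiguous.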

Modified: tomcat/site/trunk/xdocs/security-9.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1861711&r1=1861710&r2=1861711&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Thu Jun 20 19:20:22 2019
@@ -50,6 +50,30 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 9.0.20" rtext="13 May 2019">
+
+    <p><strong>Important: Denial of Service</strong>
+       <cve>CVE-2019-10072</cve></p>
+
+    <p>The fix for <cve>CVE-2019-0199</cve> was incomplete and did not address
+       HTTP/2 connection window exhaustion on write. By not sending
+       WINDOW_UPDATE messages for the connection window (stream 0) clients were
+       able to cause server-side threads to block eventually leading to thread
+       exhaustion and a DoS.</p>
+
+    <p>This was fixed with commits
+       <hashlink hash="7f748eb">7f748eb</hashlink> and
+       <hashlink hash="ada725a">ada725a</hashlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by John
+       Simpson of Trend Micro Security Research working with Trend Micro's Zero
+       Day Initiative on 26 April 2019. The issue was made public on 20 June
+       2019.</p>
+
+    <p>Affects: 9.0.0.M1 to 9.0.19</p>
+
+  </section>
+  
   <section name="Fixed in Apache Tomcat 9.0.19" rtext="13 April 2019">
 
     <p><i>Note: The issues below were fixed in Apache Tomcat 9.0.18 but the
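Review bot: same trailing whitespace on the separator line after `</section>` (the `+  ` line before `<section name="Fixed in Apache Tomcat 9.0.19"`) as in security-8.xml; strip it so the blank lines match the rest of the file.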


