Due to the current gap in continued funding from the U.S. National Science Foundation (NSF), the NSF Unidata Program Center has temporarily paused most operations. See NSF Unidata Pause in Most Operations for details.
Hello all, Two new high-level CVEs were just issued for Tomcat (CVE-2024-24549 & CVE-2024-23672). Please make sure you are running the latest version. ---------- Forwarded message --------- From: Mark Thomas <markt@xxxxxxxxxx> Date: Wed, Mar 13, 2024 at 9:46 AM Subject: [SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service To: users@xxxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxxx> Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx < announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx> CVE-2024-24549 Apache Tomcat - Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M16 Apache Tomcat 10.1.0-M1 to 10.1.18 Apache Tomcat 9.0.0-M1 to 9.0.85 Apache Tomcat 8.5.0 to 8.5.98 Description: When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0-M17 or later - Upgrade to Apache Tomcat 10.1.19 or later - Upgrade to Apache Tomcat 9.0.86 or later - Upgrade to Apache Tomcat 8.5.99 or later Credit: This vulnerability was reported responsibly to the Tomcat security team by Bartek Nowotarski (https://nowotarski.info/). History: 2024-03-13 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html [4] https://tomcat.apache.org/security-8.html -- ------------------------------------------------------------------------------------ Jennifer Oxelson Ganter NSF Unidata Software Engineer IV P.O. Box 3000 oxelson@xxxxxxxx Boulder, CO 80307 ------------------------------------------------------------------------------------
thredds
archives: