If you are running a version of Tomcat that is several revs behind the latest release, this will apply to you.

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Mon, Sep 23, 2024 at 6:57 AM
Subject: [SECURITY] CVE-2024-38286 Apache Tomcat - Denial of Service
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>

CVE-2024-38286 Apache Tomcat - Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M20
Apache Tomcat 10.1.0-M1 to 10.1.24
Apache Tomcat 9.0.13 to 9.0.89

Description:
Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M21 or later
- Upgrade to Apache Tomcat 10.1.25 or later
- Upgrade to Apache Tomcat 9.0.90 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team by Ozaki, North Grid Corporation

History:
2024-07-03 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html

--
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter
NSF Unidata Software Engineer IV
P.O. Box 3000
oxelson@xxxxxxxx
Boulder, CO 80307
------------------------------------------------------------------------------------
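An added example, not part of the original message or of Tomcat: a Python check that places a Tomcat version string against the affected ranges in the advisory above, treating milestone builds (-Mn) as older than the final release of the same number. The host names and inventory are constructed, and a match means the version is in a listed range, not that the vulnerable configuration is in use.

```python
import re

# Affected ranges and first fixed releases, copied from the advisory above.
AFFECTED = [
    ("11.0.0-M1", "11.0.0-M20", "11.0.0-M21"),
    ("10.1.0-M1", "10.1.24", "10.1.25"),
    ("9.0.13", "9.0.89", "9.0.90"),
]
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text):
    """Turn '9.0.89', '11.0.0-M20' or 'Apache Tomcat/10.1.24' into a sortable key."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    milestone = match.group(4)
    # A milestone (-Mn) sorts before the final release with the same number.
    stage = (0, int(milestone)) if milestone else (1, 0)
    return (major, minor, patch) + stage


def check(version_text):
    """Return (in_affected_range, first_fixed_release_or_None)."""
    key = parse_version(version_text)
    for low, high, fixed in AFFECTED:
        if parse_version(low) <= key <= parse_version(high):
            return True, fixed
    # Outside the listed ranges only; the advisory says nothing about other lines.
    return False, None


def triage(inventory):
    """Map each host whose version is in an affected range to its upgrade target."""
    return {host: fixed for host, version in inventory.items()
            for hit, fixed in [check(version)] if hit}


# Constructed inventory (hypothetical host names), not data from the page.
SAMPLE_INVENTORY = {
    "tds-prod": "Apache Tomcat/9.0.89",
    "tds-test": "10.1.0",
    "tds-dev": "11.0.0-M21",
    "tds-old": "9.0.12",
}

if __name__ == "__main__":
    for host, fixed in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {fixed} or later")
```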