Skip to content

Update from debian/buster for apertis/v2021-updates

Apertis CI robot requested to merge proposed-updates/debian/buster/434c99f8 into apertis/v2021-updates

tomcat9 (9.0.31-1~deb10u3) buster-security; urgency=medium

  • Fixed CVE-2020-13943: HTTP/2 request mix-up. If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
  • Fixed CVE-2020-17527: HTTP/2 request header mix-up. It was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Merge request reports

Apertis Website Terms of Use Privacy Policy