[thredds] Fwd: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Mon, 1 Mar 2021 09:14:37 -0700
Hello all,

A couple of new CVEs were issued for Tomcat, including one with a severity
designation of 'important' (see below).  Please be sure to keep your Tomcat
installations up-to-date with the most current version available.

Cheers,
Jennifer

CVE-2021-25122 h2c request mix-up
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0
> Apache Tomcat 9.0.0.M1 to 9.0.41
> Apache Tomcat 8.5.0 to 8.5.61
> Description:
> When responding to new h2c connection requests, Apache Tomcat could
> duplicate request headers and a limited amount of request body from one
> request to another meaning user A and user B could both see the results
> of user A's request.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.2 or later
> - Upgrade to Apache Tomcat 9.0.43 or later
> - Upgrade to Apache Tomcat 8.5.63 or later
> Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62, but the release
> votes for those versions did not pass.
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
> History:
> 2021-03-01 Original advisory
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
> [4] https://tomcat.apache.org/security-7.html
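The advisory gives three inclusive version ranges, two of which begin at a milestone build (10.0.0-M1, 9.0.0.M1), so a naive string or float comparison gets the edge cases wrong. The following is an added example, not part of the original message or of the Tomcat project, that parses Tomcat version strings including milestone suffixes, tests them against exactly the ranges listed above, and reports the upgrade target the advisory recommends for that branch. The `version_from_version_sh_output` helper assumes the "Server version: Apache Tomcat/x.y.z" line printed by Tomcat's `bin/version.sh`; the sample output it is run against is constructed here for illustration.

```python
import re
from typing import NamedTuple, Optional


class TomcatVersion(NamedTuple):
    """Sortable representation: milestones sort before the GA build of the same x.y.z."""
    major: int
    minor: int
    patch: int
    final: int      # 1 for a GA release, 0 for a milestone (so M-builds sort first)
    milestone: int  # milestone number, 0 for GA


# Accepts "9.0.41", "10.0.0-M1" and the older dotted milestone form "9.0.0.M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> TomcatVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(milestone))


# Affected ranges exactly as stated in the advisory, inclusive at both ends.
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0"),
    ("9.0.0.M1", "9.0.41"),
    ("8.5.0", "8.5.61"),
]

# First release on each branch that the advisory tells users to upgrade to
# (10.0.1, 9.0.42 and 8.5.62 contained the fix but their release votes failed).
FIXED_IN = {(10, 0): "10.0.2", (9, 0): "9.0.43", (8, 5): "8.5.63"}


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Upgrade target for the version's branch, or None if the branch is not listed."""
    v = parse_version(version)
    return FIXED_IN.get((v.major, v.minor))


def assess(version: str) -> str:
    if is_affected(version):
        return f"Apache Tomcat {version}: AFFECTED by CVE-2021-25122, upgrade to {recommended_upgrade(version)} or later"
    return f"Apache Tomcat {version}: not in an affected range listed by the advisory"


# Assumption: bin/version.sh prints a line of the form "Server version: Apache Tomcat/9.0.41".
_SERVER_VERSION_RE = re.compile(r"^Server version:\s*Apache Tomcat/(\S+)\s*$", re.MULTILINE)


def version_from_version_sh_output(text: str) -> str:
    m = _SERVER_VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Server version: Apache Tomcat/...' line found")
    return m.group(1)


# Constructed sample of version.sh output, not captured from a real host.
SAMPLE_VERSION_SH_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/9.0.41
Server built:   Dec 3 2020 12:00:00 UTC
Server number:  9.0.41.0
OS Name:        Linux
"""

if __name__ == "__main__":
    for candidate in ("10.0.0-M1", "10.0.0", "10.0.2", "9.0.0.M1", "9.0.41", "9.0.43", "8.5.61", "8.5.63", "7.0.108"):
        print(assess(candidate))
    print(assess(version_from_version_sh_output(SAMPLE_VERSION_SH_OUTPUT)))
```

Run `bin/version.sh` on each host (or inspect the Tomcat banner in `catalina.out`) and feed the reported version to `assess`; a version such as 9.0.42 is correctly reported as outside the affected range even though no such release ever shipped, so treat the upgrade targets in `FIXED_IN` as the versions to actually install. Note also that Tomcat 7 is not listed in the advisory, so the check reports it as not affected rather than as patched.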