{"id":"MGASA-2019-0260","summary":"Updated tomcat packages fix security vulnerabilities","details":"Updated tomcat packages fix security vulnerabilities:\n\nThe HTTP/2 implementation accepted streams with excessive numbers of\nSETTINGS frames and also permitted clients to keep streams open without\nreading/writing request/response data. By keeping streams open for\nrequests that utilised the Servlet API's blocking I/O, clients were able\nto cause server-side threads to block eventually leading to thread\nexhaustion and a DoS (CVE-2019-0199).\n\nThe SSI printenv command echoes user provided data without escaping and\nis, therefore, vulnerable to XSS. SSI is disabled by default. The printenv\ncommand is intended for debugging and is unlikely to be present in a\nproduction website (CVE-2019-0221).\n\nThe fix for CVE-2019-0199 was incomplete and did not address HTTP/2\nconnection window exhaustion on write. By not sending WINDOW_UPDATE\nmessages for the connection window (stream 0) clients were able to cause\nserver-side threads to block eventually leading to thread exhaustion and\na DoS (CVE-2019-10072).\n\nThe tomcat package has been updated to version 9.0.21 to fix these issues.\nThe tomcat-native package has also been updated to version 1.2.23.\n","modified":"2026-04-16T00:11:09.363566620Z","published":"2019-09-08T14:09:05Z","upstream":["CVE-2019-0199","CVE-2019-0221","CVE-2019-10072"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0260.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=24799"},{"type":"WEB","url":"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.16"},{"type":"WEB","url":"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.19"},{"type":"WEB","url":"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20"},{"type":"WEB","url":"https://tomcat.apache.org/native-doc/miscellaneous/changelog.html"}],"affected":[{"package":{"name":"tomcat","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/tomcat?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.21-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0260.json"}},{"package":{"name":"tomcat-native","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/tomcat-native?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.23-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0260.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}