Description: The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Mitigation: Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.1.0-M6 or later
- Upgrade to Apache Tomcat 10.0.12 or later
- Upgrade to Apache Tomcat 9.0.54 or later
- Upgrade to Apache Tomcat 8.5.72 or later
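As an added illustration (not part of this bug report or of Tomcat), the check below takes a Tomcat version string and reports whether it is at or beyond the first fixed release on its branch, as listed in the mitigation above; the milestone handling matters because 10.1.0-M6 sorts before the final 10.1.0. It only answers "is the fix present", not "is this build affected": releases that predate the bug 63362 fix never had the leak, and the advisory text here does not say where each branch's affected range begins.

```python
"""Compare a Tomcat version against the fixed releases named in the advisory.

Constructed example: the FIXED table is taken from the mitigation list
(10.1.0-M6, 10.0.12, 9.0.54, 8.5.72). Branches not in the table are outside
the advisory's scope and are reported as None rather than guessed at.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, Optional[int]]  # major, minor, patch, milestone

# First release carrying the fix on each affected branch (from the advisory).
FIXED = {
    (10, 1): (10, 1, 0, 6),     # 10.1.0-M6: milestone 6 of 10.1.0
    (10, 0): (10, 0, 12, None),
    (9, 0): (9, 0, 54, None),
    (8, 5): (8, 5, 72, None),
}

# Accepts "9.0.54" and milestone builds such as "10.1.0-M6".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else None)


def _sort_key(v: Version):
    major, minor, patch, milestone = v
    # A milestone precedes the final release of the same x.y.z, so the final
    # release gets a sentinel larger than any milestone number.
    return (major, minor, patch,
            milestone if milestone is not None else float("inf"))


def is_fixed(text: str) -> Optional[bool]:
    """True if `text` is at/after the fixed release on its branch, False if
    earlier, None if the branch is not covered by this advisory."""
    v = parse_version(text)
    branch = (v[0], v[1])
    if branch not in FIXED:
        return None
    return _sort_key(v) >= _sort_key(FIXED[branch])


if __name__ == "__main__":
    for candidate in ("9.0.53", "9.0.54", "10.1.0-M5", "10.1.0-M6", "7.0.109"):
        print(candidate, "->", is_fixed(candidate))
```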
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a50a82307a43905f0f663dfa0c3e7e024c875dac

commit a50a82307a43905f0f663dfa0c3e7e024c875dac
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-10-14 16:23:21 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-10-14 16:24:24 +0000

    www-servers/tomcat: removed security affected versions

    Bug: https://bugs.gentoo.org/818160
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest              |   5 -
 www-servers/tomcat/tomcat-10.0.10.ebuild | 192 -------------------------------
 www-servers/tomcat/tomcat-10.0.11.ebuild | 192 -------------------------------
 www-servers/tomcat/tomcat-8.5.71.ebuild  | 159 -------------------------
 www-servers/tomcat/tomcat-9.0.52.ebuild  | 187 ------------------------------
 www-servers/tomcat/tomcat-9.0.53.ebuild  | 187 ------------------------------
 6 files changed, 922 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=060de4ace6f2d732b38df20f2c871b860314c061

commit 060de4ace6f2d732b38df20f2c871b860314c061
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-10-14 18:08:09 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-10-14 18:08:09 +0000

    www-servers/tomcat: removed security affected version

    Bug: https://bugs.gentoo.org/818160
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 -
 www-servers/tomcat/tomcat-8.5.70.ebuild | 159 --------------------------------
 2 files changed, 160 deletions(-)
All affected versions are gone now. You can proceed. (The stabilization bug is still open, on purpose, as I also used it to stabilize related tomcat-servlet-api versions.)
Thanks!
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4afff138b8507c9b0b4fdbebda4c8d1935d6238

commit a4afff138b8507c9b0b4fdbebda4c8d1935d6238
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-21 01:35:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-21 01:40:47 +0000

    [ GLSA 202208-34 ] Apache Tomcat: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/773571
    Bug: https://bugs.gentoo.org/801916
    Bug: https://bugs.gentoo.org/818160
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-34.xml | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
GLSA released, all done!