[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7ff6a9b1-2c7d-4fd0-9fdc-b079ff3f3556@apache.org>
Date: Wed, 13 Aug 2025 13:40:58 +0100
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-48989: Apache Tomcat: h2 DoS - Made You Reset
Severity: important
Affected versions:
- Apache Tomcat 11.0.0-M1 through 11.0.9
- Apache Tomcat 10.1.0-M1 through 10.1.43
- Apache Tomcat 9.0.0.M1 through 9.0.107
- Apache Tomcat 8.5.0 through 8.5.100 unknown
Description:
Improper Resource Shutdown or Release vulnerability in Apache Tomcat
made Tomcat vulnerable to the made you reset attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from
10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL
versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or
9.0.108 which fix the issue.
Credit:
Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University
(finder)
References:
https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-48989
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
