This update for tomcat fixes the following issues:
- CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386)
- CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385)
Other fixes:
- Update to Tomcat 9.0.87
- Catalina
- Fix: Minor performance improvement for building filter chains. Based
on ideas from #702 by Luke Miao. (remm)
- Fix: Align error handling for Writer and OutputStream. Ensure use of
either once the response has been recycled triggers a
NullPointerException provided that discardFacades is configured with
the default value of true. (markt)
- Fix: 68692: The standard thread pool implementations that are configured
using the Executor element now implement ExecutorService for better
support NIO2. (remm)
- Fix: 68495: When restoring a saved POST request after a successful FORM
authentication, ensure that neither the URI, the query string nor the
protocol are corrupted when restoring the request body. (markt)
- Fix: 68721: Workaround a possible cause of duplicate class definitions
when using ClassFileTransformers and the transformation of a class also
triggers the loading of the same class. (markt)
- Fix: The rewrite valve should not do a rewrite if the output is
identical to the input. (remm)
- Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to
allow skipping over the next valve in the Catalina pipeline. (remm)
- Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by
removing reference to org.apache.catalina.ssi package that is no longer
included in the JAR. Based on pull request #684 by Jendrik Johannes.
(markt)
- Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences
are correctly removed from files containing property values when
configured to do...