CVE-2019-0199 (retired)

Priority
Description
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to
8.5.37 accepted streams with excessive numbers of SETTINGS frames and also
permitted clients to keep streams open without reading/writing
request/response data. By keeping streams open for requests that utilised
the Servlet API's blocking I/O, clients were able to cause server-side
threads to block, eventually leading to thread exhaustion and a DoS.
Notes
Package
Upstream: released (8.5.38-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): released (8.5.39-1ubuntu1~18.04.1)
Ubuntu 19.04 (Disco Dingo): DNE
Package
Upstream: released (9.0.16-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (9.0.16-3~18.04.1)
Ubuntu 19.04 (Disco Dingo): not-affected (9.0.16-3)
More Information

Updated: 2019-10-09 08:04:51 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)