A denial of service (DoS) vulnerability present in the Apache Tomcat package arises from an incomplete cleanup process. Specifically, WebSocket clients can perpetuate WebSocket connections without proper termination, thereby causing a sustained drain on system resources. This vulnerability facilitates the exploitation of Apache Tomcat servers, leading to a scenario where excessive resource consumption occurs due to the prolonged existence of these open WebSocket connections. As a consequence, the server's performance may degrade significantly, resulting in potential service disruption or unresponsiveness.

A vulnerability was found in the Tomcat package due to its handling of HTTP/2 requests. Specifically, when an HTTP/2 request surpasses the predetermined limits for headers configured within the server, the associated HTTP/2 stream isn't reset immediately. Instead, the reset action occurs only after all the headers within the request have been processed. This lapse in resetting the stream exposes the system to potential risks, as it allows malicious actors to exploit the delay in stream reset to carry out various attacks, such as header manipulation or resource exhaustion. Bug Fixes: * Rebase tomcat to version 9.0.87. * Amend tomcat package's changelog so that fixed CVEs are mentioned explicitly.