The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy (mod_proxy_ajp) would use the response headers from the previous request for the current request leading to an information leak. This was fixed with commit 2214c803. This issue was reported to the Tomcat Security Team on 24 May 2023. The issue was made public on 21 June 2023. Affects: 8.5.88
Created tomcat tracking bugs for this issue: Affects: fedora-37 [bug 2216886] Affects: fedora-38 [bug 2216887]