The simplified implementation of blocking reads and writes introduced in
Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a
long-standing (but extremely hard to trigger) concurrency bug in Apache
Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60
and 8.5.0 to 8.5.77 that could cause client connections to share an
Http11Processor instance, resulting in responses, or part responses,
being received by the wrong client.

Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for
discovering the issue and working with the Tomcat security team to
identify the root cause and appropriate fix.

Created tomcat tracking bugs for this issue:
Affects: epel-all [bug 2133649]
Affects: fedora-all [bug 2133650]