Apache has issued an advisory today (October 12):
The issue is fixed upstream in 9.0.38.
Mageia 7 is also affected.

Done for both Cauldron and mga7!

Updated tomcat packages fix security vulnerability:
If an HTTP/2 client exceeded the agreed maximum number of concurrent streams
for a connection (in violation of the HTTP/2 protocol), it was possible that a
subsequent request made on that connection could contain HTTP headers -
including HTTP/2 pseudo headers - from a previous request rather than the
intended headers. This could lead to users seeing responses for unexpected

Updated packages in core/updates_testing: