CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484

[Mark Thomas <markt () apache org>]

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 
10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 
7.0.107 with a configuration edge case that was highly unlikely to be 
used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note 
that both the previously published prerequisites for CVE-2020-9484 and 
the previously published mitigations for CVE-2020-9484 also apply to 
this issue.

Credit:

This issue was identified by Trung Pham of Viettel Cyber Security.

References:

https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E