Bug#785312: tomcat6: CVE-2014-0227: HTTP request smuggling or DoS by streaming malformed data

Santiago Ruano Rincón santiagorr at riseup.net
Thu May 14 14:48:23 UTC 2015


Source: tomcat6
Version: 6.0.35-6+deb7u1
Severity: important
Tags: security patch upstream fixed-upstream

Hi there,

The following vulnerability affects current tomcat 6.x in squeeze and wheezy.

According to CVE-2014-0227 [cve], "Apache Tomcat 6.x before 6.0.42, 7.x before
7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue
reading data after an error has occurred, which allows remote attackers to
conduct HTTP request smuggling attacks or cause a denial of service (resource
consumption) by streaming data with malformed chunked transfer coding".

I have prepared the attached patch, based on [fix].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

[cve] https://security-tracker.debian.org/tracker/CVE-2014-0227
[fix] https://svn.apache.org/viewvc?view=revision&revision=1603628

Please adjust the affected versions in the BTS as needed.

Cheers,

Santiago
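The CVE text above describes a fail-open parser: after a chunked-coding error, Tomcat kept reading from the same connection, so leftover bytes could be taken as the start of a new request (smuggling) or the server could be kept busy consuming malformed data (DoS). The following Python is an added example, not Tomcat's code and not the attached patch; it shows the fail-closed behaviour a chunked-body reader should have. The `ChunkedReader` class, the `ChunkedCodingError` exception and the `GOOD`/`BAD` byte strings are all constructed for this illustration.

```python
"""Fail-closed decoding of HTTP/1.1 chunked transfer coding.

Added example (not Tomcat's code, not the patch attached to this report).
Once a chunked body is found to be malformed, the reader refuses any further
reads on that connection: the offset at which "the next request" would start
is no longer trustworthy, and continuing to parse is what makes smuggling and
resource-consumption attacks possible. All sample inputs are constructed.
"""
from dataclasses import dataclass, field


class ChunkedCodingError(Exception):
    """Raised for a malformed chunk; the connection must then be closed."""


@dataclass
class ChunkedReader:
    data: bytes                      # bytes received on the connection so far
    pos: int = 0                     # current read offset into data
    poisoned: bool = False           # set permanently after any coding error
    body: bytearray = field(default_factory=bytearray)

    def _read_line(self) -> bytes:
        """Return the next CRLF-terminated line (without the CRLF)."""
        end = self.data.find(b"\r\n", self.pos)
        if end < 0:
            raise ChunkedCodingError("line not terminated by CRLF")
        line = self.data[self.pos:end]
        self.pos = end + 2
        return line

    def read_body(self, max_body: int = 1 << 20) -> bytes:
        """Decode one chunked body. Any error poisons the reader for good."""
        if self.poisoned:
            raise ChunkedCodingError("connection already in error state")
        try:
            while True:
                # chunk-size [; chunk-ext] CRLF
                size_line = self._read_line().split(b";", 1)[0].strip()
                if not size_line or len(size_line) > 8:
                    raise ChunkedCodingError("bad chunk-size length")
                try:
                    size = int(size_line, 16)
                except ValueError:
                    raise ChunkedCodingError("chunk-size is not hexadecimal") from None
                if size == 0:
                    # last-chunk: consume optional trailer lines up to the empty line
                    while self._read_line():
                        pass
                    return bytes(self.body)
                if len(self.body) + size > max_body:
                    raise ChunkedCodingError("body exceeds configured limit")
                chunk = self.data[self.pos:self.pos + size]
                if len(chunk) < size:
                    raise ChunkedCodingError("truncated chunk data")
                self.pos += size
                if self.data[self.pos:self.pos + 2] != b"\r\n":
                    raise ChunkedCodingError("chunk data not followed by CRLF")
                self.pos += 2
                self.body += chunk
        except ChunkedCodingError:
            self.poisoned = True   # never resume reading on this connection
            raise

    def next_request_start(self) -> int:
        """Offset at which the next request on this connection would begin."""
        if self.poisoned:
            raise ChunkedCodingError("cannot reuse connection after coding error")
        return self.pos


# Constructed sample connections: a well-formed body followed by a second
# request line, and the same stream with one chunk-size line that is not hex.
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\nGET /next HTTP/1.1\r\n"
BAD = b"4\r\nWiki\r\nzz\r\npedia\r\n0\r\n\r\nGET /next HTTP/1.1\r\n"


def demo_good():
    """Well-formed body: decoded payload and a trustworthy next-request offset."""
    r = ChunkedReader(GOOD)
    body = r.read_body()
    return body, r.next_request_start()


def demo_bad():
    """Malformed body: the reader refuses to hand out a next-request offset."""
    r = ChunkedReader(BAD)
    try:
        r.read_body()
    except ChunkedCodingError:
        pass
    try:
        r.next_request_start()
        return "reused"
    except ChunkedCodingError:
        return "closed"   # caller must drop the socket instead of continuing


if __name__ == "__main__":
    print(demo_good())   # (b'Wikipedia', 24)
    print(demo_bad())    # closed
```

The `poisoned` flag is the whole point: a single flag checked on every entry path is easier to audit than trying to resynchronise the stream after an error, and it also bounds the work done on a stream of garbage, which addresses the resource-consumption half of the CVE description.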
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2014-0227.patch
Type: text/x-diff
Size: 14891 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20150514/5affc45f/attachment.patch>