[arch-security] [ASA-201505-8] tomcat6: denial of service
Arch Linux Security Advisory ASA-201505-8
=========================================

Severity: Low
Date    : 2015-05-13
CVE-ID  : CVE-2014-0230
Package : tomcat6
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package tomcat6 before version 6.0.44-1 is vulnerable to remote denial of service.

Resolution
==========

Upgrade to 6.0.44-1.

# pacman -Syu "tomcat6>=6.0.44-1"

The problem has been fixed upstream in version 6.0.44.

Workaround
==========

None.

Description
===========

When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.

Impact
======

A remote attacker can cause a denial of service by preventing a large number of connections from being closed.

References
==========

https://access.redhat.com/security/cve/CVE-2014-0230
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
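The upstream fix in 6.0.44 bounds the swallowed body through the Connector attribute maxSwallowSize (a real Tomcat attribute, not mentioned in the advisory itself; it is ignored by the unpatched 6.0.43 and earlier, so the audit below only means something after the upgrade). This script is an added example, not part of the advisory or of Tomcat, and the server.xml it parses is constructed for illustration: it flags HTTP connectors whose effective swallow limit is unbounded (-1) or above a chosen ceiling.

```python
"""Audit a Tomcat server.xml for HTTP connectors that swallow unbounded request bodies.

Added example; the sample server.xml below is constructed, not taken from any real host.
"""
import xml.etree.ElementTree as ET

# Tomcat's default once the attribute exists (2 MB); a connector without the
# attribute on a patched Tomcat falls back to this value.
DEFAULT_MAX_SWALLOW = 2 * 1024 * 1024

# Constructed sample: one connector relying on the default, one explicitly
# capped, one deliberately unbounded, and one AJP connector (skipped).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxSwallowSize="1048576"/>
    <Connector port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol" maxSwallowSize="-1"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml: str, limit: int = DEFAULT_MAX_SWALLOW):
    """Return one (port, effective_limit, status) tuple per HTTP connector.

    status is "ok" or "default" when the swallow limit is bounded and within
    `limit`, "ABOVE_LIMIT" when bounded but larger than `limit`, and
    "UNBOUNDED" when maxSwallowSize is negative (the pre-6.0.44 behaviour).
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if "HTTP" not in proto.upper():
            continue  # AJP connectors are out of scope for this check
        port = int(conn.get("port"))
        raw = conn.get("maxSwallowSize")
        if raw is None:
            effective = DEFAULT_MAX_SWALLOW
            status = "default" if effective <= limit else "ABOVE_LIMIT"
        else:
            effective = int(raw)
            if effective < 0:
                status = "UNBOUNDED"
            else:
                status = "ok" if effective <= limit else "ABOVE_LIMIT"
        findings.append((port, effective, status))
    return findings
```

Run it against a real server.xml with `audit_connectors(open(path).read())` and treat any "UNBOUNDED" finding as the same exposure this advisory describes.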
Participants: Remi Gacogne