[arch-security] [ASA-201505-8] tomcat6: denial of service
rgacogne at archlinux.org
Wed May 13 11:41:17 UTC 2015
Arch Linux Security Advisory ASA-201505-8
Date : 2015-05-13
CVE-ID : CVE-2014-0230
Package : tomcat6
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package tomcat6 before version 6.0.44-1 is vulnerable to remote
denial of service.
Upgrade to 6.0.44-1.
# pacman -Syu "tomcat6>=6.0.44-1"
The problem has been fixed upstream in version 6.0.44.
When a response for a request with a request body is returned to the
user agent before the request body is fully read, by default Tomcat
swallows the remaining request body so that the next request on the
connection may be processed. There was no limit to the size of request
body that Tomcat would swallow. This permitted a limited Denial of
Service as Tomcat would never close the connection and a processing
thread would remain allocated to the connection.
A remote attacker can cause a denial of service by preventing a large
number of connections from being closed.
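As an added illustration (not Tomcat's code and not part of this advisory), the following Python models the drain-or-close decision described above: after the response has gone out, the unread remainder of the body is discarded only up to a cap, and beyond that the connection is closed so the worker thread is released instead of staying allocated. The upstream fix exposes this cap as the HTTP connector attribute maxSwallowSize (default 2 MB), a detail taken from Tomcat's configuration reference rather than from this advisory; the 1024-byte cap, the chunk size and the sample bodies are constructed for the example, and max_swallow=None reproduces the unlimited pre-6.0.44 behaviour.

```python
import io

# Constructed cap for the demo; Tomcat's fixed releases default maxSwallowSize
# to 2 MB. max_swallow=None models the pre-fix behaviour (no limit at all).
MAX_SWALLOW = 1024


def swallow_remaining(stream, remaining=None, max_swallow=MAX_SWALLOW, chunk=256):
    """Discard unread request-body bytes from `stream` after the response
    was already sent.

    `remaining` is the byte count still unread when Content-Length is known,
    or None for a body of unknown length (e.g. chunked) that is drained to EOF.
    Returns (bytes_discarded, keep_alive); keep_alive is False when the cap
    was exceeded, meaning the caller must close the connection rather than
    leave a worker thread tied up draining an arbitrarily large body.
    """
    if max_swallow is not None and remaining is not None and remaining > max_swallow:
        return 0, False  # known to be too big: do not read any of it
    discarded = 0
    while remaining is None or discarded < remaining:
        want = chunk if remaining is None else min(chunk, remaining - discarded)
        data = stream.read(want)
        if not data:
            break  # EOF reached before the cap: remainder fully drained
        discarded += len(data)
        if max_swallow is not None and discarded > max_swallow:
            return discarded, False  # cap exceeded while draining
    return discarded, True


def finish_request(body, content_length, consumed, max_swallow=MAX_SWALLOW):
    """Simulate a handler that replied after reading `consumed` of a
    `content_length`-byte body (`body` holds the bytes still on the wire;
    content_length=None means the length is unknown).
    Returns the discard count and whether the connection may be reused."""
    stream = io.BytesIO(body)
    remaining = None if content_length is None else content_length - consumed
    if remaining is not None and remaining <= 0:
        return {"discarded": 0, "keep_alive": True}
    discarded, keep_alive = swallow_remaining(stream, remaining, max_swallow)
    return {"discarded": discarded, "keep_alive": keep_alive}


if __name__ == "__main__":
    # Aborted 5000-byte upload with 100 bytes read: unlimited swallowing
    # drains all of it and keeps the thread busy, the capped version closes.
    print(finish_request(b"x" * 4900, 5000, 100, max_swallow=None))
    print(finish_request(b"x" * 4900, 5000, 100))
```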