[Secure-testing-team] Bug#588813: CVE-2010-2227: DoS and information disclosure
Moritz Muehlenhoff
jmm at inutil.org
Mon Jul 12 15:21:42 UTC 2010
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole
Please see
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28
Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227
Several flaws in the handling of the 'Transfer-Encoding' header were
found that prevented the recycling of a buffer. A remote attacker
could trigger this flaw which would cause subsequent requests to fail
and/or information to leak between requests. This flaw is mitigated if
Tomcat is behind a reverse proxy (such as Apache httpd 2.2) as the
proxy should reject the invalid transfer encoding header.
This was fixed in revision 958977.
Cheers,
Moritz
-- System Information:
Debian Release: 5.0.5
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
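The advisory above notes that the flaw is mitigated when a reverse proxy in front of Tomcat rejects invalid 'Transfer-Encoding' headers. As an added example (not code from this report, from Tomcat, or from any proxy), the following validator shows the kind of front-end check that does this: it parses the header block of a raw request, requires every transfer-coding to be a valid HTTP token from a known list, requires "chunked" to appear at most once and only as the final coding, and rejects requests that carry both Transfer-Encoding and Content-Length. The list of accepted codings, the sample requests, and the function names are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# HTTP "token" character set (RFC 7230 section 3.2.6, same as RFC 2616).
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Transfer codings this example front end is willing to forward to the origin.
# This list is an assumption of the example, not a setting of any real proxy.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}


def validate_transfer_encoding(headers: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Return (accepted, reason) for the Transfer-Encoding header(s) of one request.

    `headers` maps lower-cased field names to the list of field values as
    received, so a repeated header shows up as several entries.
    """
    values = headers.get("transfer-encoding", [])
    if not values:
        return True, "no transfer-encoding header"

    # Each field value is a comma-separated list; any ";param" suffix is
    # dropped from an element before its coding name is checked.
    codings: List[str] = []
    for value in values:
        for element in value.split(","):
            name = element.split(";", 1)[0].strip()
            if not name:
                return False, "empty list element in transfer-encoding"
            if not _TOKEN_RE.match(name):
                return False, f"transfer-coding is not a valid token: {name!r}"
            codings.append(name.lower())

    for name in codings:
        if name not in KNOWN_CODINGS:
            return False, f"unknown transfer-coding: {name!r}"

    if codings.count("chunked") > 1:
        return False, "chunked transfer-coding applied more than once"
    if "chunked" in codings and codings[-1] != "chunked":
        return False, "chunked must be the final transfer-coding"

    # Transfer-Encoding together with Content-Length is a message framing
    # conflict (RFC 7230 section 3.3.3); a front end may reject it outright.
    if "content-length" in headers:
        return False, "both transfer-encoding and content-length present"

    return True, "ok"


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Minimal parser for the request line and header block of a raw request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line, headers


# Constructed sample requests for the demonstration (not captured traffic).
SAMPLES = {
    "plain": b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nabc",
    "chunked": b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "gzip_then_chunked": b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n",
    "unknown_coding": b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: bogus\r\n\r\n",
    "chunked_not_last": b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "both_framing": b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n",
}


def check_sample(name: str) -> Tuple[bool, str]:
    """Parse one constructed sample and run the validator over its headers."""
    _, headers = parse_request_head(SAMPLES[name])
    return validate_transfer_encoding(headers)


if __name__ == "__main__":
    for sample in SAMPLES:
        accepted, reason = check_sample(sample)
        print(f"{sample:18} {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

A real proxy would apply this check before forwarding and answer a rejected request with 400 rather than passing it to the origin; the point of the example is that the origin server never sees a transfer-coding list it did not expect, which is exactly the mitigation the advisory describes.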