| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4D9CA2C5.8070608@apache.org> Date: Wed, 06 Apr 2011 18:28:37 +0100 From: Mark Thomas <markt@...che.org> To: Tomcat Users List <users@...cat.apache.org> Cc: Tomcat Developers List <dev@...cat.apache.org>, Tomcat Announce List <announce@...cat.apache.org>, announce@...che.org, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: [SECURITY] CVE-2011-1475 Apache Tomcat information disclosure CVE-2011-1475 Apache Tomcat information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.11 - Earlier versions are not affected Description: Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining. As a result, when using HTTP pipelining a range of unexpected behaviours occurred including the mixing up of responses between requests. While the mix-up in responses was only observed between requests from the same user, a mix-up of responses for requests from different users may also be possible. Mitigation: Users of affected versions should apply one of the following mitigations: - Upgrade to a Tomcat 7.0.12 or later - Switch to the NIO or APR/native HTTP connectors that do not exhibit this issue Credit: This issue was identified by Brad Piles and reported via the public ASF Bugzilla issue tracking system. The Apache Tomcat security team requests that security vulnerability reports are made privately to security@...cat.apache.org in the first instance. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html
Powered by blists - more mailing lists