| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5098445A.3020407@apache.org> Date: Mon, 05 Nov 2012 22:57:30 +0000 From: Mark Thomas <markt@...che.org> To: Tomcat Users List <users@...cat.apache.org> Cc: Tomcat Developers List <dev@...cat.apache.org>, full-disclosure@...ts.grok.org.uk, Tomcat Announce List <announce@...cat.apache.org>, bugtraq@...urityfocus.com, announce@...che.org Subject: [SECURITY] CVE-2012-2733 Apache Tomcat Denial of Service -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2012-2733 Apache Tomcat Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.27 - - Tomcat 6.0.0 to 6.0.35 Description: The checks that limited the permitted size of request headers were implemented too late in the request parsing process for the HTTP NIO connector. This enabled a malicious user to trigger an OutOfMemoryError by sending a single request with very large headers. Mitigation: Users of affected versions should apply one of the following mitigations: - - Tomcat 7.0.x users should upgrade to 7.0.28 or later - - Tomcat 6.0.x users should upgrade to 6.0.36 or later Credit: This issue was identified by Josh Spiewak. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQmERaAAoJEBDAHFovYFnnn3MQAOpo2bXRZqp7m6B9Baixivr3 XsahCY6g+lk1G9PZewYirHQ9I8rX0Zte0c+7M+D0jfn5kxDsvOzHGSHxn9IMQkYU 4dRKYrSi75b2RvwxWB1AT0PMDLEk6ttaPLSlA0/JdnPluh54dzVJ+4DPCm1NDfzh 7+UTGSIXESstOo9ogJG8oslXdv5m4aYscMdxrJMEDe3SeHp/vtphY8JfO5F8aGlF zUVrl/JY8lXl0UH79dMUHoyFbVeLLfv5vyNauSEQZKIa/2y58B9396H4sMlfAXoe +NcVTo9vb419CQs6I0G4qiN15lZKQk9+bF5hgjTX0GSxi3E88ZJMGuk9rCK8MXr+ XfTTX+YjnRfSjRlrbbd4zejovFUJukVGqkbmXj01Zm42kDmqQnem5lsKWo8IrmCJ Qe9gQstoqfWUY+gBAJ2msfg3HkJkPvehYYvmVO+pIdI7EemOAKOfgGxSjg947gtd gf97Z2BOmpWHUH8+erZ3ro8OaOdhHa9ixmDl2EZxZwjngAn59f9P/srBwmPtTsbh o9GYr3KgU7rfEVOgsZN1aUXvTFjwF50Ju8Yz4D+PagLPnGaraQLIkFc/MdvAFRm6 VP/UxJCRJDdxwjU/cj9jx6/6ZS99JL1ItfYF/v+v/0GCsERcKLphKNzhYpcY888u gpYL4yE7b4ZmqBUuoK1T =+jW7 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists