| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <53848920.9070009@apache.org> Date: Tue, 27 May 2014 13:46:24 +0100 From: Mark Thomas <markt@...che.org> To: Tomcat Users List <users@...cat.apache.org> Cc: Tomcat Developers List <dev@...cat.apache.org>, fulldisclosure@...lists.org, announce@...cat.apache.org, bugtraq@...urityfocus.com, announce@...che.org Subject: [FD] [SECURITY] CVE-2014-0095 Apache Tomcat denial of service CVE-2014-0095 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC2 to 8.0.3 Description: A regression was introduced in revision 1519838 that caused AJP requests to hang if an explicit content length of zero was set on the request. The hanging request consumed a request processing thread which could lead to a denial of service. Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released) Credit: This issue was reported as a possible bug via the Tomcat users mailing list and the security implications were identified by theTomcat security team. References: [1] http://tomcat.apache.org/security-8.html _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists