Bug 23779 - CVE-2010-2227: Remote Denial Of Service and Information Disclosure Vulnerability
Summary: CVE-2010-2227: Remote Denial Of Service and Information Disclosure Vulnerability
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: tomcat6 (show other bugs)
Version: unstable
Hardware: all Linux
Importance: P3 major
Assignee: Nobody's working on this, feel free to take it
QA Contact: qa-sisyphus
URL: http://cve.mitre.org/cgi-bin/cvename....
Keywords: security
Depends on:
Blocks:
 
Reported: 2010-07-16 19:04 MSD by Slava Semushin
Modified: 2010-10-18 05:02 MSD (History)

See Also:


Description Slava Semushin 2010-07-16 19:04:25 MSD
Several flaws in the handling of the 'Transfer-Encoding' header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw which would cause subsequent requests to fail and/or information to leak between requests. This flaw is mitigated if Tomcat is behind a reverse proxy (such as Apache httpd 2.2) as the proxy should reject the invalid transfer encoding header.


In short, I propose updating Tomcat to 6.0.28, which will also fix #23500
Comment 1 Repository Robot 2010-10-18 05:02:33 MSD
tomcat6-0:6.0.26-alt2_11jpp6 -> sisyphus:

* Mon Oct 18 2010 Igor Vlasenko <viy@altlinux> 0:6.0.26-alt2_11jpp6
- CVE-2010-2227 fix (closes: 23779)