#23779 – CVE-2010-2227: Remote Denial Of Service and Information Disclosure Vulnerability

Bug 23779 - CVE-2010-2227: Remote Denial Of Service and Information Disclosure Vulnerability

Summary: CVE-2010-2227: Remote Denial Of Service and Information Disclosure Vulnerability

Status:	CLOSED FIXED

Alias:	None

Product:	Sisyphus
Classification:	Development
Component:	tomcat6 (show other bugs)
Version:	unstable
Hardware:	all Linux

Importance:	P3 major
Assignee:	Nobody's working on this, feel free to take it
QA Contact:	qa-sisyphus

URL:	http://cve.mitre.org/cgi-bin/cvename....
Keywords:	security

Depends on:
Blocks:

Reported:	2010-07-16 19:04 MSD by Slava Semushin
Modified:	2010-10-18 05:02 MSD (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Slava Semushin 2010-07-16 19:04:25 MSD

Several flaws in the handling of the 'Transfer-Encoding' header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw which would cause subsequent requests to fail and/or information to leak between requests. This flaw is mitigated if Tomcat is behind a reverse proxy (such as Apache httpd 2.2) as the proxy should reject the invalid transfer encoding header.


Одним словом предлагаю обновить Tomcat до 6.0.28, который также зафиксит #23500

Comment 1 Repository Robot 2010-10-18 05:02:33 MSD

tomcat6-0:6.0.26-alt2_11jpp6 -> sisyphus:

* Mon Oct 18 2010 Igor Vlasenko <viy@altlinux> 0:6.0.26-alt2_11jpp6
- CVE-2010-2227 fix (closes: 23779)