Bug 432332 (CVE-2007-6286)

Summary: CVE-2007-6286 Tomcat5 Data integrity
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE
Severity: high
Priority: high
Version: unspecified
CC: kreilly, osoukup
Keywords: Security
Hardware: All
OS: Linux
URL: http://tomcat.apache.org/security-6.html
Fixed In Version: 5.5.26-1jpp.1
Doc Type: Bug Fix
Last Closed: 2008-03-03 07:38:13 UTC
Bug Depends On: 432474, 432475, 432476, 433610, 433611

Description Marc Schoenefeld 2008-02-11 10:57:54 UTC
important: Data integrity   CVE-2007-6286

When using the native (APR based) connector, connecting to the SSL port using
netcat and then disconnecting without sending any data will cause tomcat to
handle a duplicate copy of one of the recent requests.

Affects: 6.0.0-6.0.15

Comment 3 Fedora Update System 2008-02-12 20:32:01 UTC
tomcat5-5.5.26-1jpp.2.fc8 has been submitted as an update for Fedora 8

Comment 4 Fedora Update System 2008-02-12 20:34:08 UTC
tomcat5-5.5.26-1jpp.2.fc7 has been submitted as an update for Fedora 7

Comment 5 Fedora Update System 2008-02-13 04:54:23 UTC
tomcat5-5.5.26-1jpp.2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2008-02-13 05:14:05 UTC
tomcat5-5.5.26-1jpp.2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.