Bug 873695 (CVE-2012-2733)
Summary: | CVE-2012-2733 tomcat: HTTP NIO connector OOM DoS via a request with large headers | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | akurtako, aneelica, djorm, dknox, dwalluck, ivan.afonichev, java-sig-commits, jdennis, kdaniel, lfuka, pcheung, sochotni |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Apache Tomcat 6.0.36, Apache Tomcat 7.0.28 | Doc Type: | Bug Fix |
Last Closed: | 2013-07-01 00:44:49 UTC | Type: | --- |
Bug Depends On: | 873703, 873707, 881602, 881603, 881605 | ||
Bug Blocks: | 873710 |
Description
Jan Lieskovsky
2012-11-06 14:03:22 UTC
This issue affects the version of the tomcat6 package as shipped with JBoss Enterprise Web Server 1.0.2.

--

This issue affects the versions of the tomcat6 package, as shipped with Fedora release of 16 and 17.

Relevant upstream patch for Tomcat 7:
[3] http://svn.apache.org/viewvc?view=rev&rev=1350301

Affected Tomcat 7 versions: From 7.0.0 up to 7.0.27.

This issue affects the version of the tomcat package, as shipped with Fedora release of 16.

--

This issue did not affect the version of the tomcat package, as shipped with Fedora release of 17 (that version was already updated).

Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 873703]

Created tomcat tracking bugs for this issue

Affects: fedora-16 [bug 873707]

This flaw does not affect jbossweb as the NIO connector is not present.

tomcat-7.0.33-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in following products:

JBoss Enterprise Web Server 2.0.0

Via RHSA-2013:0265 https://rhn.redhat.com/errata/RHSA-2013-0265.html

This issue has been addressed in following products:

JBEWS 2 for RHEL 5
JBEWS 2 for RHEL 6

Via RHSA-2013:0266 https://rhn.redhat.com/errata/RHSA-2013-0266.html