Bug 612799 - (CVE-2010-2227) CVE-2010-2227 tomcat: information leak vulnerability in the handling of 'Transfer-Encoding' header
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: public=20100708,reported=20100708,sou...
Keywords: Security
Depends On: 613004 613005 613944 613945 613946 613948 614422 614424 616750 616751 617501 632313 632314
Blocks:
Reported: 2010-07-09 00:17 EDT by Vincent Danen
Modified: 2012-08-16 14:36 EDT (History)
CC: 26 users

See Also:
Fixed In Version: tomcat5 5.5.30, tomcat6 6.0.28
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-16 14:36:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0580 normal SHIPPED_LIVE Important: tomcat5 security update 2010-08-02 16:00:06 EDT
Red Hat Product Errata RHSA-2010:0581 normal SHIPPED_LIVE Important: tomcat5 and tomcat6 security update 2010-08-02 16:39:04 EDT
Red Hat Product Errata RHSA-2010:0582 normal SHIPPED_LIVE Important: tomcat5 security update 2010-08-02 16:17:44 EDT
Red Hat Product Errata RHSA-2010:0583 normal SHIPPED_LIVE Important: tomcat5 security update 2010-08-02 16:17:39 EDT
Red Hat Product Errata RHSA-2010:0584 normal SHIPPED_LIVE Important: jbossweb security update 2010-08-02 16:18:02 EDT
Red Hat Product Errata RHSA-2010:0693 normal SHIPPED_LIVE Important: tomcat5 security update 2010-09-10 04:37:13 EDT

Description Vincent Danen 2010-07-09 00:17:46 EDT
A flaw in the handling of the 'Transfer-Encoding' header was found. A
remote attacker could trigger this flaw which would cause subsequent
requests to fail or information to leak between requests. This flaw is
mitigated if Tomcat is behind a proxy as the proxy should reject the
invalid transfer encoding header.

This was fixed in r958977:

http://svn.apache.org/viewvc?view=revision&revision=958977

Upstream 6.0.28 corrects this flaw as noted:

http://tomcat.apache.org/security-6.html

There is no upstream indication that this has been fixed in Tomcat5, however the patches mostly apply (a few rejects) with fuzz.
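The description notes that the flaw is mitigated when a proxy in front of Tomcat rejects the invalid Transfer-Encoding header. The bug does not record what the malformed header looked like, so the following example, added here and not taken from the bug, from Tomcat or from any Red Hat package, only shows the strict request-side validation of Transfer-Encoding that a reverse proxy or servlet filter can apply before a request reaches the backend, following RFC 7230: unknown transfer-codings, a chunked coding that is not last or is applied more than once, malformed tokens, and Transfer-Encoding combined with Content-Length are all rejected. The function names, the header tuples and the sample values are constructed for the example.

```python
"""Strict validation of the Transfer-Encoding request header (added example).

Assumptions: headers are given as a list of (name, value) tuples as a proxy
would see them after parsing; coding names are compared case-insensitively.
"""
from __future__ import annotations

import re

# Transfer codings registered in the IANA HTTP Transfer Coding registry
# that are valid in a request's Transfer-Encoding field (RFC 7230 section 4).
KNOWN_CODINGS = {"chunked", "compress", "deflate", "gzip", "x-compress", "x-gzip"}

# RFC 7230 "token": one or more tchar characters, nothing else.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_transfer_encoding(value: str) -> list[str]:
    """Split a Transfer-Encoding field value into lowercase coding names.

    Any ';param=...' part is dropped, empty list elements are tolerated as the
    RFC 7230 list rule allows, and a coding name that is not a valid token
    raises ValueError so the caller can reject the request.
    """
    codings: list[str] = []
    for element in value.split(","):
        element = element.strip()
        if not element:
            continue  # "a, , b" is legal; empty elements are ignored
        name = element.split(";", 1)[0].strip().lower()
        if not _TOKEN_RE.match(name):
            raise ValueError(f"invalid transfer-coding token: {element!r}")
        codings.append(name)
    return codings


def validate_transfer_encoding(headers: list[tuple[str, str]]) -> tuple[bool, str]:
    """Return (accept, reason) for the Transfer-Encoding headers of one request.

    A proxy that gets (False, reason) should answer 400 and close the
    connection rather than forward the request to the origin server.
    """
    values = [v for k, v in headers if k.lower() == "transfer-encoding"]
    if not values:
        return True, "no Transfer-Encoding"
    try:
        # Repeated header lines combine into one comma-separated list.
        codings = parse_transfer_encoding(",".join(values))
    except ValueError as exc:
        return False, str(exc)
    if not codings:
        return False, "empty Transfer-Encoding"
    unknown = [c for c in codings if c not in KNOWN_CODINGS]
    if unknown:
        return False, f"unknown transfer-coding: {unknown[0]}"
    if codings.count("chunked") > 1:
        return False, "chunked applied more than once"
    if codings[-1] != "chunked":
        # RFC 7230 3.3.3: body length is undeterminable, server MUST send 400.
        return False, "chunked must be the final transfer-coding"
    if any(k.lower() == "content-length" for k, _ in headers):
        # Both framing headers together is a request-smuggling signal.
        return False, "Transfer-Encoding and Content-Length both present"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests; none of these come from the bug report.
    samples = {
        "plain chunked": [("Host", "app.example.test"), ("Transfer-Encoding", "chunked")],
        "gzip then chunked": [("Transfer-Encoding", "gzip, chunked")],
        "chunked not last": [("Transfer-Encoding", "chunked, gzip")],
        "double chunked": [("Transfer-Encoding", "chunked"), ("Transfer-Encoding", "chunked")],
        "unknown coding": [("Transfer-Encoding", "identity")],
        "bad token": [("Transfer-Encoding", "chun ked")],
        "TE plus CL": [("Transfer-Encoding", "chunked"), ("Content-Length", "5")],
    }
    for label, hdrs in samples.items():
        accept, reason = validate_transfer_encoding(hdrs)
        print(f"{label:18} -> {'accept' if accept else 'reject'}: {reason}")
```

The check is deliberately stricter than what RFC 7230 requires of an origin server (it rejects rather than merely overrides Content-Length, and it refuses unregistered codings outright); that is the posture a boundary proxy should take, since the description's mitigation depends on the proxy never forwarding a transfer encoding the backend might mis-handle.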
Comment 4 Vincent Danen 2010-07-09 11:47:38 EDT
Tomcat 5.5.30 is available to fix this flaw:

http://tomcat.apache.org/security-5.html

And the svn revision (patches) to correct it:

http://svn.apache.org/viewvc?view=revision&revision=959428
Comment 18 Jan Lieskovsky 2010-07-27 04:00:51 EDT
This flaw affects the version of the tomcat5 package, as shipped
with Red Hat Enterprise Linux 5.

This flaw affects the version of the tomcat5 package, as shipped
with Red Hat Application Server v2.

This flaw affects the versions of the tomcat5 and tomcat6 packages,
as shipped with JBoss Enterprise Web Server 1.0.1 for Red Hat
Enterprise Linux 4 and 5.

This flaw affects the version of the tomcat5 package, as shipped
with Red Hat Developer Suite 3.
Comment 21 errata-xmlrpc 2010-08-02 16:00:09 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0580 https://rhn.redhat.com/errata/RHSA-2010-0580.html
Comment 22 errata-xmlrpc 2010-08-02 16:17:47 EDT
This issue has been addressed in the following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2010:0582 https://rhn.redhat.com/errata/RHSA-2010-0582.html
Comment 23 errata-xmlrpc 2010-08-02 16:17:58 EDT
This issue has been addressed in the following products:

  Red Hat Developer Suite V.3

Via RHSA-2010:0583 https://rhn.redhat.com/errata/RHSA-2010-0583.html
Comment 24 errata-xmlrpc 2010-08-02 16:18:05 EDT
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.2.0 for RHEL 5
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0584 https://rhn.redhat.com/errata/RHSA-2010-0584.html
Comment 25 errata-xmlrpc 2010-08-02 16:39:07 EDT
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5

Via RHSA-2010:0581 https://rhn.redhat.com/errata/RHSA-2010-0581.html
Comment 26 Vincent Danen 2010-09-09 12:51:23 EDT
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 632313]
Comment 27 Vincent Danen 2010-09-09 12:51:31 EDT
Created tomcat5 tracking bugs for this issue

Affects: fedora-all [bug 632314]
Comment 28 errata-xmlrpc 2010-09-10 04:37:20 EDT
This issue has been addressed in the following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0693 https://rhn.redhat.com/errata/RHSA-2010-0693.html
Comment 29 David Jorm 2012-03-27 20:18:50 EDT
This issue has been addressed in an asynchronous patch to JBoss Enterprise Application Platform 5.0.1, available here (login required):

https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=3683&product=appplatform&version=5.0.1&downloadType=securityPatches

It is also fixed in all subsequent versions of JBoss Enterprise Application Platform 5.
