Apache Tomcat 6.0.32 was released [1] to fix, among other things, a security flaw in the NIO connector. The NIO connector would expand its buffer endlessly while reading in the request line, effectively ignoring the maxHttpHeaderSize setting. The upstream commit to fix the issue is in r1066313 [2] and there is a corresponding bugzilla entry [3]. By the indications upstream, this only affects Tomcat 6.x and 7.x, although it does not specifically mention that 5.x is not vulnerable. [1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.32 [2] http://svn.apache.org/viewvc?view=revision&revision=1066313 [3] https://issues.apache.org/bugzilla/show_bug.cgi?id=50631
The upstream mail sent to the mailing lists has further details on this issue. It only affects Tomcat 6.0.0 to 6.0.30 and Tomcat 7.0.0 to 7.0.6: http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0076.html
Created tomcat6 tracking bugs for this issue Affects: fedora-all [bug 675794]
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0335 https://rhn.redhat.com/errata/RHSA-2011-0335.html
This issue has been addressed in following products: JBEWS 1.0 for RHEL 4 JBEWS 1.0 for RHEL 5 Via RHSA-2011:0348 https://rhn.redhat.com/errata/RHSA-2011-0348.html
This issue has been addressed in following products: JBoss Enterprise Web Server 1.0 Via RHSA-2011:0350 https://rhn.redhat.com/errata/RHSA-2011-0350.html