This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.10
---
tomcat6 (6.0.24-2ubuntu1.10) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via hash collision and incorrect
handling of large numbers of parameters and parameter values
(LP: #909828)
-
This bug was fixed in the package tomcat6 - 6.0.28-2ubuntu1.6
---
tomcat6 (6.0.28-2ubuntu1.6) maverick-security; urgency=low
* SECURITY UPDATE: denial of service via hash collision and incorrect
handling of large numbers of parameters and parameter values
(LP: #909828)
This bug was fixed in the package tomcat6 - 6.0.32-5ubuntu1.2
---
tomcat6 (6.0.32-5ubuntu1.2) oneiric-security; urgency=low
* SECURITY UPDATE: cross-request information leakage
- debian/patches/0016-CVE-2011-3375.patch: ensure that the request and
response objects are
This bug was fixed in the package tomcat6 - 6.0.28-10ubuntu2.3
---
tomcat6 (6.0.28-10ubuntu2.3) natty-security; urgency=low
* SECURITY UPDATE: denial of service via hash collision and incorrect
handling of large numbers of parameters and parameter values
(LP: #909828)
-
Testing completed in oneiric:
Installed tomcat6
Installed jenkins-tomcat
Installed solr-tomcat
Verified that both jenkins and solr were functional on current
published packages.
Added -proposed and upgraded to version of tomcat6 in -proposed.
Revalidated that both jenkins and solr were still
Testing completed in lucid:
Installed tomcat6
Installed solr-tomcat
Verified that solr was functional on current published packages.
Added -proposed and upgraded to version of tomcat6 in -proposed.
Revalidated that solr was still functional - all looked OK to me.
--
You received this bug
SRU team: This is a security update. If the packages have the required
testing to publish, please let the security team know so we can publish
the USN and push it to -security also. Thanks!
--
There are now updated tomcat6 packages that fix this issue, and
CVE-2012-0022 in -proposed. Since the patch is quite intrusive, they
will stay in -proposed until they get some testing.
If you would like to help, please enable -proposed, test the updates,
and post your results here.
Thanks.
**
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4858
** Also affects: tomcat6 (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: tomcat6 (Ubuntu Maverick)
Importance: Undecided
Status: New
** Also affects: tomcat6 (Ubuntu Oneiric)