On 9 February 2015 at 09:12, Mark Thomas <ma...@apache.org> wrote:
> CVE-2014-0227 Request Smuggling
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Apache Tomcat 8.0.0-RC1 to 8.0.8
> - Apache Tomcat 7.0.0 to 7.0.54
> - Apache Tomcat 6.0.0 to 6.0.41
>
> Description:
> It was possible to craft a malformed chunk as part of a chucked request

s/chucked/chunked/?

> that caused Tomcat to read part of the request body as a new request.
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 8.0.9 or later
> - Upgrade to Apache Tomcat 7.0.55 or later
> - Upgrade to Apache Tomcat 6.0.43 or later
>   (6.0.42 contains the fix but was not released)
>
> Credit:
> This issue was identified by the Tomcat security team.
>
> References:
> [1] http://tomcat.apache.org/security-8.html
> [2] http://tomcat.apache.org/security-7.html
> [3] http://tomcat.apache.org/security-6.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
