On 9 February 2015 at 09:12, Mark Thomas <ma...@apache.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2014-0227 Request Smuggling
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - - Apache Tomcat 8.0.0-RC1 to 8.0.8
> - - Apache Tomcat 7.0.0 to 7.0.54
> - - Apache Tomcat 6.0.0 to 6.0.41
>
> Description:
> It was possible to craft a malformed chunk as part of a chucked request

s/chucked/chunked/?

> that caused Tomcat to read part of the request body as a new request.
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations
> - - Upgrade to Apache Tomcat 8.0.9 or later
> - - Upgrade to Apache Tomcat 7.0.55 or later
> - - Upgrade to Apache Tomcat 6.0.43 or later
> (6.0.42 contains the fix but was not released)
>
> Credit:
> This issue was identified by the Tomcat security team.
>
> References:
> [1] http://tomcat.apache.org/security-8.html
> [2] http://tomcat.apache.org/security-7.html
> [3] http://tomcat.apache.org/security-6.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
>
> iQIcBAEBAgAGBQJU2HoOAAoJEBDAHFovYFnn/3wP/A3qNw/M6hrPYGtZJGtHmb3b
> B7VMHvhW18nTVUIuS6pg/FIcLg//dRpzzosHGAygGZJRTqW6am3TF9IEGrtaqXED
> 3cLbIUcIlay8grokG5Ci4fduZ3pouVA8/xbWTW6ND0KORAAsCeeIVVs3+/IdyBrM
> hRMST00A/ryXEBCzUdVATjd7bpdOAnRW/lSUI5/Ap+zQN1SR6rBdF224UaWRiZrr
> 4t55ZnStDQ10OT5a8R/uSZAftnRD3wRzOCquYHA7PbzpjDDmwbz00BQWErmlmgs/
> ElN9Dmdn+/dFaaU9AGOLEhsse3KajfjgdWVXRoB2BJW3/GFgPT9vcHswINEgAZtp
> HoNFavmlZr0bs+1YdSEx8qtitB6Wr4QiwWYzfwLMhZ3qx6g0NSTMY6g+JH7BVIOL
> 3xGf1B42LidgMqqpcyddLW3HFICRI6wX1IgK+rF8Obaga6UOCHgmCKTL4YBxe5XK
> +YqEgH3HE1jwTL04FGsVMSAUIx4Z5wkm0rXsf3emHsyDytFQOyrJqI8AdGVMyOwO
> ZEjqwFDCjW36I2YsoE4HffO/ZnTxJrZzOZOXXt7N7zfFfxXsJsSuBBM3il0VIPyB
> AdmOl1RoeGx5Gj2WGIgXjPLCcOHaNTobClasFMvuzgPmxIHPViT1fhM/M41cre8M
> v3iXCWFfOe15UtdBy57w
> =BK1a
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
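The advisory quoted above says only that a malformed chunk could make Tomcat treat part of the request body as a new request; it does not say which malformation. The decoder below is an added illustration of the defensive property a chunked-body parser needs, not Tomcat's code and not a reproduction of CVE-2014-0227: every chunk-size line and every chunk terminator is checked against the RFC 7230 grammar, and on any violation the decoder raises so the caller closes the connection, rather than resynchronising and handing attacker-supplied body bytes back to the request parser as the next pipelined request. The sample messages (`GOOD`, `BAD`) and the size limit are constructed for the example.

```python
"""Strict HTTP/1.1 chunked-body decoder (added example, not Tomcat code)."""
import re

class ChunkedFramingError(Exception):
    """Malformed chunked framing. The only safe handling is to close the
    connection; the unread bytes must never be re-parsed as a request."""

# chunk-size = 1*HEXDIG, optionally followed by chunk extensions (";...").
# No leading whitespace, no sign, bounded length (assumption: 8 hex digits).
_CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]{1,8})(;.*)?$")

def decode_chunked(data: bytes, max_body: int = 1 << 20) -> tuple[bytes, bytes]:
    """Decode one chunked message body from the start of `data`.

    Returns (body, rest): `rest` is whatever follows the terminating
    zero-size chunk and its trailer section, i.e. the legitimate start of
    the next pipelined request. Raises ChunkedFramingError on malformed
    framing instead of guessing where the next request begins.
    """
    pos = 0
    body = bytearray()
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedFramingError("chunk-size line not terminated")
        line = data[pos:eol]
        m = _CHUNK_SIZE_RE.match(line)
        if not m:
            raise ChunkedFramingError(f"bad chunk-size line: {line!r}")
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailer section follows
        if len(body) + size > max_body:
            raise ChunkedFramingError("chunked body exceeds limit")
        chunk = data[pos:pos + size]
        if len(chunk) < size:
            raise ChunkedFramingError("truncated chunk data")
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            # RFC 7230: chunk-data MUST be followed by CRLF. Anything else
            # here is a framing violation, not the start of a new request.
            raise ChunkedFramingError("chunk data not followed by CRLF")
        pos += 2
        body += chunk
    # trailer-part: zero or more "name: value" lines, then an empty line.
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedFramingError("trailer section not terminated")
        line = data[pos:eol]
        pos = eol + 2
        if line == b"":
            break
        if b":" not in line:
            raise ChunkedFramingError(f"bad trailer line: {line!r}")
    return bytes(body), data[pos:]

def next_request_or_close(data: bytes) -> tuple[str, bytes]:
    """Connection-level decision: ('next', bytes_for_next_request) on a
    well-formed body, ('close', b'') on any framing error."""
    try:
        _body, rest = decode_chunked(data)
        return "next", rest
    except ChunkedFramingError:
        return "close", b""

# Constructed sample inputs (not taken from the advisory).
GOOD = b"5\r\nhello\r\n0\r\n\r\nGET /next HTTP/1.1\r\n\r\n"
# Chunk claims 5 bytes but 7 precede the CRLF: a malformed chunk. A lenient
# decoder that skipped to the next CRLF would surface the remaining bytes
# as the next request; this one refuses and closes.
BAD = b"5\r\nhelloXX\r\n0\r\n\r\nGET /next HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(GOOD))           # (b'hello', b'GET /next HTTP/1.1\r\n\r\n')
    print(next_request_or_close(BAD))     # ('close', b'')
```

The design point is in `next_request_or_close`: after a framing error there is no trustworthy byte position at which the next request starts, so the only correct action is to discard the connection. Any attempt to "recover" by scanning forward lets whoever controls the body choose where the next request begins.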