Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole

Please see http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28

Important: Remote Denial Of Service and Information Disclosure Vulnerability
CVE-2010-2227

Several flaws in the handling of the 'Transfer-Encoding' header were found
that prevented the recycling of a buffer. A remote attacker could trigger
this flaw which would cause subsequent requests to fail and/or information
to leak between requests.

This flaw is mitigated if Tomcat is behind a reverse proxy (such as Apache
httpd 2.2) as the proxy should reject the invalid transfer encoding header.

This was fixed in revision 958977.

Cheers,
Moritz

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18 (SMP w/1 CPU core)
Locale: lang=de_de.ut...@euro, lc_ctype=de_de.ut...@euro (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
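As an added illustration of the mitigation the advisory mentions (not code from the bug report, from Debian or from Tomcat): a front-end check of the kind a reverse proxy applies to a request's Transfer-Encoding header before forwarding it. The acceptance rules are assumed from RFC 2616 sections 3.6 and 4.4; the page does not state which malformed values Tomcat mishandled, so nothing here is taken from the fix itself.

```python
import re
from typing import List, Tuple

# Transfer-codings listed in RFC 2616 section 3.6 (assumed set; 'identity'
# is left out because it carries no framing). Anything else is unknown and
# a front end should answer 501 Not Implemented rather than forward it.
KNOWN_CODINGS = {"chunked", "gzip", "compress", "deflate"}

# token = 1*<any CHAR except CTLs or separators>  (RFC 2616 section 2.2)
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_transfer_encoding(value: str) -> List[str]:
    """Split a Transfer-Encoding value into lower-cased coding names.

    Parameters (e.g. ';q=1') are dropped; each coding name must be a
    valid HTTP token. Raises ValueError on a malformed list element.
    """
    codings = []
    for element in value.split(","):
        element = element.strip()
        if not element:
            raise ValueError("empty element in Transfer-Encoding list")
        name = element.split(";", 1)[0].strip()
        if not _TOKEN.match(name):
            raise ValueError(f"invalid transfer-coding token: {name!r}")
        codings.append(name.lower())
    return codings


def check_transfer_encoding(value: str) -> Tuple[bool, str]:
    """Decide whether a front end should forward a request that carries
    this Transfer-Encoding header. Returns (accept, reason)."""
    try:
        codings = parse_transfer_encoding(value)
    except ValueError as exc:
        return False, str(exc)
    unknown = [c for c in codings if c not in KNOWN_CODINGS]
    if unknown:
        return False, f"unknown transfer-coding(s): {unknown}"
    if codings.count("chunked") > 1:
        return False, "'chunked' applied more than once"
    # A coded request body must end with 'chunked' so the message is framed
    # without relying on the connection closing (RFC 2616 section 4.4).
    if codings[-1] != "chunked":
        return False, "'chunked' must be the final transfer-coding"
    return True, "ok"
```

Rejecting at the proxy keeps the malformed header from ever reaching the servlet container, which is the behaviour the advisory credits for the mitigation.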