Author: markt
Date: Wed Mar 1 13:48:39 2017
New Revision: 1784933

URL: http://svn.apache.org/viewvc?rev=1784933&view=rev
Log: Add info on CVE-2017-6056 to the not a vulnerability in Tomcat section
Modified: tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1784933&r1=1784932&r2=1784933&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Wed Mar 1 13:48:39 2017 
@@ -2250,6 +2250,46 @@ <p> +<strong>Important: Denial of Service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6056" rel="nofollow">CVE-2017-6056</a> +</p> + + +<p>In February 2015 a single user reported high CPU usage (<a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>) + which was traced to a tight loop. However, it was not clear how the + conditions necessary to enter the loop were being created. There was no + evidence that indicated that the loop was user triggerable. The only + potential paths identified by code inspection depended on application + bugs (retaining references to request objects and accessing after the + request had completed).</p> + + +<p>It was (and still is) believed that an application bug was the most + likely root cause. Therefore, <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a> was not treated as a DoS + vulnerability.</p> + + +<p>In November 2016, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> was announced. When downstream + distributions, notably Debian, back-ported the fix for + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> they inadvertently make it trivial for users to + trigger the tight loop from <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>. 
This made a DoS attack + trivial to mount and resulted in multiple reports of problems including + <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=60578">60578</a> and <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=60581">60581</a>.</p> + + +<p>Tomcat releases from the Apache Software Foundation were not affected as + the ASF did not release any versions that contained the fix for + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> but not the fix for <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>.</p> + + +<p>This issue was first announced on 13 February 2017.</p> + + +<p>Affects: Debian, Ubuntu and potentially other downstream + distributions.</p> + + +<p> <strong>Low: Denial Of Service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568" rel="nofollow">CVE-2012-5568</a> </p> Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1784933&r1=1784932&r2=1784933&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Wed Mar 1 13:48:39 2017 
@@ -1378,6 +1378,46 @@ <p> +<strong>Important: Denial of Service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6056" rel="nofollow">CVE-2017-6056</a> +</p> + + +<p>In February 2015 a single user reported high CPU usage (<a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>) + which was traced to a tight loop. However, it was not clear how the + conditions necessary to enter the loop were being created. There was no + evidence that indicated that the loop was user triggerable. The only + potential paths identified by code inspection depended on application + bugs (retaining references to request objects and accessing after the + request had completed).</p> + + +<p>It was (and still is) believed that an application bug was the most + likely root cause. Therefore, <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a> was not treated as a DoS + vulnerability.</p> + + +<p>In November 2016, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> was announced. When downstream + distributions, notably Debian, back-ported the fix for + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> they inadvertently make it trivial for users to + trigger the tight loop from <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>. 
This made a DoS attack + trivial to mount and resulted in multiple reports of problems including + <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=60578">60578</a> and <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=60581">60581</a>.</p> + + +<p>Tomcat releases from the Apache Software Foundation were not affected as + the ASF did not release any versions that contained the fix for + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> but not the fix for <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>.</p> + + +<p>This issue was first announced on 13 February 2017.</p> + + +<p>Affects: Debian, Ubuntu and potentially other downstream + distributions.</p> + + +<p> <strong>Important: Remote Memory Read</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160" rel="nofollow">CVE-2014-0160</a> (a.k.a. "Heartbleed")</p> Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1784933&r1=1784932&r2=1784933&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Wed Mar 1 13:48:39 2017 
@@ -1371,6 +1371,37 @@ <section name="Not a vulnerability in Tomcat"> + <p><strong>Important: Denial of Service</strong> + <cve>CVE-2017-6056</cve></p> + + <p>In February 2015 a single user reported high CPU usage (<bug>57544</bug>) + which was traced to a tight loop. However, it was not clear how the + conditions necessary to enter the loop were being created. There was no + evidence that indicated that the loop was user triggerable. The only + potential paths identified by code inspection depended on application + bugs (retaining references to request objects and accessing after the + request had completed).</p> + + <p>It was (and still is) believed that an application bug was the most + likely root cause. Therefore, <bug>57544</bug> was not treated as a DoS + vulnerability.</p> + + <p>In November 2016, <cve>CVE-2016-6816</cve> was announced. When downstream + distributions, notably Debian, back-ported the fix for + <cve>CVE-2016-6816</cve> they inadvertently make it trivial for users to + trigger the tight loop from <bug>57544</bug>. This made a DoS attack + trivial to mount and resulted in multiple reports of problems including + <bug>60578</bug> and <bug>60581</bug>.</p> + + <p>Tomcat releases from the Apache Software Foundation were not affected as + the ASF did not release any versions that contained the fix for + <cve>CVE-2016-6816</cve> but not the fix for <bug>57544</bug>.</p> + + <p>This issue was first announced on 13 February 2017.</p> + + <p>Affects: Debian, Ubuntu and potentially other downstream + distributions.</p> + <p><strong>Low: Denial Of Service</strong> <cve>CVE-2012-5568</cve></p> Modified: tomcat/site/trunk/xdocs/security-8.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1784933&r1=1784932&r2=1784933&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-8.xml (original) +++ tomcat/site/trunk/xdocs/security-8.xml Wed Mar 1 13:48:39 2017 
@@ -799,6 +799,37 @@ <section name="Not a vulnerability in Tomcat"> + <p><strong>Important: Denial of Service</strong> + <cve>CVE-2017-6056</cve></p> + + <p>In February 2015 a single user reported high CPU usage (<bug>57544</bug>) + which was traced to a tight loop. However, it was not clear how the + conditions necessary to enter the loop were being created. There was no + evidence that indicated that the loop was user triggerable. The only + potential paths identified by code inspection depended on application + bugs (retaining references to request objects and accessing after the + request had completed).</p> + + <p>It was (and still is) believed that an application bug was the most + likely root cause. Therefore, <bug>57544</bug> was not treated as a DoS + vulnerability.</p> + + <p>In November 2016, <cve>CVE-2016-6816</cve> was announced. When downstream + distributions, notably Debian, back-ported the fix for + <cve>CVE-2016-6816</cve> they inadvertently make it trivial for users to + trigger the tight loop from <bug>57544</bug>. This made a DoS attack + trivial to mount and resulted in multiple reports of problems including + <bug>60578</bug> and <bug>60581</bug>.</p> + + <p>Tomcat releases from the Apache Software Foundation were not affected as + the ASF did not release any versions that contained the fix for + <cve>CVE-2016-6816</cve> but not the fix for <bug>57544</bug>.</p> + + <p>This issue was first announced on 13 February 2017.</p> + + <p>Affects: Debian, Ubuntu and potentially other downstream + distributions.</p> + <p><strong>Important: Remote Memory Read</strong> <cve>CVE-2014-0160</cve> (a.k.a. "Heartbleed")</p> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
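Review bot: In the CVE-2016-6816 paragraph, "they inadvertently make it trivial for users to trigger the tight loop" mixes tenses with the surrounding "back-ported" and "This made a DoS attack trivial to mount"; change "make" to "made". The same sentence appears identically in security-7.xml, security-8.xml and the generated security-7.html and security-8.html, so the fix belongs in the two xdocs sources with the html regenerated from them. While there, "retaining references to request objects and accessing after the request had completed" reads more cleanly as "accessing them after the request had completed".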
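Review bot: The new entry carries the heading "Important: Denial of Service" while sitting in the "Not a vulnerability in Tomcat" section, and the body says ASF releases were not affected and lists only "Debian, Ubuntu and potentially other downstream distributions" under Affects. A reader scanning the page by severity could take this for an ASF-shipped vulnerability; consider stating in the heading paragraph or the Affects line that the rating applies to the downstream packages that combined the CVE-2016-6816 back-port with an unfixed 57544, and that no ASF Tomcat version is affected. This applies to all four hunks; edit the xdocs sources and regenerate.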