Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

CORRECTION: This is CVE-2014-0099 *NOT* -0097 Apologies for the typo On 27/05/2014 13:46, Mark Thomas wrote: CVE-2014-0099 Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.3 - Apache

Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

On 27/05/2014 14:05, André Warnier wrote: Mark Thomas wrote: CVE-2014-0099 Information Disclosure ... Description: The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located

Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

Mark Thomas wrote: On 27/05/2014 14:05, André Warnier wrote: Mark Thomas wrote: CVE-2014-0099 Information Disclosure ... Description: The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when

Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

On 27/05/2014 15:12, Konstantin Preißer wrote: Hi André, -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Tuesday, May 27, 2014 3:06 PM Mark Thomas wrote: CVE-2014-0099 Information Disclosure ... Description: The code used to parse the request content

RE: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

Hi Mark, -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Tuesday, May 27, 2014 4:33 PM snip Yes, you need to have a content-length above Long.MAX_VALUE for problems to occur. That would be unusual to say the least for most (all?) applications in normal usage

Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

Mark Thomas wrote: On 27/05/2014 15:12, Konstantin Preißer wrote: Hi André, -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Tuesday, May 27, 2014 3:06 PM Mark Thomas wrote: CVE-2014-0099 Information Disclosure ... Description: The code used to parse the

Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 5/27/14, 10:03 AM, André Warnier wrote: Mark Thomas wrote: On 27/05/2014 14:05, André Warnier wrote: Mark Thomas wrote: CVE-2014-0099 Information Disclosure ... Description: The code used to parse the request content length

Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 5/27/14, 10:32 AM, Mark Thomas wrote: On 27/05/2014 15:12, Konstantin Preißer wrote: Hi André, -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Tuesday, May 27, 2014 3:06 PM Mark Thomas wrote:

Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

On 27/05/2014 19:24, Christopher Schultz wrote: André, On 5/27/14, 10:03 AM, André Warnier wrote: Mark Thomas wrote: On 27/05/2014 14:05, André Warnier wrote: Mark Thomas wrote: CVE-2014-0099 Information Disclosure ... Description: The code used to parse the request content length

Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 5/27/14, 3:04 PM, Mark Thomas wrote: On 27/05/2014 19:24, Christopher Schultz wrote: André, On 5/27/14, 10:03 AM, André Warnier wrote: Mark Thomas wrote: On 27/05/2014 14:05, André Warnier wrote: Mark Thomas wrote: CVE-2014-0099

Re: [OT] [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

Mark Thomas wrote: On 27/05/2014 19:24, Christopher Schultz wrote: André, On 5/27/14, 10:03 AM, André Warnier wrote: Mark Thomas wrote: On 27/05/2014 14:05, André Warnier wrote: Mark Thomas wrote: CVE-2014-0099 Information Disclosure ... Description: The code used to parse the request