Brandon,

On 6/12/13 11:33 AM, Brandon McCombs wrote:
> I don't know if this is the correct list but it seems to be the
> best one.
>
> I'm trying to find evidence of whether tomcat 6.0.35 is vulnerable
> (and if so, was it fixed and in which version?) to the issue
> identified in CVE-2007-6750?

Note that, officially, CVE-2007-6750 is against Apache httpd, and no other product. Technically, CVE-2007-6750 cannot be applied to Tomcat.

On the other hand, the technique used for a DOS (Slowloris) can definitely be used to DOS Tomcat under certain configurations. Technically, this is tracked via a separate CVE issue:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568

(which you should have found from RedHat's Bugzilla entry).

To (partially) mitigate Slowloris, use the NIO connector with an appropriate connectionTimeout configured.

> "The Apache HTTP Server 1.x and 2.x allows remote attackers to
> cause a denial of service (daemon outage) via partial HTTP
> requests, as demonstrated by Slowloris, related to the lack of the
> mod_reqtimeout module in versions before 2.2.15."
>
> I found a single statement on
> https://bugzilla.redhat.com/show_bug.cgi?id=880011 that says
> Tomcat is affected but I haven't found any published fix from RH or
> any confirmation on the tomcat.apache.org website.

http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat

You are looking for CVE-2012-5568.
-chris
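The mitigation Chris recommends, shown as an added example that is not part of the original message: a Tomcat 6 server.xml HTTP connector as it ships (blocking connector) next to the same connector switched to NIO with connectionTimeout set. The port, thread-pool and timeout values are assumptions for illustration, not values from the thread.

```xml
<!-- Added illustration, not from the mailing-list message.
     Port, maxThreads, acceptCount and timeout values are assumed. -->

<!-- Before: blocking (BIO) connector. A worker thread is tied to each
     accepted connection while it waits for request bytes, so a modest
     number of clients that send partial requests very slowly can hold
     the whole pool until connectionTimeout expires for each of them. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxThreads="200"
           redirectPort="8443" />

<!-- After: NIO connector. A poller thread watches idle sockets, so a
     stalled connection does not occupy a worker thread while it waits;
     connectionTimeout (milliseconds) bounds how long a client may pause
     before the connection is dropped. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           maxThreads="200"
           acceptCount="100"
           redirectPort="8443" />
```

As the message says, this is a partial mitigation: a shorter connectionTimeout shrinks the window each stalled connection is allowed, and NIO keeps worker threads free for connections that actually deliver requests, but the poller and the operating system's socket limits are still finite. Restart Tomcat after editing server.xml and confirm in catalina.out that the Http11NioProtocol connector started on the expected port.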