CVE-2010-2227: DoS and information disclosure

Debian Bug report logs - #588813
Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 12 Jul 2010 15:24:01 UTC

Severity: grave

Tags: security

Found in version tomcat6/6.0.18-1

Fixed in version tomcat6/6.0.28-1

Done: Torsten Werner <twerner@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#588813; Package tomcat6. (Mon, 12 Jul 2010 15:24:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 12 Jul 2010 15:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-2227: DoS and information disclosure
Date: Mon, 12 Jul 2010 17:21:42 +0200
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole

Please see
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28

Important: Remote Denial Of Service and Information Disclosure Vulnerability (CVE-2010-2227)

Several flaws in the handling of the 'Transfer-Encoding' header were
found that prevented the recycling of a buffer. A remote attacker
could trigger this flaw which would cause subsequent requests to fail
and/or information to leak between requests. This flaw is mitigated if
Tomcat is behind a reverse proxy (such as Apache httpd 2.2) as the
proxy should reject the invalid transfer encoding header.

This was fixed in revision 958977.

Cheers,
        Moritz

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
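The advisory's mitigation is a reverse proxy that refuses malformed Transfer-Encoding headers before they reach Tomcat. The following validator is an added illustration of that check, not code from the bug report, Tomcat or Debian: it applies the RFC 7230 rules for transfer-codings in requests (known codings only, chunked at most once and last) and, going slightly beyond the page, also refuses requests that carry both Transfer-Encoding and Content-Length, since their framing is ambiguous. The allow-list of codings and all request samples are constructed assumptions.

```python
"""Strict Transfer-Encoding checks of the kind a reverse proxy in front of
Tomcat would apply (added example; not Tomcat's own header parser)."""
from typing import List, Optional, Tuple

# Constructed allow-list: a real proxy should list only what it implements.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}


def check_transfer_encoding(value: str) -> Optional[str]:
    """Return None if the header value is acceptable, else a rejection reason."""
    codings = [c.strip() for c in value.split(",")]
    if any(c == "" for c in codings):
        return "empty transfer-coding in list"
    # RFC 7230 3.3.1: the coding name is a case-insensitive token;
    # optional parameters may follow after ';'
    names = [c.split(";", 1)[0].strip().lower() for c in codings]
    unknown = [n for n in names if n not in KNOWN_CODINGS]
    if unknown:
        # A proxy answers such requests with 501 Not Implemented
        return "unsupported transfer-coding: " + ", ".join(unknown)
    if names.count("chunked") > 1:
        return "chunked listed more than once"
    if "chunked" in names and names[-1] != "chunked":
        # RFC 7230 3.3.3: chunked must be the final transfer-coding
        return "chunked must be the final transfer-coding"
    return None


def proxy_decision(headers: List[Tuple[str, str]]) -> Tuple[int, str]:
    """Decide whether to forward a request. Returns (0, 'forward') to pass it
    on unchanged, otherwise (HTTP status to answer with, reason)."""
    te = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl = [v for k, v in headers if k.lower() == "content-length"]
    if len(te) > 1:
        return 400, "duplicate Transfer-Encoding header"
    if te and cl:
        # Two framing mechanisms at once: refuse rather than guess which applies
        return 400, "Transfer-Encoding together with Content-Length"
    if te:
        problem = check_transfer_encoding(te[0])
        if problem is not None:
            status = 501 if problem.startswith("unsupported") else 400
            return status, problem
    return 0, "forward"


if __name__ == "__main__":
    # Constructed sample request header sets
    for sample in ([("Host", "app"), ("Transfer-Encoding", "chunked")],
                   [("Host", "app"), ("Transfer-Encoding", "chunked, gzip")],
                   [("Host", "app"), ("Transfer-Encoding", "chunked"),
                    ("Content-Length", "5")]):
        print(sample, "->", proxy_decision(sample))
```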




Reply sent to Torsten Werner <twerner@debian.org>:
You have taken responsibility. (Mon, 19 Jul 2010 16:51:10 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 19 Jul 2010 16:51:10 GMT)


Message #10 received at 588813-close@bugs.debian.org:

From: Torsten Werner <twerner@debian.org>
To: 588813-close@bugs.debian.org
Subject: Bug#588813: fixed in tomcat6 6.0.28-1
Date: Mon, 19 Jul 2010 16:47:16 +0000
Source: tomcat6
Source-Version: 6.0.28-1

We believe that the bug you reported is fixed in the latest version of
tomcat6, which is due to be installed in the Debian FTP archive:

libservlet2.5-java-doc_6.0.28-1_all.deb
  to main/t/tomcat6/libservlet2.5-java-doc_6.0.28-1_all.deb
libservlet2.5-java_6.0.28-1_all.deb
  to main/t/tomcat6/libservlet2.5-java_6.0.28-1_all.deb
libtomcat6-java_6.0.28-1_all.deb
  to main/t/tomcat6/libtomcat6-java_6.0.28-1_all.deb
tomcat6-admin_6.0.28-1_all.deb
  to main/t/tomcat6/tomcat6-admin_6.0.28-1_all.deb
tomcat6-common_6.0.28-1_all.deb
  to main/t/tomcat6/tomcat6-common_6.0.28-1_all.deb
tomcat6-docs_6.0.28-1_all.deb
  to main/t/tomcat6/tomcat6-docs_6.0.28-1_all.deb
tomcat6-examples_6.0.28-1_all.deb
  to main/t/tomcat6/tomcat6-examples_6.0.28-1_all.deb
tomcat6-user_6.0.28-1_all.deb
  to main/t/tomcat6/tomcat6-user_6.0.28-1_all.deb
tomcat6_6.0.28-1.debian.tar.gz
  to main/t/tomcat6/tomcat6_6.0.28-1.debian.tar.gz
tomcat6_6.0.28-1.dsc
  to main/t/tomcat6/tomcat6_6.0.28-1.dsc
tomcat6_6.0.28-1_all.deb
  to main/t/tomcat6/tomcat6_6.0.28-1_all.deb
tomcat6_6.0.28.orig.tar.gz
  to main/t/tomcat6/tomcat6_6.0.28.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 588813@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Torsten Werner <twerner@debian.org> (supplier of updated tomcat6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 19 Jul 2010 18:22:52 +0200
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs
Architecture: source all
Version: 6.0.28-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Torsten Werner <twerner@debian.org>
Description: 
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
 libtomcat6-java - Servlet and JSP engine -- core libraries
 tomcat6    - Servlet and JSP engine
 tomcat6-admin - Servlet and JSP engine -- admin web applications
 tomcat6-common - Servlet and JSP engine -- common files
 tomcat6-docs - Servlet and JSP engine -- documentation
 tomcat6-examples - Servlet and JSP engine -- example web applications
 tomcat6-user - Servlet and JSP engine -- tools to create user instances
Closes: 588813
Changes: 
 tomcat6 (6.0.28-1) unstable; urgency=low
 .
   [ Niels Thykier ]
   * Removed depends on JREs for the library packages. It is no longer
     required by the policy.
 .
   [ Torsten Werner ]
   * New upstream release (Closes: #588813)
     - Fixes CVE-2010-2227: DoS and information disclosure
   * Remove 2 patches that were backports to 6.0.26.






Bug Marked as found in versions tomcat6/6.0.18-1. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Wed, 04 Aug 2010 00:51:02 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Sep 2010 07:31:23 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:02:10 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.