CVE-2014-0230

NameCVE-2014-0230
DescriptionApache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-232-1, DSA-3530-1
Debian Bugs785316

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)jessie, jessie (lts)6.0.45+dfsg-1~deb8u1fixed
tomcat7 (PTS)jessie, jessie (lts)7.0.56-3+really7.0.109-1+deb8u6fixed
stretch7.0.75-1fixed
tomcat8 (PTS)jessie, jessie (lts)8.0.14-1+deb8u28fixed
stretch (security)8.5.54-0+deb9u8fixed
stretch (lts), stretch8.5.54-0+deb9u15fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6sourcesqueeze6.0.41-2+squeeze7DLA-232-1
tomcat6sourcewheezy6.0.45+dfsg-1~deb7u1DSA-3530-1
tomcat6source(unstable)6.0.41-3785316
tomcat7sourcewheezy7.0.28-4+deb7u3
tomcat7source(unstable)7.0.55-1
tomcat8source(unstable)8.0.9-1

Notes

tomcat6 in jessie only builds the servlet API classes
https://svn.apache.org/viewvc?view=revision&revision=1603781 (7.x)
https://svn.apache.org/viewvc?view=revision&revision=1659537 (6.x)

Search for package or bug name: Reporting problems