CVE-2014-0230

Name	CVE-2014-0230
Description	Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-232-1, DSA-3530-1
Debian Bugs	785316

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
tomcat6	source	squeeze	6.0.41-2+squeeze7	DLA-232-1
tomcat6	source	wheezy	6.0.45+dfsg-1~deb7u1	DSA-3530-1
tomcat6	source	(unstable)	6.0.41-3		785316
tomcat7	source	wheezy	7.0.28-4+deb7u3
tomcat7	source	(unstable)	7.0.55-1
tomcat8	source	(unstable)	8.0.9-1

Notes

tomcat6 in jessie only builds the servlet API classes
https://svn.apache.org/viewvc?view=revision&revision=1603781 (7.x)
https://svn.apache.org/viewvc?view=revision&revision=1659537 (6.x)