CVE-2017-6056

NameCVE-2017-6056
DescriptionIt was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-823-1, DSA-3787-1, DSA-3788-1
Debian Bugs851304, 854551

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat7sourcewheezy7.0.28-4+deb7u10DLA-823-1
tomcat7sourcejessie7.0.56-3+deb8u8DSA-3787-1
tomcat7source(unstable)7.0.72-3854551
tomcat8sourcejessie8.0.14-1+deb8u7DSA-3788-1
tomcat8source(unstable)8.0.21-2851304

Notes

Since 7.0.72-3, src:tomcat7 only builds the Servlet API
https://bz.apache.org/bugzilla/show_bug.cgi?id=57544
Search for package or bug name: Reporting problems