|Description||Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
|Debian Bugs||532363, 532366|
Vulnerable and fixed packages
The table below lists information on source packages.
|tomcat6 (PTS)||wheezy, wheezy (security)||6.0.45+dfsg-1~deb7u1||fixed|
|jessie, jessie (security)||6.0.45+dfsg-1~deb8u1||fixed|
The information below is based on the following data on fixed versions.
[lenny] - tomcat6 <not-affected> (Only ships the servlet package)