CVE-2014-0230

NameCVE-2014-0230
DescriptionApache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-232-1, DSA-3530-1
NVD severityhigh (attack range: remote)
Debian Bugs785316

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)wheezy6.0.45+dfsg-1~deb7u1fixed
wheezy (security)6.0.45+dfsg-1~deb7u5fixed
jessie (security), jessie6.0.45+dfsg-1~deb8u1fixed
tomcat7 (PTS)wheezy7.0.28-4+deb7u4fixed
wheezy (security)7.0.28-4+deb7u17fixed
jessie (security), jessie7.0.56-3+deb8u11fixed
stretch7.0.75-1fixed
buster, sid7.0.78-1fixed
tomcat8 (PTS)jessie (security), jessie8.0.14-1+deb8u11fixed
stretch (security), stretch8.5.14-1+deb9u2fixed
buster8.5.24-1fixed
sid8.5.24-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6source(unstable)6.0.41-3high785316
tomcat6sourcesqueeze6.0.41-2+squeeze7highDLA-232-1
tomcat6sourcewheezy6.0.45+dfsg-1~deb7u1highDSA-3530-1
tomcat7source(unstable)7.0.55-1high
tomcat7sourcewheezy7.0.28-4+deb7u3high
tomcat8source(unstable)8.0.9-1high

Notes

tomcat6 in jessie only builds the servlet API classes
https://svn.apache.org/viewvc?view=revision&revision=1603781 (7.x)
https://svn.apache.org/viewvc?view=revision&revision=1659537 (6.x)

Search for package or bug name: Reporting problems