CVE-2014-0230

NameCVE-2014-0230
DescriptionApache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-232-1, DSA-3530-1
NVD severityhigh
Debian Bugs785316

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat7 (PTS)stretch7.0.75-1fixed
tomcat8 (PTS)stretch8.5.54-0+deb9u1fixed
stretch (security)8.5.54-0+deb9u4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6sourcesqueeze6.0.41-2+squeeze7DLA-232-1
tomcat6sourcewheezy6.0.45+dfsg-1~deb7u1DSA-3530-1
tomcat6source(unstable)6.0.41-3785316
tomcat7sourcewheezy7.0.28-4+deb7u3
tomcat7source(unstable)7.0.55-1
tomcat8source(unstable)8.0.9-1

Notes

tomcat6 in jessie only builds the servlet API classes
https://svn.apache.org/viewvc?view=revision&revision=1603781 (7.x)
https://svn.apache.org/viewvc?view=revision&revision=1659537 (6.x)

Search for package or bug name: Reporting problems