CVE-2017-6056

Name: CVE-2017-6056
Description: It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-823-1, DSA-3787-1, DSA-3788-1
NVD severity: medium (attack range: remote)
Debian Bugs: 851304, 854551

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release                     | Version           | Status     |
|----------------|-----------------------------|-------------------|------------|
| tomcat7 (PTS)  | wheezy                      | 7.0.28-4+deb7u4   | vulnerable |
| tomcat7 (PTS)  | wheezy (security)           | 7.0.28-4+deb7u17  | fixed      |
| tomcat7 (PTS)  | jessie (security), jessie   | 7.0.56-3+deb8u11  | fixed      |
| tomcat7 (PTS)  | stretch                     | 7.0.75-1          | fixed      |
| tomcat7 (PTS)  | buster, sid                 | 7.0.78-1          | fixed      |
| tomcat8 (PTS)  | jessie (security), jessie   | 8.0.14-1+deb8u11  | fixed      |
| tomcat8 (PTS)  | stretch (security), stretch | 8.5.14-1+deb9u2   | fixed      |
| tomcat8 (PTS)  | buster                      | 8.5.24-1          | fixed      |
| tomcat8 (PTS)  | sid                         | 8.5.24-2          | fixed      |

The information below is based on the following data on fixed versions.

| Package | Type   | Release    | Fixed Version    | Urgency | Origin     | Debian Bugs |
|---------|--------|------------|------------------|---------|------------|-------------|
| tomcat7 | source | (unstable) | 7.0.72-3         | medium  |            | 854551      |
| tomcat7 | source | jessie     | 7.0.56-3+deb8u8  | medium  | DSA-3787-1 |             |
| tomcat7 | source | wheezy     | 7.0.28-4+deb7u10 | medium  | DLA-823-1  |             |
| tomcat8 | source | (unstable) | 8.0.21-2         | medium  |            | 851304      |
| tomcat8 | source | jessie     | 8.0.14-1+deb8u7  | medium  | DSA-3788-1 |             |

Notes

Since 7.0.72-3, src:tomcat7 only builds the Servlet API.
Upstream bug report for Tomcat bug 57544: https://bz.apache.org/bugzilla/show_bug.cgi?id=57544
