Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/03/01 13:48:40 UTC

svn commit: r1784933 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html xdocs/security-7.xml xdocs/security-8.xml

Author: markt
Date: Wed Mar  1 13:48:39 2017
New Revision: 1784933

URL: http://svn.apache.org/viewvc?rev=1784933&view=rev
Log:
Add info on CVE-2017-6056 to the not a vulnerability in Tomcat section

Modified:
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/docs/security-8.html
    tomcat/site/trunk/xdocs/security-7.xml
    tomcat/site/trunk/xdocs/security-8.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1784933&r1=1784932&r2=1784933&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed Mar  1 13:48:39 2017
@@ -2250,6 +2250,46 @@
   
     
 <p>
+<strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6056" rel="nofollow">CVE-2017-6056</a>
+</p>
+
+    
+<p>In February 2015 a single user reported high CPU usage (<a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>)
+       which was traced to a tight loop. However, it was not clear how the
+       conditions necessary to enter the loop were being created. There was no
+       evidence that indicated that the loop was user triggerable. The only
+       potential paths identified by code inspection depended on application
+       bugs (retaining references to request objects and accessing after the
+       request had completed).</p>
+
+    
+<p>It was (and still is) believed that an application bug was the most
+       likely root cause. Therefore, <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a> was not treated as a DoS
+       vulnerability.</p>
+
+    
+<p>In November 2016, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> was announced. When downstream
+       distributions, notably Debian, back-ported the fix for
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> they inadvertently make it trivial for users to
+       trigger the tight loop from <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>. This made a DoS attack
+       trivial to mount and resulted in multiple reports of problems including
+       <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=60578">60578</a> and <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=60581">60581</a>.</p>
+
+    
+<p>Tomcat releases from the Apache Software Foundation were not affected as
+       the ASF did not release any versions that contained the fix for
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> but not the fix for <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>.</p>
+
+    
+<p>This issue was first announced on 13 February 2017.</p>
+
+    
+<p>Affects: Debian, Ubuntu and potentially other downstream
+       distributions.</p>
+    
+    
+<p>
 <strong>Low: Denial Of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568" rel="nofollow">CVE-2012-5568</a>
 </p>
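Review bot: "they inadvertently make it trivial for users to trigger the tight loop" in the CVE-2016-6816 paragraph mixes present tense into an otherwise past-tense account; it should read "they inadvertently made it trivial". Because docs/security-7.html is the generated output of xdocs/security-7.xml, fix the wording in the xdoc and regenerate rather than hand-editing here, otherwise the two files drift apart. The two whitespace-only added lines immediately before the `<strong>Low: Denial Of Service</strong>` context can be dropped as well.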

Modified: tomcat/site/trunk/docs/security-8.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1784933&r1=1784932&r2=1784933&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Wed Mar  1 13:48:39 2017
@@ -1378,6 +1378,46 @@
 
     
 <p>
+<strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6056" rel="nofollow">CVE-2017-6056</a>
+</p>
+
+    
+<p>In February 2015 a single user reported high CPU usage (<a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>)
+       which was traced to a tight loop. However, it was not clear how the
+       conditions necessary to enter the loop were being created. There was no
+       evidence that indicated that the loop was user triggerable. The only
+       potential paths identified by code inspection depended on application
+       bugs (retaining references to request objects and accessing after the
+       request had completed).</p>
+
+    
+<p>It was (and still is) believed that an application bug was the most
+       likely root cause. Therefore, <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a> was not treated as a DoS
+       vulnerability.</p>
+
+    
+<p>In November 2016, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> was announced. When downstream
+       distributions, notably Debian, back-ported the fix for
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> they inadvertently make it trivial for users to
+       trigger the tight loop from <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>. This made a DoS attack
+       trivial to mount and resulted in multiple reports of problems including
+       <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=60578">60578</a> and <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=60581">60581</a>.</p>
+
+    
+<p>Tomcat releases from the Apache Software Foundation were not affected as
+       the ASF did not release any versions that contained the fix for
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" rel="nofollow">CVE-2016-6816</a> but not the fix for <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=57544">57544</a>.</p>
+
+    
+<p>This issue was first announced on 13 February 2017.</p>
+
+    
+<p>Affects: Debian, Ubuntu and potentially other downstream
+       distributions.</p>
+    
+    
+<p>
 <strong>Important: Remote Memory Read</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160" rel="nofollow">CVE-2014-0160</a> (a.k.a. "Heartbleed")</p>
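Review bot: the whitespace-only `+    ` lines just before the `<strong>Important: Remote Memory Read</strong>` context add trailing whitespace to the generated page; the other entries in this section are separated by a single blank line. The same "make"/"made" tense slip noted for security-7.html is present here; since this file is generated from xdocs/security-8.xml, correct it there and regenerate so both security pages carry identical wording.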
 

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1784933&r1=1784932&r2=1784933&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed Mar  1 13:48:39 2017
@@ -1371,6 +1371,37 @@
 
   <section name="Not a vulnerability in Tomcat">
   
+    <p><strong>Important: Denial of Service</strong>
+       <cve>CVE-2017-6056</cve></p>
+
+    <p>In February 2015 a single user reported high CPU usage (<bug>57544</bug>)
+       which was traced to a tight loop. However, it was not clear how the
+       conditions necessary to enter the loop were being created. There was no
+       evidence that indicated that the loop was user triggerable. The only
+       potential paths identified by code inspection depended on application
+       bugs (retaining references to request objects and accessing after the
+       request had completed).</p>
+
+    <p>It was (and still is) believed that an application bug was the most
+       likely root cause. Therefore, <bug>57544</bug> was not treated as a DoS
+       vulnerability.</p>
+
+    <p>In November 2016, <cve>CVE-2016-6816</cve> was announced. When downstream
+       distributions, notably Debian, back-ported the fix for
+       <cve>CVE-2016-6816</cve> they inadvertently make it trivial for users to
+       trigger the tight loop from <bug>57544</bug>. This made a DoS attack
+       trivial to mount and resulted in multiple reports of problems including
+       <bug>60578</bug> and <bug>60581</bug>.</p>
+
+    <p>Tomcat releases from the Apache Software Foundation were not affected as
+       the ASF did not release any versions that contained the fix for
+       <cve>CVE-2016-6816</cve> but not the fix for <bug>57544</bug>.</p>
+
+    <p>This issue was first announced on 13 February 2017.</p>
+
+    <p>Affects: Debian, Ubuntu and potentially other downstream
+       distributions.</p>
+    
     <p><strong>Low: Denial Of Service</strong>
        <cve>CVE-2012-5568</cve></p>
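Review bot: the entry never states the remediation for affected downstream packages. The "Tomcat releases from the Apache Software Foundation were not affected" paragraph only implies it, so consider adding one sentence saying that any back-port of the CVE-2016-6816 fix must also carry the fix for <bug>57544</bug>, and consider naming the first ASF release that contains both so distribution maintainers know what to pick up. The "Affects:" paragraph would also benefit from links to the corresponding distribution advisories, if any were published. Finally, "they inadvertently make it trivial" should be "made", and the `+    ` whitespace-only line at the end of the hunk is trailing whitespace.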
 

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1784933&r1=1784932&r2=1784933&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Wed Mar  1 13:48:39 2017
@@ -799,6 +799,37 @@
 
   <section name="Not a vulnerability in Tomcat">
 
+    <p><strong>Important: Denial of Service</strong>
+       <cve>CVE-2017-6056</cve></p>
+
+    <p>In February 2015 a single user reported high CPU usage (<bug>57544</bug>)
+       which was traced to a tight loop. However, it was not clear how the
+       conditions necessary to enter the loop were being created. There was no
+       evidence that indicated that the loop was user triggerable. The only
+       potential paths identified by code inspection depended on application
+       bugs (retaining references to request objects and accessing after the
+       request had completed).</p>
+
+    <p>It was (and still is) believed that an application bug was the most
+       likely root cause. Therefore, <bug>57544</bug> was not treated as a DoS
+       vulnerability.</p>
+
+    <p>In November 2016, <cve>CVE-2016-6816</cve> was announced. When downstream
+       distributions, notably Debian, back-ported the fix for
+       <cve>CVE-2016-6816</cve> they inadvertently make it trivial for users to
+       trigger the tight loop from <bug>57544</bug>. This made a DoS attack
+       trivial to mount and resulted in multiple reports of problems including
+       <bug>60578</bug> and <bug>60581</bug>.</p>
+
+    <p>Tomcat releases from the Apache Software Foundation were not affected as
+       the ASF did not release any versions that contained the fix for
+       <cve>CVE-2016-6816</cve> but not the fix for <bug>57544</bug>.</p>
+
+    <p>This issue was first announced on 13 February 2017.</p>
+
+    <p>Affects: Debian, Ubuntu and potentially other downstream
+       distributions.</p>
+    
     <p><strong>Important: Remote Memory Read</strong>
        <cve>CVE-2014-0160</cve> (a.k.a. "Heartbleed")</p>
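Review bot: "It was (and still is) believed that an application bug was the most likely root cause" will go stale as soon as the page is next edited; since the entry already records the 13 February 2017 announcement date, anchoring the statement to that date ("As of the announcement on 13 February 2017, an application bug is still believed to be the most likely root cause") keeps it accurate. Otherwise this block duplicates security-7.xml verbatim, so whatever wording and whitespace fixes are applied there (the "make"/"made" tense and the trailing `+    ` line) need to be mirrored here.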
 


