You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/01/28 11:57:10 UTC

svn commit: r1439338 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html xdocs/security-6.xml xdocs/security-7.xml

Author: markt
Date: Mon Jan 28 10:57:09 2013
New Revision: 1439338

URL: http://svn.apache.org/viewvc?rev=1439338&view=rev
Log:
Add CVE-2012-5568 to the not a vulnerability in Tomcat section.

Modified:
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-6.xml
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1439338&r1=1439337&r2=1439338&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Jan 28 10:57:09 2013
@@ -1791,6 +1791,33 @@
 
     
 <p>
+<strong>Low: Denial Of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568" rel="nofollow">CVE-2012-5568</a>
+</p>
+
+    
+<p>Sending an HTTP request 1 byte at a time will consume a thread from the
+       connection pool until the request has been fully processed if using the
+       BIO or APR/native HTTP connectors. Multiple requests may be used to
+       consume all threads in the connection pool thereby creating a denial of
+       service.</p>
+
+    
+<p>Since the relationship between the client side resources and server side
+       resources is a linear one, this issue is not something that the Tomcat
+       Security Team views as a vulnerability. This is a generic DoS problem and
+       there is no magic solution. This issue has been discussed several times
+       on the Tomcat mailing lists. The best place to start to review these
+       discussions is the report for
+       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
+       54236</a>.</p>
+
+    
+<p>This was first discussed on the public Tomcat users mailing list on 19
+       June 2009.</p>
+
+    
+<p>
 <strong>Important: Remote Denial Of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a>
 </p>

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1439338&r1=1439337&r2=1439338&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Jan 28 10:57:09 2013
@@ -1395,6 +1395,36 @@
   
     
 <p>
+<strong>Low: Denial Of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568" rel="nofollow">CVE-2012-5568</a>
+</p>
+
+    
+<p>Sending an HTTP request 1 byte at a time will consume a thread from the
+       connection pool until the request has been fully processed if using the
+       BIO or APR/native HTTP connectors. Multiple requests may be used to
+       consume all threads in the connection pool thereby creating a denial of
+       service.</p>
+
+    
+<p>Since the relationship between the client side resources and server side
+       resources is a linear one, this issue is not something that the Tomcat
+       Security Team views as a vulnerability. This is a generic DoS problem and
+       there is no magic solution. This issue has been discussed several times
+       on the Tomcat mailing lists. The best place to start to review these
+       discussions is the report for
+       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
+       54236</a>.</p>
+
+    
+<p>This was first discussed on the public Tomcat users mailing list on 19
+       June 2009.</p>
+
+    
+<p>Affects: 7.0.0-7.0.x</p>
+
+    
+<p>
 <strong>Important: Remote Denial Of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a>
 </p>

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1439338&r1=1439337&r2=1439338&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Jan 28 10:57:09 2013
@@ -909,6 +909,27 @@
 
   <section name="Not a vulnerability in Tomcat">
 
+    <p><strong>Low: Denial Of Service</strong>
+       <cve>CVE-2012-5568</cve></p>
+
+    <p>Sending an HTTP request 1 byte at a time will consume a thread from the
+       connection pool until the request has been fully processed if using the
+       BIO or APR/native HTTP connectors. Multiple requests may be used to
+       consume all threads in the connection pool thereby creating a denial of
+       service.</p>
+
+    <p>Since the relationship between the client side resources and server side
+       resources is a linear one, this issue is not something that the Tomcat
+       Security Team views as a vulnerability. This is a generic DoS problem and
+       there is no magic solution. This issue has been discussed several times
+       on the Tomcat mailing lists. The best place to start to review these
+       discussions is the report for
+       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
+       54236</a>.</p>
+
+    <p>This was first discussed on the public Tomcat users mailing list on 19
+       June 2009.</p>
+
     <p><strong>Important: Remote Denial Of Service</strong>
        <cve>CVE-2010-4476</cve></p>
 

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1439338&r1=1439337&r2=1439338&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Jan 28 10:57:09 2013
@@ -634,6 +634,29 @@
 
   <section name="Not a vulnerability in Tomcat">
   
+    <p><strong>Low: Denial Of Service</strong>
+       <cve>CVE-2012-5568</cve></p>
+
+    <p>Sending an HTTP request 1 byte at a time will consume a thread from the
+       connection pool until the request has been fully processed if using the
+       BIO or APR/native HTTP connectors. Multiple requests may be used to
+       consume all threads in the connection pool thereby creating a denial of
+       service.</p>
+
+    <p>Since the relationship between the client side resources and server side
+       resources is a linear one, this issue is not something that the Tomcat
+       Security Team views as a vulnerability. This is a generic DoS problem and
+       there is no magic solution. This issue has been discussed several times
+       on the Tomcat mailing lists. The best place to start to review these
+       discussions is the report for
+       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
+       54236</a>.</p>
+
+    <p>This was first discussed on the public Tomcat users mailing list on 19
+       June 2009.</p>
+
+    <p>Affects: 7.0.0-7.0.x</p>
+
     <p><strong>Important: Remote Denial Of Service</strong>
        <cve>CVE-2010-4476</cve></p>
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org