You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/01/28 11:57:10 UTC
svn commit: r1439338 - in /tomcat/site/trunk: docs/security-6.html
docs/security-7.html xdocs/security-6.xml xdocs/security-7.xml
Author: markt
Date: Mon Jan 28 10:57:09 2013
New Revision: 1439338
URL: http://svn.apache.org/viewvc?rev=1439338&view=rev
Log:
Add CVE-2012-5568 to the not a vulnerability in Tomcat section.
Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1439338&r1=1439337&r2=1439338&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Jan 28 10:57:09 2013
@@ -1791,6 +1791,33 @@
<p>
+<strong>Low: Denial Of Service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568" rel="nofollow">CVE-2012-5568</a>
+</p>
+
+
+<p>Sending an HTTP request 1 byte at a time will consume a thread from the
+ connection pool until the request has been fully processed if using the
+ BIO or APR/native HTTP connectors. Multiple requests may be used to
+ consume all threads in the connection pool thereby creating a denial of
+ service.</p>
+
+
+<p>Since the relationship between the client side resources and server side
+ resources is a linear one, this issue is not something that the Tomcat
+ Security Team views as a vulnerability. This is a generic DoS problem and
+ there is no magic solution. This issue has been discussed several times
+ on the Tomcat mailing lists. The best place to start to review these
+ discussions is the report for
+ <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
+ 54236</a>.</p>
+
+
+<p>This was first discussed on the public Tomcat users mailing list on 19
+ June 2009.</p>
+
+
+<p>
<strong>Important: Remote Denial Of Service</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a>
</p>
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1439338&r1=1439337&r2=1439338&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Jan 28 10:57:09 2013
@@ -1395,6 +1395,36 @@
<p>
+<strong>Low: Denial Of Service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568" rel="nofollow">CVE-2012-5568</a>
+</p>
+
+
+<p>Sending an HTTP request 1 byte at a time will consume a thread from the
+ connection pool until the request has been fully processed if using the
+ BIO or APR/native HTTP connectors. Multiple requests may be used to
+ consume all threads in the connection pool thereby creating a denial of
+ service.</p>
+
+
+<p>Since the relationship between the client side resources and server side
+ resources is a linear one, this issue is not something that the Tomcat
+ Security Team views as a vulnerability. This is a generic DoS problem and
+ there is no magic solution. This issue has been discussed several times
+ on the Tomcat mailing lists. The best place to start to review these
+ discussions is the report for
+ <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
+ 54236</a>.</p>
+
+
+<p>This was first discussed on the public Tomcat users mailing list on 19
+ June 2009.</p>
+
+
+<p>Affects: 7.0.0-7.0.x</p>
+
+
+<p>
<strong>Important: Remote Denial Of Service</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a>
</p>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1439338&r1=1439337&r2=1439338&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Jan 28 10:57:09 2013
@@ -909,6 +909,27 @@
<section name="Not a vulnerability in Tomcat">
+ <p><strong>Low: Denial Of Service</strong>
+ <cve>CVE-2012-5568</cve></p>
+
+ <p>Sending an HTTP request 1 byte at a time will consume a thread from the
+ connection pool until the request has been fully processed if using the
+ BIO or APR/native HTTP connectors. Multiple requests may be used to
+ consume all threads in the connection pool thereby creating a denial of
+ service.</p>
+
+ <p>Since the relationship between the client side resources and server side
+ resources is a linear one, this issue is not something that the Tomcat
+ Security Team views as a vulnerability. This is a generic DoS problem and
+ there is no magic solution. This issue has been discussed several times
+ on the Tomcat mailing lists. The best place to start to review these
+ discussions is the report for
+ <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
+ 54236</a>.</p>
+
+ <p>This was first discussed on the public Tomcat users mailing list on 19
+ June 2009.</p>
+
<p><strong>Important: Remote Denial Of Service</strong>
<cve>CVE-2010-4476</cve></p>
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1439338&r1=1439337&r2=1439338&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Jan 28 10:57:09 2013
@@ -634,6 +634,29 @@
<section name="Not a vulnerability in Tomcat">
+ <p><strong>Low: Denial Of Service</strong>
+ <cve>CVE-2012-5568</cve></p>
+
+ <p>Sending an HTTP request 1 byte at a time will consume a thread from the
+ connection pool until the request has been fully processed if using the
+ BIO or APR/native HTTP connectors. Multiple requests may be used to
+ consume all threads in the connection pool thereby creating a denial of
+ service.</p>
+
+ <p>Since the relationship between the client side resources and server side
+ resources is a linear one, this issue is not something that the Tomcat
+ Security Team views as a vulnerability. This is a generic DoS problem and
+ there is no magic solution. This issue has been discussed several times
+ on the Tomcat mailing lists. The best place to start to review these
+ discussions is the report for
+ <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
+ 54236</a>.</p>
+
+ <p>This was first discussed on the public Tomcat users mailing list on 19
+ June 2009.</p>
+
+ <p>Affects: 7.0.0-7.0.x</p>
+
<p><strong>Important: Remote Denial Of Service</strong>
<cve>CVE-2010-4476</cve></p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org