Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/09/15 16:56:40 UTC
DO NOT REPLY [Bug 51828] New: Tomcat vulnerable to CVE-2011-3192 denial of service
https://issues.apache.org/bugzilla/show_bug.cgi?id=51828
Bug #: 51828
Summary: Tomcat vulnerable to CVE-2011-3192 denial of service
Product: Tomcat 7
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: robert@cosmicrealms.com
Classification: Unclassified
So according to:
http://serverfault.com/questions/304739/is-tomcat-vulnerable-to-the-apache-dos-vulnerability-in-cve-2011-3192
Tomcat 7 is vulnerable to the denial of service attack detailed in CVE-2011-3192.
I didn't see any other bugs in Bugzilla covering this, so I thought I should
submit one.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51828] Tomcat vulnerable to CVE-2011-3192 denial of service
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51828
William A. Rowe Jr. <wr...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #2 from William A. Rowe Jr. <wr...@apache.org> 2011-09-15 15:52:39 UTC ---
According to that page, Tim Funk answers correctly, quoting him...
"It's not a vulnerability. Read the Default servlet code. It loads the resource
once. It also reads all the range offsets. Then it iterates through all the
offsets serving the content based on the original resource. Which is DIFFERENT
as to how apache httpd did it. So it will not trigger an OOM exception."
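The serving pattern Tim Funk describes in the quote above, as an added Python illustration that is not Tomcat's DefaultServlet code nor any project's code: the whole Range header is parsed up front, the resource is read once, and the response is then produced by iterating over the parsed offsets against that single copy, so memory grows with the size of the output rather than with the number of ranges times the resource. The MAX_RANGES cap, the BOUNDARY string and the sample RESOURCE bytes are constructed for this example and are not Tomcat settings.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample resource standing in for a static file served by a default servlet.
RESOURCE = bytes(range(256)) * 4  # 1024 bytes

# Illustrative cap on the number of ranges honoured per request (an assumption made
# for this example, not a Tomcat configuration value).
MAX_RANGES = 200
BOUNDARY = b"EXAMPLE_BOUNDARY"  # constructed multipart boundary

Range = Tuple[int, int]  # inclusive (first, last) byte offsets


def parse_range_header(value: str, length: int) -> Optional[List[Range]]:
    """Parse a 'bytes=...' Range header against a resource of `length` bytes.

    Returns the list of inclusive (first, last) pairs, or None when the header is
    malformed or a range is unsatisfiable (the caller answers 416)."""
    if not value.startswith("bytes="):
        return None
    ranges: List[Range] = []
    for spec in value[len("bytes="):].split(","):
        m = re.fullmatch(r"\s*(\d*)-(\d*)\s*", spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":  # suffix form "-n": the final n bytes
            n = int(last)
            if n == 0:
                return None
            start, end = max(0, length - n), length - 1
        else:
            start = int(first)
            end = length - 1 if last == "" else min(int(last), length - 1)
        if start >= length or start > end:
            return None
        ranges.append((start, end))
    return ranges


def serve_ranges(resource: bytes, range_header: Optional[str]) -> Tuple[int, bytes]:
    """Build the (status, body) for one GET the way the comment describes:
    one copy of the resource, all ranges parsed first, then one pass over them."""
    if range_header is None:
        return 200, resource
    ranges = parse_range_header(range_header, len(resource))
    if ranges is None:
        return 416, b""
    if len(ranges) > MAX_RANGES:
        # Mitigation: too many ranges, so ignore Range and send the full representation.
        return 200, resource
    if len(ranges) == 1:
        first, last = ranges[0]
        return 206, resource[first:last + 1]
    # multipart/byteranges: each part is a slice of the single resource buffer, so the
    # response costs the requested bytes plus per-part headers and nothing more.
    parts = []
    for first, last in ranges:
        part_header = (
            f"--{BOUNDARY.decode()}\r\n"
            f"Content-Range: bytes {first}-{last}/{len(resource)}\r\n\r\n"
        ).encode()
        parts.append(part_header + resource[first:last + 1] + b"\r\n")
    parts.append(b"--" + BOUNDARY + b"--\r\n")
    return 206, b"".join(parts)


if __name__ == "__main__":
    for hdr in (None, "bytes=0-3", "bytes=0-1,2-3", "bytes=9999-"):
        status, body = serve_ranges(RESOURCE, hdr)
        print(hdr, "->", status, len(body), "bytes")
```

In a real servlet the parts would be written to the output stream as they are produced rather than joined in memory; the point the comment makes is the same either way, since every part is a view of the one loaded resource and the count of ranges is known before any part is emitted.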
DO NOT REPLY [Bug 51828] Tomcat vulnerable to CVE-2011-3192 denial of service
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51828
rkilmon@blackducksoftware.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rkilmon@blackducksoftware.com
DO NOT REPLY [Bug 51828] Tomcat vulnerable to CVE-2011-3192 denial of service
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51828
--- Comment #1 from Tim Funk <fu...@apache.org> 2011-09-15 15:20:26 UTC ---
No ... it's not.
If this were a vulnerability ... please do not use Bugzilla but the security
mailing list.
(I also updated the Stack Overflow entry to correct any FUD.)