Posted to dev@tomcat.apache.org by kk...@apache.org on 2015/05/10 18:49:07 UTC

svn commit: r1678578 - /tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Author: kkolinko
Date: Sun May 10 16:49:07 2015
New Revision: 1678578

URL: http://svn.apache.org/r1678578
Log:
Correct changelog entry for r1659537 / CVE-2014-0230

1) This is the first commit that introduced the "maxSwallowSize" feature in Tomcat 6.
In Tomcat 7 this feature was implemented in a series of commits gradually improving the feature,
thus a confusion from mentioning only the last one of those changes.

2) To simplify the patch, in Tomcat 6 this feature is configured via a system property instead
of a Connector attribute.

3) Mention CVE number.

Modified:
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1678578&r1=1678577&r2=1678578&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun May 10 16:49:07 2015
@@ -79,9 +79,16 @@
         filterInsecureProtocols method. (kkolinko/schultz)
       </fix>
       <fix>
-        When applying the <code>maxSwallowSize</code> limit to a connection read
-        that many bytes first before closing the connection to give the client a
-        chance to read the response. (markt)
+        CVE-2014-0230: Add a new system property
+        <code>org.apache.coyote.MAX_SWALLOW_SIZE</code> (defaults to 2MB)
+        that limits amount of data Tomcat will swallow if request body
+        has not been fully read during normal request processing, e.g.
+        for an aborted upload. (Note: in Tomcat 7 and later this feature is
+        configured by <code>maxSwallowSize</code> attribute on a connector).
+        When applying the limit to a connection try to read that many bytes
+        first before closing the connection to give the client a chance to
+        read the response.
+        (markt)
       </fix>
       <fix>
         <bug>57544</bug>: Fix a potential infinite loop when preparing a kept
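Review bot: The added entry's "(defaults to 2MB)" gives the default but not the unit in which a value for org.apache.coyote.MAX_SWALLOW_SIZE must be written, nor whether any value switches the limit off. Someone setting this system property in response to CVE-2014-0230 cannot tell from the changelog what to put on the command line. Suggest stating the unit and the "no limit" value here, or pointing to the page where the property is documented. The entry also does not name the revision that introduced the feature, although the commit log says this corrects the entry for r1659537. Two wording nits in the same block: "that limits amount of data" should read "that limits the amount of data", and "configured by <code>maxSwallowSize</code> attribute" should read "configured by the <code>maxSwallowSize</code> attribute".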


