Date: Tue, 22 Nov 2016 09:58:12 +0000 From: Mark Thomas <markt@...che.org> To: oss-security@...ts.openwall.com Subject: [SECURITY] CVE-2016-6817 Apache Tomcat Denial of Service CVE-2016-6817 Apache Tomcat Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M11 Apache Tomcat 8.5.0 to 8.5.6 Earlier versions are not affected. Description The HTTP/2 header parser entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible. Mitigation Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 9.0.0.M13 or later (Apache Tomcat 9.0.0.M12 has the fix but was not released) - Upgrade to Apache Tomcat 8.5.8 or later (Apache Tomcat 8.5.7 has the fix but was not released) Credit: This issue was reported as a bug and the security implications identified by the Apache Tomcat Security Team. References:  http://tomcat.apache.org/security-9.html  http://tomcat.apache.org/security-8.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.