Debian Security Advisory

DSA-395-1 tomcat4 -- incorrect input handling

Date Reported:
15 Oct 2003
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 8824.
In Mitre's CVE dictionary: CVE-2003-0866.
More information:

Aldrin Martoq has discovered a denial of service (DoS) vulnerability in Apache Tomcat 4.0.x. Sending several non-HTTP requests to Tomcat's HTTP connector makes Tomcat reject further requests on this port until it is restarted.

For the current stable distribution (woody) this problem has been fixed in version 4.0.3-3woody3.

For the unstable distribution (sid) this problem does not exist in the current version 4.1.24-2.

We recommend that you upgrade your tomcat4 packages and restart the tomcat server.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.