
[SECURITY] [DLA 529-1] tomcat7 security update




Package        : tomcat7
Version        : 7.0.28-4+deb7u5
CVE ID         : CVE-2016-3092


A denial of service vulnerability was identified in Commons FileUpload
that occurred when the length of the multipart boundary was just below
the size of the buffer (4096 bytes) used to read the uploaded file.
This caused the file upload process to take several orders of magnitude
longer than it would with a boundary of the typical few tens of bytes.

Apache Tomcat uses a package-renamed copy of Apache Commons FileUpload
to implement the file upload requirements of the Servlet specification
and was therefore also vulnerable to this denial of service.
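The mechanism described above, as an added example (this is not code from Debian, Tomcat or Commons FileUpload): a Python model of a MultipartStream-style reader that keeps a look-behind of len(boundary) bytes across refills of a fixed buffer and rescans the buffer after every refill. Only the 4096-byte buffer size comes from the advisory; the boundary strings, the constructed part body, the cost metric (bytes scanned plus bytes copied per payload byte) and the mitigated buffer size are assumptions made here for illustration. The model shows why progress per refill collapses to buf_size - len(boundary) bytes when the boundary is just below the buffer size.

```python
"""Model of the multipart boundary/buffer interaction behind CVE-2016-3092.

Added example; this is not Debian's, Tomcat's or Commons FileUpload's code.
It models a MultipartStream-style reader: a fixed read buffer, a look-behind
of len(boundary) bytes retained across refills so a boundary split over two
reads is still found, and a rescan of the whole buffer after every refill.
The 4096-byte buffer size comes from the advisory; the boundaries, payload
and mitigation below are constructed for illustration.
"""
from typing import NamedTuple

BUF_SIZE = 4096                                   # size named in the advisory

# Constructed boundaries: a typical one of a few tens of bytes, and one sized
# just below the buffer, which is the case the advisory describes.
SHORT_BOUNDARY = b"-" * 26 + b"9bc3d6f1a0e2"       # 38 bytes
LONG_BOUNDARY = b"-" * 4080 + b"9bc3d6f1a0e2"      # 4092 bytes


class ScanStats(NamedTuple):
    found_at: int      # offset of the boundary in the body, or -1
    refills: int       # how many times the buffer was (re)filled and rescanned
    scanned: int       # bytes a linear-time matcher examines in total
    copied: int        # bytes moved to the front of the buffer before refills


def stream_until_boundary(body: bytes, boundary: bytes,
                          buf_size: int = BUF_SIZE) -> ScanStats:
    """Feed `body` through a buf_size buffer until `boundary` is found.

    Each pass admits only buf_size - len(boundary) new bytes, because the last
    len(boundary) bytes are retained as look-behind; that quantity collapses
    when the boundary length approaches buf_size.
    """
    keep = len(boundary)
    if buf_size <= keep:
        raise ValueError("buffer must be larger than the boundary")
    buf = b""
    pos = 0                       # body offset corresponding to buf[0]
    refills = scanned = copied = 0
    while True:
        chunk = body[pos + len(buf): pos + buf_size]   # refill up to buf_size
        buf += chunk
        refills += 1
        scanned += len(buf)                            # whole buffer rescanned
        idx = buf.find(boundary)
        if idx >= 0:
            return ScanStats(pos + idx, refills, scanned, copied)
        if not chunk:                                  # input exhausted
            return ScanStats(-1, refills, scanned, copied)
        drop = max(len(buf) - keep, 0)                 # release all but look-behind
        pos += drop
        buf = buf[drop:]
        copied += len(buf)


def mitigated_buf_size(boundary: bytes, buf_size: int = BUF_SIZE) -> int:
    """Buffer size that keeps progress per refill at >= len(boundary).

    Assumption: a buffer of at least twice the boundary length is the shape of
    mitigation modelled here; the advisory does not describe the fix itself.
    """
    return max(buf_size, 2 * len(boundary))


def work_per_payload_byte(payload_len: int, boundary: bytes,
                          buf_size: int = BUF_SIZE) -> float:
    """Bytes scanned plus bytes copied, per byte of part body before the boundary."""
    body = b"A" * payload_len + boundary + b"\r\n"    # constructed part body
    st = stream_until_boundary(body, boundary, buf_size)
    assert st.found_at == payload_len
    return (st.scanned + st.copied) / payload_len


if __name__ == "__main__":
    n = 100_000
    for label, boundary, size in (
        ("typical boundary, 4096 buffer", SHORT_BOUNDARY, BUF_SIZE),
        ("long boundary, 4096 buffer", LONG_BOUNDARY, BUF_SIZE),
        ("long boundary, mitigated buffer", LONG_BOUNDARY,
         mitigated_buf_size(LONG_BOUNDARY)),
    ):
        cost = work_per_payload_byte(n, boundary, size)
        print(f"{label:34} {cost:10.2f} bytes touched per payload byte")
```

With a 100 kB part body the model touches roughly one byte per payload byte for the 38-byte boundary, about two thousand bytes per payload byte for the 4092-byte boundary (25,000 refills instead of 25), and about three once the buffer is sized to at least twice the boundary. A linear-time matcher alone does not help here, since the cost comes from the number of refills and from re-copying the look-behind each time, which is why an upload with such a boundary ties up a request thread for so long.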

For Debian 7 "Wheezy", this problem has been fixed in version
7.0.28-4+deb7u5.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

