Debian Security Advisory
DSA-395-1 tomcat4 -- incorrect input handling
- Date Reported:
- 15 Oct 2003
- Affected Packages:
- tomcat4
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 8824.
In Mitre's CVE dictionary: CVE-2003-0866. - More information:
-
Aldrin Martoq has discovered a denial of service (DoS) vulnerability in Apache Tomcat 4.0.x. Sending several non-HTTP requests to Tomcat's HTTP connector makes Tomcat reject further requests on this port until it is restarted.
For the current stable distribution (woody) this problem has been fixed in version 4.0.3-3woody3.
For the unstable distribution (sid) this problem does not exist in the current version 4.1.24-2.
We recommend that you upgrade your tomcat4 packages and restart the tomcat server.
- Fixed in:
-
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody3.dsc
- http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody3.diff.gz
- http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3.orig.tar.gz
- http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody3.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/contrib/t/tomcat4/libtomcat4-java_4.0.3-3woody3_all.deb
- http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody3_all.deb
- http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody3_all.deb
- http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody3_all.deb
MD5 checksums of the listed files are available in the original advisory.