Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2017-6056

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

Related bugs and status

CVE-2017-6056 (Candidate) is related to these bugs:

Bug #1663318: Tomcat 7 keeps using 100% CPU after sending an invalid HTTP request

Summary				In	Importance	Status
	1663318	Tomcat 7 keeps using 100% CPU after sending an invalid HTTP request		tomcat7 (Ubuntu)	Undecided	Fix Released
	1663318	Tomcat 7 keeps using 100% CPU after sending an invalid HTTP request		Debian	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://bugs.debian.or...
CONFIRM: https://bz.apache.org/...
CONFIRM: https://lists.debian.o...
CONFIRM: https://lists.debian.o...
BID: 96293
SECTRACK: 1037860
DEBIAN: DSA-3787
DEBIAN: DSA-3788
REDHAT: RHSA-2017:0517
REDHAT: RHSA-2017:0826
REDHAT: RHSA-2017:0827
REDHAT: RHSA-2017:0828
REDHAT: RHSA-2017:0829
CONFIRM: https://security.netap...
MLIST: [activemq-issues] 2019...
MLIST: [activemq-issues] 2019...
MISC: https://www.oracle.com...