Friday, June 6, 2014

Apache releases Tomcat patches

Apache recently patched Tomcat, fixing a trio of information disclosure bugs and a denial of service bug in the open source web server and servlet container. The denial of service bug, discovered in February by David Jorm of the Red Hat Security Response Team, could have allowed an attacker to create a malformed chunk size as part of a chunked request that would've allowed an unlimited amount of data to be streamed to the server. This would have bypassed the size limits enforced on a request and triggered a denial of service condition. <more>

No comments: