Author: markt Date: Mon Jan 28 10:57:09 2013 New Revision: 1439338 URL: http://svn.apache.org/viewvc?rev=1439338&view=rev Log: Add CVE-2012-5568 to the not a vulnerability in Tomcat section.
Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1439338&r1=1439337&r2=1439338&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Mon Jan 28 10:57:09 2013 @@ -1791,6 +1791,33 @@ <p> +<strong>Low: Denial Of Service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568" rel="nofollow">CVE-2012-5568</a> +</p> + + +<p>Sending an HTTP request 1 byte at a time will consume a thread from the + connection pool until the request has been fully processed if using the + BIO or APR/native HTTP connectors. Multiple requests may be used to + consume all threads in the connection pool thereby creating a denial of + service.</p> + + +<p>Since the relationship between the client side resources and server side + resources is a linear one, this issue is not something that the Tomcat + Security Team views as a vulnerability. This is a generic DoS problem and + there is no magic solution. This issue has been discussed several times + on the Tomcat mailing lists. The best place to start to review these + discussions is the report for + <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug + 54236</a>.</p> + + +<p>This was first discussed on the public Tomcat users mailing list on 19 + June 2009.</p> + + +<p> <strong>Important: Remote Denial Of Service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a> </p> Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1439338&r1=1439337&r2=1439338&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Mon Jan 28 10:57:09 2013 @@ -1395,6 +1395,36 @@ <p> +<strong>Low: Denial Of Service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568" rel="nofollow">CVE-2012-5568</a> +</p> + + +<p>Sending an HTTP request 1 byte at a time will consume a thread from the + connection pool until the request has been fully processed if using the + BIO or APR/native HTTP connectors. Multiple requests may be used to + consume all threads in the connection pool thereby creating a denial of + service.</p> + + +<p>Since the relationship between the client side resources and server side + resources is a linear one, this issue is not something that the Tomcat + Security Team views as a vulnerability. This is a generic DoS problem and + there is no magic solution. This issue has been discussed several times + on the Tomcat mailing lists. The best place to start to review these + discussions is the report for + <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug + 54236</a>.</p> + + +<p>This was first discussed on the public Tomcat users mailing list on 19 + June 2009.</p> + + +<p>Affects: 7.0.0-7.0.x</p> + + +<p> <strong>Important: Remote Denial Of Service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a> </p> Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1439338&r1=1439337&r2=1439338&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Mon Jan 28 10:57:09 2013 @@ -909,6 +909,27 @@ <section name="Not a vulnerability in Tomcat"> + <p><strong>Low: Denial Of Service</strong> + <cve>CVE-2012-5568</cve></p> + + <p>Sending an HTTP request 1 byte at a time will consume a thread from the + connection pool until the request has been fully processed if using the + BIO or APR/native HTTP connectors. Multiple requests may be used to + consume all threads in the connection pool thereby creating a denial of + service.</p> + + <p>Since the relationship between the client side resources and server side + resources is a linear one, this issue is not something that the Tomcat + Security Team views as a vulnerability. This is a generic DoS problem and + there is no magic solution. This issue has been discussed several times + on the Tomcat mailing lists. The best place to start to review these + discussions is the report for + <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug + 54236</a>.</p> + + <p>This was first discussed on the public Tomcat users mailing list on 19 + June 2009.</p> + <p><strong>Important: Remote Denial Of Service</strong> <cve>CVE-2010-4476</cve></p> Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1439338&r1=1439337&r2=1439338&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Mon Jan 28 10:57:09 2013 @@ -634,6 +634,29 @@ <section name="Not a vulnerability in Tomcat"> + <p><strong>Low: Denial Of Service</strong> + <cve>CVE-2012-5568</cve></p> + + <p>Sending an HTTP request 1 byte at a time will consume a thread from the + connection pool until the request has been fully processed if using the + BIO or APR/native HTTP connectors. Multiple requests may be used to + consume all threads in the connection pool thereby creating a denial of + service.</p> + + <p>Since the relationship between the client side resources and server side + resources is a linear one, this issue is not something that the Tomcat + Security Team views as a vulnerability. This is a generic DoS problem and + there is no magic solution. This issue has been discussed several times + on the Tomcat mailing lists. The best place to start to review these + discussions is the report for + <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug + 54236</a>.</p> + + <p>This was first discussed on the public Tomcat users mailing list on 19 + June 2009.</p> + + <p>Affects: 7.0.0-7.0.x</p> + <p><strong>Important: Remote Denial Of Service</strong> <cve>CVE-2010-4476</cve></p> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org