Hi

I have an application where I currently use the 6.0.20 version of the Apache Tomcat
bundle from SpringSource. Now, because of security vulnerabilities, I have
to migrate to the newest version of Apache Tomcat. I saw the latest
version on the Apache Tomcat site is Apache Tomcat 6.0.43, where the highest CVE
fixed is CVE-2014-0227.

Now one more recent CVE, "Apache Tomcat File Upload denial of service", has
come out. The fix for this problem is not officially released by Apache. I see
that applying a patch is able to eliminate this problem. The bugfix is ready for
download at svn.apache.org. The vulnerability is also documented in the
databases at X-Force (102131) and SecurityTracker (ID 1032079).

From seclists.org, I heard this problem was identified as a partial DoS
(non-persistent, but you can very easily eat up all server RAM) and
assigned CVE-2014-0230, and then the person handling it left Red Hat and it
didn't get processed properly.

Can you please tell me, is there any official fix for this problem
available, and from where can I download the official fix for this CVE?
When will the Apache Tomcat site have a newer version of Apache Tomcat with
this CVE fixed?

Thanks and Regards
-------------------------------
Raghavendra Neelekani
