Tomcat needs update to prevent hash function DoS attack

Bug #909828 reported by Sami Mäkinen
Affects             Status        Importance  Assigned to  Milestone
tomcat6 (Ubuntu)    Fix Released  Undecided   Unassigned
  Lucid             Fix Released  Medium      Unassigned
  Maverick          Fix Released  Medium      Unassigned
  Natty             Fix Released  Medium      Unassigned
  Oneiric           Fix Released  Medium      Unassigned
  Precise           Fix Released  Undecided   Unassigned

Bug Description

http://www.ocert.org/advisories/ocert-2011-003.html

Natty, Oneiric and any other still supported Ubuntu versions should upgrade to Tomcat version 6.0.35, to protect against the rather nasty attack described in the above security advisory.

Tomcat7 should be upgraded to 7.0.23.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: tomcat6 (not installed)
ProcVersionSignature: Ubuntu 3.0.0-14.23-generic 3.0.9
Uname: Linux 3.0.0-14-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Thu Dec 29 20:20:29 2011
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: tomcat6
UpgradeStatus: No upgrade log present (probably fresh install)

Tags: natty oneiric
visibility: private → public
Changed in tomcat6 (Ubuntu Precise):
status: New → Fix Released
Changed in tomcat6 (Ubuntu Lucid):
status: New → Confirmed
Changed in tomcat6 (Ubuntu Maverick):
status: New → Confirmed
Changed in tomcat6 (Ubuntu Natty):
status: New → Confirmed
Changed in tomcat6 (Ubuntu Oneiric):
status: New → Confirmed
Changed in tomcat6 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in tomcat6 (Ubuntu Maverick):
importance: Undecided → Medium
Changed in tomcat6 (Ubuntu Natty):
importance: Undecided → Medium
Changed in tomcat6 (Ubuntu Oneiric):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

There are now updated tomcat6 packages that fix this issue, and CVE-2012-0022 in -proposed. Since the patch is quite intrusive, they will stay in -proposed until they get some testing.

If you would like to help, please enable -proposed, test the updates, and post your results here.

Thanks.

James Page (james-page) wrote :

Testing completed in oneiric:

Installed tomcat6
Installed jenkins-tomcat
Installed solr-tomcat

Verified that both jenkins and solr were functional on current published packages.

Added -proposed and upgraded to version of tomcat6 in -proposed.

Revalidated that both jenkins and solr were still functional - all looked OK to me.

solr is quite intensive on use of parameters so felt like a reasonable test case.

James Page (james-page) wrote :

Testing completed in lucid:

Installed tomcat6
Installed solr-tomcat

Verified that solr was functional on current published packages.

Added -proposed and upgraded to version of tomcat6 in -proposed.

Revalidated that solr was still functional - all looked OK to me.

Marc Deslauriers (mdeslaur) wrote :

SRU team: This is a security update. If the packages have the required testing to publish, please let the security team know so we can publish the USN and push it to -security also. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.10

---------------
tomcat6 (6.0.24-2ubuntu1.10) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden> Wed, 25 Jan 2012 14:35:46 -0500

Changed in tomcat6 (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.28-2ubuntu1.6

---------------
tomcat6 (6.0.28-2ubuntu1.6) maverick-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden> Wed, 25 Jan 2012 14:09:00 -0500

Changed in tomcat6 (Ubuntu Maverick):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.28-10ubuntu2.3

---------------
tomcat6 (6.0.28-10ubuntu2.3) natty-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden> Wed, 25 Jan 2012 13:42:23 -0500

Changed in tomcat6 (Ubuntu Natty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.32-5ubuntu1.2

---------------
tomcat6 (6.0.32-5ubuntu1.2) oneiric-security; urgency=low

  * SECURITY UPDATE: cross-request information leakage
    - debian/patches/0016-CVE-2011-3375.patch: ensure that the request and
      response objects are recycled after being re-populated in
      java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2011-3375
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0017-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FilterBase.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/filter.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden> Wed, 25 Jan 2012 09:00:23 -0500

Changed in tomcat6 (Ubuntu Oneiric):
status: Confirmed → Fix Released
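The parameter-handling patch listed in the changelogs above (the Connector.java, FailedRequestFilter.java and conf/web.xml entries) is the 6.0.35-level fix that bounds how many parameter/value pairs a request may push into Tomcat's parameter hash table. The two fragments below are an added example of how a deployment enables both halves of that fix once the updated package is installed; they are not taken from this bug report or its patch. The maxParameterCount connector attribute and the org.apache.catalina.filters.FailedRequestFilter class are the names used in Tomcat's own Connector and filter documentation; the port number and the value 1000 are illustrative.

```xml
<!-- conf/server.xml: cap the number of parameter/value pairs the container
     parses per request (GET plus POST). Pairs beyond the limit are ignored
     instead of being inserted into the parameter hash table, which is what
     bounds the CPU cost of a collision-heavy request. 10000 is the Tomcat
     6.0.35 default; 1000 is a tighter illustrative value; a negative value
     removes the limit and should be avoided. The same attribute applies to
     the AJP connector (see webapps/docs/config/ajp.xml in the changelog). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxParameterCount="1000" />

<!-- conf/web.xml (or an application's WEB-INF/web.xml): without this filter
     a request that hits the cap is served normally with a silently truncated
     parameter set. FailedRequestFilter forces parameter parsing early and
     rejects such a request with HTTP 400 Bad Request, so the truncation is
     visible to the client and in the access log instead of reaching
     application code with incomplete input. -->
<filter>
    <filter-name>failedRequestFilter</filter-name>
    <filter-class>org.apache.catalina.filters.FailedRequestFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>failedRequestFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

After restarting Tomcat, a quick check is that a request carrying more than 1000 name=value pairs now receives a 400 response rather than a 200 built from a truncated parameter set.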