tomcat-users mailing list archives

From Mark Thomas
Subject Re: Officially released Apache tomcat version with CVE-2014-0230
Date Tue, 05 May 2015 11:58:11 GMT
On 05/05/2015 11:27, Raghavendra Nilekani wrote:
> Hi
> I have an application where I currently use 6.0.20 version of Apache tomcat
> bundle from spring source. Now because of security vulnerabilities I have
> to migrate to newer latest version of Apache tomcat. I saw the latest
> version on Apache tomcat site is Apache Tomcat 6.0.43 where the highest CVE
> fixed is *CVE-2014-0227*.
> Now one more latest CVE *Apache Tomcat File Upload denial of service* has
> come. The fix for this problem is not officially released by Apache. I see
> applying a patch is able to eliminate this problem. The bugfix is ready for
> download at The vulnerability is also documented in the
> databases at X-Force (102131) and SecurityTracker (ID 1032079).
> From, I heard this problem was identified as a partial DoS
> (non persistent, but you can very easily eat up all server ram) and
> assigned CVE-2014-0230 and then the person handling it left Red Hat and it
> didn't get processed properly.
> Can you please tell me, is there any official fix for this problem
> available and from where I can download the official fix for this CVE?
> When will Apache tomcat site have a newer version of Apache tomcat with
> this CVE fixed?

The limited information that has been published was released by RedHat
in breach of the embargo that the Apache Tomcat team had placed on it.
To say the Tomcat team is not happy with RedHat would be an understatement.

This was fixed in 8.0.x in 8.0.9 onwards.
This was fixed in 7.0.x in 7.0.55 onwards.
This has been fixed in svn for 6.0.x and will be in 6.0.44 onwards.

Expect the 6.0.44 release shortly.

