From ${URL} :
Description: A vulnerability has been reported in Apache Tomcat, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by a bundled vulnerable version of Apache Commons FileUpload. For more information: SA56750. The vulnerability is reported in versions 7.0.50 and prior.
Solution: Fixed in the source code repository. Further details available to Secunia VIM customers.
Original Advisory: http://tomcat.apache.org/security-7.html
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization.
As per upstream: Fixed in Apache Tomcat 7.0.52.
Note: The issue below was fixed in Apache Tomcat 7.0.51, but the release vote for the 7.0.51 release candidate did not pass. Therefore, although users must download 7.0.52 to obtain a version that includes a fix for this issue, version 7.0.51 is not included in the list of affected versions.
Please advise if we are ready for stabilization.
CVE-2014-0050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0050): MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
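Added example, not code from Tomcat or Commons FileUpload: a small Python model of the fixed-buffer multipart reader as I understand it, to show the practitioner-facing point of this CVE. The reader prepends CRLF and "--" to the boundary taken from the Content-Type header, keeps the last (delimiter length - 1) bytes across buffer refills so a delimiter split over two reads is still found, and refills only the remaining room. When the delimiter is longer than the buffer, that room is zero, the underlying Java read(buf, off, 0) returns 0 rather than -1, and the loop never advances. The guard in the constructor (buffer must hold the delimiter plus one byte) is what I recall the 1.3.1 fix adding; the class, function names and sample body below are my own constructions. With guard=False the toy aborts with RuntimeError where the original would spin.

```python
import io

# commons-fileupload prepends CRLF and "--" to the boundary so that a part's
# trailing CRLF is consumed as part of the delimiter.
BOUNDARY_PREFIX = b"\r\n--"


def boundary_from_content_type(content_type):
    """Return the boundary parameter of a multipart Content-Type value as bytes."""
    mediatype, *params = content_type.split(";")
    if not mediatype.strip().lower().startswith("multipart/"):
        raise ValueError("not a multipart Content-Type")
    for param in params:
        name, sep, value = param.strip().partition("=")
        if sep and name.strip().lower() == "boundary":
            value = value.strip().strip('"')
            if not value:
                raise ValueError("empty boundary")
            return value.encode("ascii")
    raise ValueError("no boundary parameter in Content-Type")


class BoundedMultipartReader:
    """Hypothetical fixed-buffer reader modelling MultipartStream's refill loop."""

    def __init__(self, stream, boundary, buf_size=4096, guard=True):
        self.stream = stream
        self.delimiter = BOUNDARY_PREFIX + boundary
        self.buf_size = buf_size
        # Bytes kept across refills so a delimiter split over two reads is found.
        self.keep = len(self.delimiter) - 1
        # The 1.3.1-style guard (assumption): reject a delimiter the buffer cannot
        # hold with at least one byte of payload beside it.
        if guard and buf_size < len(self.delimiter) + 1:
            raise ValueError("buffer of %d bytes too small for %d-byte delimiter"
                             % (buf_size, len(self.delimiter)))
        self.buf = b""
        self.refills = 0

    def read_body(self):
        """Return the bytes of one part body, up to and excluding the delimiter."""
        out = bytearray()
        while True:
            idx = self.buf.find(self.delimiter)
            if idx != -1:
                out += self.buf[:idx]
                self.buf = self.buf[idx + len(self.delimiter):]
                return bytes(out)
            # Bytes further than `keep` from the end cannot start a delimiter: emit them.
            flush = max(0, len(self.buf) - self.keep)
            out += self.buf[:flush]
            self.buf = self.buf[flush:]
            room = self.buf_size - len(self.buf)
            if room <= 0:
                # The kept tail fills the whole buffer; the real loop would issue a
                # zero-length read forever. The toy aborts instead of spinning.
                raise RuntimeError("no progress: delimiter longer than buffer")
            chunk = self.stream.read(room)
            if not chunk:
                raise ValueError("stream ended before delimiter")
            self.buf += chunk
            self.refills += 1


# Constructed sample request (not captured from a real client).
SAMPLE_CONTENT_TYPE = 'multipart/form-data; boundary="abc"'
SAMPLE_BODY = b"hello world, this is part one\r\n--abc"


def read_sample_part(buf_size=16):
    """Parse the constructed body with a buffer small enough to force refills."""
    boundary = boundary_from_content_type(SAMPLE_CONTENT_TYPE)
    reader = BoundedMultipartReader(io.BytesIO(SAMPLE_BODY), boundary, buf_size)
    return reader.read_body()


def oversized_boundary_outcome(guard):
    """Name of the exception raised for a 20-byte boundary against a 16-byte buffer."""
    boundary = b"B" * 20
    body = b"x" * 40 + BOUNDARY_PREFIX + boundary
    try:
        reader = BoundedMultipartReader(io.BytesIO(body), boundary, buf_size=16, guard=guard)
        reader.read_body()
    except (ValueError, RuntimeError) as exc:
        return type(exc).__name__
    return "ok"


if __name__ == "__main__":
    print(read_sample_part())
    print("guarded:", oversized_boundary_outcome(True))
    print("unguarded:", oversized_boundary_outcome(False))
```

The takeaway for a server operator is that the boundary is attacker-controlled input from a request header, so the parser's buffer sizing has to be validated against it up front rather than assumed; in the fixed version that validation happens before any body bytes are read.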
7.0.52 is in tree, are we ready for stabilization?
The security URL states this is fixed in 7.0.52: http://tomcat.apache.org/security-7.html
7.0.52 is in tree; are we ready to stabilize?
Ping on stable question!
(In reply to Yury German from comment #3)
> 7.0.52 is in tree, are we ready for stabilization?
Ping!
Just committed tomcat-6.0.41 and tomcat-7.0.56.
This issue was resolved and addressed in GLSA 201412-29 at http://security.gentoo.org/glsa/glsa-201412-29.xml by GLSA coordinator Sean Amoss (ackle).