Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 500600 (CVE-2014-0050) - <www-servers/tomcat-{6.0.41,7.0.56}: Commons UploadFile Denial of Service Vulnerability (CVE-2014-0050)
Summary: <www-servers/tomcat-{6.0.41,7.0.56}: Commons UploadFile Denial of Service Vul...
Alias: CVE-2014-0050
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 519590
  Show dependency tree
Reported: 2014-02-07 08:22 UTC by Agostino Sarubbo
Modified: 2020-08-28 03:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-02-07 08:22:58 UTC
From ${URL} :


A vulnerability has been reported in Apache Tomcat, which can be exploited by malicious people to cause a 
DoS (Denial of Service).

The vulnerability is caused due to a bundled vulnerable version of Apache Commons FileUpload.

For more information:

The vulnerability is reported in versions 7.0.50 and prior.

Fixed in the source code repository.

Further details available to Secunia VIM customers

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-06-24 00:38:15 UTC
As per upstream 

Fixed in Apache Tomcat 7.0.52

Note: The issue below was fixed in Apache Tomcat 7.0.51 but the release vote for the 7.0.51 release candidate did not pass. Therefore, although users must download 7.0.52 to obtain a version that includes a fix for this issue, version 7.0.51 is not included in the list of affected versions.

Please advise if we are ready for stabilization.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-06-27 21:22:03 UTC
CVE-2014-0050 ( in Apache Commons FileUpload before 1.3.1, as used in
  Apache Tomcat, JBoss Web, and other products, allows remote attackers to
  cause a denial of service (infinite loop and CPU consumption) via a crafted
  Content-Type header that bypasses a loop's intended exit conditions.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-06-27 21:24:34 UTC
7.0.52 is in tree, are we ready for stabilization?
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-07-17 03:10:53 UTC
From the security URL this is stated as Fixed in 7.0.52.

7.0.52 in Tree, are we ready to stabilize?
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-08-01 03:06:22 UTC
Ping on stable question!
(In reply to Yury German from comment #3)
> 7.0.52 is in tree, are we ready for stabilization?

Comment 6 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2014-11-02 10:23:52 UTC
Just committed tomcat-6.0.41 and tomcat-7.0.56.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 00:45:16 UTC
This issue was resolved and addressed in
 GLSA 201412-29 at
by GLSA coordinator Sean Amoss (ackle).