CVE-2007-6286 Information

Description

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests", as demonstrated by using netcat to send the empty request.

Reference

http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/28878
http://secunia.com/advisories/28915
http://secunia.com/advisories/29711
http://secunia.com/advisories/30676
http://secunia.com/advisories/32222
http://secunia.com/advisories/37460
http://secunia.com/advisories/57126
http://security.gentoo.org/glsa/glsa-200804-10.xml
http://securityreason.com/securityalert/3637
http://support.apple.com/kb/HT3216
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
http://www.securityfocus.com/archive/1/487823/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/31681
http://www.vmware.com/security/advisories/VMSA-2008-0010.html
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2008/0488
http://www.vupen.com/english/advisories/2008/1856/references
http://www.vupen.com/english/advisories/2008/2780
http://www.vupen.com/english/advisories/2009/3316
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@3Cdev.tomcat.apache.org3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@3Cdev.tomcat.apache.org3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@3Cdev.tomcat.apache.org3E
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html