Your submission was sent successfully! Close

CVE-2011-2526

Published: 14 July 2011

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.

Priority

Low

Status

Package Release Status
tomcat5.5
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Does not exist

upstream
Released (5.5.34)
Patches:
upstream: http://svn.apache.org/viewvc?view=revision&revision=1158244






tomcat6
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid
Released (6.0.24-2ubuntu1.9)
maverick
Released (6.0.28-2ubuntu1.5)
natty
Released (6.0.28-10ubuntu2.2)
oneiric
Released (6.0.32-5ubuntu1.1)
upstream
Released (6.0.33)
Patches:

upstream: http://svn.apache.org/viewvc?view=revision&revision=1146703





tomcat7
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Not vulnerable
(7.0.21-1)
upstream
Released (7.0.19)
Patches:


upstream: http://svn.apache.org/viewvc?view=revision&revision=1146005
upstream: http://svn.apache.org/viewvc?view=revision&revision=1145694
upstream: http://svn.apache.org/viewvc?view=revision&revision=1145571
upstream: http://svn.apache.org/viewvc?view=revision&revision=1145489
upstream: http://svn.apache.org/viewvc?view=revision&revision=1145383