CVE-2007-6286

Publication date 12 February 2008

Last updated 24 July 2024

Ubuntu priority

Low

Why this priority?

Description

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.

Read the notes from the security team

Status

Package Ubuntu Release Status
tomcat5 9.10 karmic Not in release
9.04 jaunty Not in release
8.10 intrepid Not in release
8.04 LTS hardy Not in release
7.10 gutsy Not in release
7.04 feisty Ignored end of life, was needed
6.10 edgy Ignored end of life, was needed
6.06 LTS dapper Ignored end of life
tomcat5.5 9.10 karmic Not in release
9.04 jaunty
Not affected
8.10 intrepid
Not affected
8.04 LTS hardy
Not affected
7.10 gutsy
Not affected
7.04 feisty
Not affected
6.10 edgy
Not affected
6.06 LTS dapper Not in release

Notes

fujitsu

At least 5.5 doesn't use the native APR connector.

References

Other references

Access our resources on patching vulnerabilities