Description: Hitachi Incident Response Team has reported a vulnerability in Tomcat, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error in the servlet / JSP communication handling for the AJP12 protocol. This can be exploited to cause a vulnerable server to stop processing further requests by sending a specially crafted request to the AJP12 protocol port (8007/tcp by default). The vulnerability has been reported in version 3.x.

Solution: The vulnerability has been fixed in the 5.x releases. Filter traffic to the AJP12 protocol port (default is 8007/tcp).

Other References: US-CERT VU#204710: http://www.kb.cert.org/vuls/id/204710
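The advisory's workaround is to filter the AJP12 port, which only matters if the listener is reachable from anything other than loopback. The following is an added example, not code from this bug, from Gentoo or from Tomcat: it parses `ss -ltn`-style listener lines and reports any listener on the AJP12 port (8007 by default, as the advisory states) bound to a wildcard or non-loopback address. The `ss` column layout assumed here (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and the sample lines are assumptions; the sample output is constructed, not captured from a real host.

```python
"""Report whether an AJP12-style listener (TCP 8007 by default) is bound
beyond loopback, by parsing `ss -ltn`-style output.

Added example for this bug; not Gentoo's or Tomcat's code. Assumes the
`ss -ltn` column layout (State Recv-Q Send-Q Local:Port Peer:Port) and
treats any wildcard or non-loopback bind address as exposed.
"""
import ipaddress
import subprocess

AJP12_PORT = 8007  # Tomcat 3.x default port named in the advisory


def _split_addr_port(local):
    # ss prints "addr:port"; IPv6 and wildcard forms look like "[::]:8007" or "*:8007".
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def _is_loopback(host):
    # "*" and "" are wildcard binds, so they are reachable from any interface.
    if host in ("*", ""):
        return False
    host = host.split("%", 1)[0]  # drop an IPv6 scope id such as "%eth0"
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_lines, port=AJP12_PORT):
    """Return the local address:port strings on which `port` is listening on a
    wildcard or non-loopback address. An empty list means it is not exposed."""
    exposed = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, lport = _split_addr_port(fields[3])
        if lport == port and not _is_loopback(host):
            exposed.append(fields[3])
    return exposed


def check_live(port=AJP12_PORT):
    """Run `ss -ltn` on this host and return the exposed listeners for `port`."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out.splitlines(), port)


# Constructed sample `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8007      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    [::]:8007           [::]:*
LISTEN 0      128    10.0.0.5:8007       0.0.0.0:*
""".splitlines()

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS):
        print("AJP12 port reachable beyond loopback on", addr)
```

If the check reports anything, the advisory's workaround applies: drop inbound traffic to 8007/tcp that does not arrive on the loopback interface (for example an iptables rule of the form `iptables -A INPUT -p tcp --dport 8007 ! -i lo -j DROP`), or rebind the connector to 127.0.0.1 if the web server front-end lives on the same host.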
Since 5.x versions are already in the tree, this just needs a GLSA decision.
I think it's not a problem if versions <5 are removed from the tree. I'll add an ebuild for 5.5.x in the near future, as the 5.5 release is the latest stable release from upstream and the main focus of development.
Voting half-yes...
I vote no.
½ YES here too.
Reversing vote and voting no... AJP12 should always be filtered, and this has been fixed in 5.x since forever. Reopen if you intended to vote yes.