
Bug 878911 (CVE-2022-42252)

Summary: <www-servers/tomcat-{8.5.83,6.0.68,10.0.27,10.1.1}: request smuggling
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: fordfrog, java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2022/10/31/5
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 880871    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 18:50:29 UTC
"If Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not
reject a request containing an invalid Content-Length header making a request
smuggling attack possible if Tomcat was located behind a reverse proxy that
also failed to reject the request with the invalid header.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Ensure rejectIllegalHeader is set to true
- Upgrade to Apache Tomcat 10.1.1 or later
- Upgrade to Apache Tomcat 10.0.27 or later
- Upgrade to Apache Tomcat 9.0.68 or later
- Upgrade to Apache Tomcat 8.5.83 or later"

Please stabilize fixed versions.
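
An added example, not part of the bug report or of Tomcat's own code: a small audit of a `server.xml` against the two mitigations listed in the advisory above (a fixed release for the branch, or `rejectIllegalHeader` set to true). The sample configuration, the function name, plain `x.y.z` version strings, and the choice to skip AJP connectors are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# First fixed release per branch, as listed in the advisory quoted above.
FIXED = {(8, 5): (8, 5, 83), (9, 0): (9, 0, 68),
         (10, 0): (10, 0, 27), (10, 1): (10, 1, 1)}

# Constructed sample configuration (not taken from the bug report).
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" rejectIllegalHeader="true" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>"""


def audit(server_xml, tomcat_version):
    """Return [(connector port, finding)] for connectors with no mitigation."""
    version = tuple(int(p) for p in tomcat_version.split(".")[:3])
    branch = version[:2]
    if branch not in FIXED:
        raise ValueError(f"branch {branch} is not covered by the advisory")
    if version >= FIXED[branch]:
        return []  # the advisory lists upgrading as a sufficient mitigation
    # Per the advisory, the default is false on 8.5.x only.
    default = "false" if branch == (8, 5) else "true"
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Assumption: only HTTP connectors are checked; AJP ones are skipped.
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue
        explicit = conn.get("rejectIllegalHeader")
        value = (default if explicit is None else explicit).strip().lower()
        port = conn.get("port", "?")
        if value == "false":
            how = "branch default" if explicit is None else "explicit"
            findings.append((port, f"rejectIllegalHeader=false ({how})"))
        elif value != "true":
            # e.g. a ${property} placeholder that cannot be resolved here
            findings.append((port, f"unresolved value {explicit!r}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(SAMPLE, "8.5.82"):
        print(f"connector {port}: {finding}")
```
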
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-12 03:07:16 UTC
Please clean up
Comment 2 Larry the Git Cow gentoo-dev 2022-11-12 07:03:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7743ec01429d2a0dccdc827f63ac4d9fadcb7e7e

commit 7743ec01429d2a0dccdc827f63ac4d9fadcb7e7e
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-11-12 07:03:34 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-11-12 07:03:45 +0000

    www-servers/tomcat: dropped obsolete 10.1.0-r1, 10.0.26, 9.0.67 & 8.5.82
    
    Bug: https://bugs.gentoo.org/880871
    Bug: https://bugs.gentoo.org/878911
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                |   6 -
 www-servers/tomcat/tomcat-10.0.26.ebuild   | 198 -----------------------------
 www-servers/tomcat/tomcat-10.1.0-r1.ebuild | 194 ----------------------------
 www-servers/tomcat/tomcat-8.5.82.ebuild    | 159 -----------------------
 www-servers/tomcat/tomcat-9.0.67.ebuild    | 190 ---------------------------
 5 files changed, 747 deletions(-)
Comment 3 Miroslav Šulc gentoo-dev 2022-11-12 07:09:47 UTC
the tree is clean now, you can proceed.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-12 16:49:01 UTC
Thanks!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 23:17:47 UTC
GLSA request filed.
Comment 6 Larry the Git Cow gentoo-dev 2023-05-30 03:05:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a8b85191c046076a4e4d12c8541d49e1473aaa66

commit a8b85191c046076a4e4d12c8541d49e1473aaa66
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 03:03:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:05:04 +0000

    [ GLSA 202305-37 ] Apache Tomcat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/878911
    Bug: https://bugs.gentoo.org/889596
    Bug: https://bugs.gentoo.org/896370
    Bug: https://bugs.gentoo.org/907387
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-37.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 03:06:47 UTC
GLSA released, all done!
Comment 8 Larry the Git Cow gentoo-dev 2023-05-31 02:20:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=023c3018165ffad6f1f6a874561e1c3c555cb505

commit 023c3018165ffad6f1f6a874561e1c3c555cb505
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-05-31 02:20:03 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-31 02:20:25 +0000

    [ GLSA 202305-37 ] fix versions, add other slots
    
    Bug: https://bugs.gentoo.org/878911
    Bug: https://bugs.gentoo.org/889596
    Bug: https://bugs.gentoo.org/896370
    Bug: https://bugs.gentoo.org/907387
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-37.xml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)