Bug 382043 (CVE-2011-3190) - <www-servers/tomcat-6.0.35 Authentication bypass and information disclosure (CVE-2011-3190)
Status: RESOLVED FIXED
Alias: CVE-2011-3190
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: B4 [glsa]
Depends on: 395933
Blocks: 322979
Reported: 2011-09-06 13:07 UTC by daavelino
Modified: 2012-06-24 14:12 UTC
Description daavelino 2011-09-06 13:07:22 UTC
As in NVD: Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.
Comment 1 Miroslav Šulc gentoo-dev 2011-09-06 16:13:38 UTC
It's already fixed in tomcat 7.0.21, but I can see no fix for the tomcat:6 series nor the tomcat:5.5 series. Should the affected versions be removed once the fixes are available?
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-09-07 16:00:40 UTC
(In reply to comment #1)
> It's already fixed in tomcat 7.0.21, but I can see no fix for the tomcat:6 series
> nor the tomcat:5.5 series. Should the affected versions be removed once the fixes
> are available?

Yes, please. Do you happen to have an ETA for a fixed 6.0 and 5.5?
Comment 3 Miroslav Šulc gentoo-dev 2011-09-07 17:18:57 UTC
No, I have no ETA; it depends on upstream when they are going to release the fixes, and I have no idea if there is any ETA from their side or not.

For now, I just removed tomcat:7 < 7.0.21 and the related tomcat-servlet-api.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-09-07 17:23:40 UTC
(In reply to comment #3)
> No, I have no ETA; it depends on upstream when they are going to release the
> fixes, and I have no idea if there is any ETA from their side or not.
> 

Ok. We'll just wait for the fixed versions and then do stabilization etc (like always).

> For now, I just removed tomcat:7 < 7.0.21 and the related tomcat-servlet-api.

Thank you.
Comment 5 Paul B. Henson 2011-09-07 21:09:01 UTC
There are patches available that could apply to the current versions:

- 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
- 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev

If you wanted to include those for the current version ebuilds while waiting for a new fixed version to be released...
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:47:44 UTC
CVE-2011-3190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3190):
  Certain AJP protocol connector implementations in Apache Tomcat 7.0.0
  through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly
  other versions allow remote attackers to spoof AJP requests, bypass
  authentication, and obtain sensitive information by causing the connector to
  interpret a request body as a new request.
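The NVD text quoted above describes the spoof: the connector reads bytes from a request body as if they were a fresh AJP forward request, so attacker-controlled bytes can carry the attributes (remote_user, auth_type) that the container trusts from its front-end web server. The following is an added example, not code from this bug report or from Tomcat: a small AJP13 forward-request decoder together with a check that flags an HTTP request body containing a well-formed forward request, the precondition for the spoof. It assumes the AJP13 packet layout (0x12 0x34 magic, 2-byte length, prefix code 0x02, length-prefixed NUL-terminated strings, attribute codes 0x03 remote_user and 0x04 auth_type, 0xFF terminator); the sample bodies, the /manager/html URI and the user name admin are constructed for the example.

```python
import struct

# AJP13 framing and forward-request encoding as in the published AJP13
# description; the sample bodies further down are constructed, not captured.
AJP_MAGIC = b"\x12\x34"          # web server -> container packet marker
FORWARD_REQUEST = 0x02           # prefix code of a forward-request packet
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT",
           6: "DELETE", 7: "TRACE", 8: "PROPFIND"}
COMMON_HEADERS = {0xA005: "authorization", 0xA007: "content-type",
                  0xA008: "content-length", 0xA009: "cookie", 0xA00B: "host",
                  0xA00E: "user-agent"}
# Attribute codes; remote_user/auth_type let the front end assert an identity.
ATTRIBUTES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
              0x04: "auth_type", 0x05: "query_string", 0x06: "route",
              0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
              0x0C: "secret", 0x0D: "stored_method"}


class AjpParseError(ValueError):
    pass


class Reader:
    """Cursor over a packet payload exposing the AJP primitive types."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        if self.pos >= len(self.data):
            raise AjpParseError("truncated")
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        if self.pos + 2 > len(self.data):
            raise AjpParseError("truncated")
        (v,) = struct.unpack_from(">H", self.data, self.pos)
        self.pos += 2
        return v

    def string(self):
        # 2-byte length, bytes, mandatory 0x00 terminator; 0xFFFF means null.
        n = self.u16()
        if n == 0xFFFF:
            return None
        end = self.pos + n
        if end >= len(self.data) or self.data[end] != 0:
            raise AjpParseError("bad string")
        s = self.data[self.pos:end].decode("latin-1")
        self.pos = end + 1
        return s


def parse_forward_request(payload):
    """Decode a forward-request payload; raise AjpParseError if it is not one."""
    r = Reader(payload)
    if r.byte() != FORWARD_REQUEST:
        raise AjpParseError("not a forward request")
    req = {"method": METHODS.get(r.byte(), "?"), "protocol": r.string(),
           "uri": r.string(), "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.u16(),
           "is_ssl": r.byte() != 0, "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        code = r.u16()
        if code >> 8 == 0xA0:              # well-known header sent as a code
            name = COMMON_HEADERS.get(code, "0x%04x" % code)
        else:                              # otherwise those bytes were a string length
            r.pos -= 2
            name = r.string()
        req["headers"][name] = r.string()
    while True:
        code = r.byte()
        if code == 0xFF:                   # request terminator
            return req
        if code == 0x0A:                   # req_attribute: name then value
            req["attributes"][r.string()] = r.string()
        elif code == 0x0B:                 # ssl_key_size is an integer
            req["attributes"]["ssl_key_size"] = r.u16()
        else:
            req["attributes"][ATTRIBUTES.get(code, "0x%02x" % code)] = r.string()


def embedded_forward_requests(body):
    """Return every well-formed AJP forward request framed inside an HTTP body.
    A legitimate client never sends one; finding one is the precondition for
    the body-as-new-request spoof described for CVE-2011-3190."""
    hits, start = [], 0
    while True:
        i = body.find(AJP_MAGIC, start)
        if i < 0 or i + 4 > len(body):
            return hits
        start = i + 1
        (length,) = struct.unpack_from(">H", body, i + 2)
        payload = body[i + 4:i + 4 + length]
        if len(payload) != length:
            continue
        try:
            hits.append(parse_forward_request(payload))
        except AjpParseError:
            continue


def _s(text):
    b = text.encode("latin-1")
    return struct.pack(">H", len(b)) + b + b"\x00"


def build_forward_request(method_code, uri, remote_user=None, headers=()):
    """Encode a forward request; used here only to construct the sample body."""
    p = bytes([FORWARD_REQUEST, method_code]) + _s("HTTP/1.1") + _s(uri)
    p += _s("127.0.0.1") + _s("localhost") + _s("localhost")
    p += struct.pack(">H", 8080) + b"\x00"          # server_port, is_ssl
    p += struct.pack(">H", len(headers))
    for name, value in headers:
        p += _s(name) + _s(value)
    if remote_user is not None:                       # front-end-asserted identity
        p += b"\x03" + _s(remote_user) + b"\x04" + _s("BASIC")
    return AJP_MAGIC + struct.pack(">H", len(p) + 1) + p + b"\xff"


# Constructed sample bodies: a normal login form post, and one smuggling a
# forward request for /manager/html that claims remote_user=admin.
BENIGN_BODY = b"username=alice&password=hunter2"
CRAFTED_BODY = b"x=1&pad=" + build_forward_request(2, "/manager/html", remote_user="admin")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("crafted", CRAFTED_BODY)):
        for req in embedded_forward_requests(body):
            print(label, req["method"], req["uri"], req["attributes"])
```

The check only fires on a complete, 0xFF-terminated forward request whose declared length fits inside the body, so a stray 0x12 0x34 in a binary upload does not match. It is a body-inspection check for a front end or WAF in front of an AJP connector, useful as a compensating control or a detection signature; it does not fix the connector itself, and the fixed versions named later in this bug remain the remedy.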
Comment 7 Miroslav Šulc gentoo-dev 2011-12-24 19:56:53 UTC
6.0.35 is now in tree and fixes CVE-2011-3190. Stabilization request filed.
Comment 8 Miroslav Šulc gentoo-dev 2011-12-24 20:32:13 UTC
Tomcat 5.5.x has been removed from the main tree because it is heading for its EOL on 2012-09-30 and it is unmaintained on our side (all the effort goes to the 6.x and 7.x releases). Tomcat 5.5.x has been moved to java-overlay for those who still need it.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-03-13 21:57:47 UTC
Thanks, folks. GLSA Vote: yes.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-23 13:28:06 UTC
On existing GLSA request.
Comment 11 Miroslav Šulc gentoo-dev 2012-03-25 20:25:54 UTC
No affected version in the tree anymore.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:12:55 UTC
This issue was resolved and addressed in
 GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml
by GLSA coordinator Tobias Heinlein (keytoaster).