CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP Upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79

Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team by iswin from 360-sg-lab (360观星实验室)

History:
2017-09-19 Original advisory

----------------------------------------------------------------------

CVE-2017-12616 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.80

Description:
When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 7.0.81

Credit:
This issue was identified by the Tomcat Security Team while investigating CVE-2017-12615.

History:
2017-09-19 Original advisory
Changing Summary since we are not affected by CVE-2017-12615. The fixed version is already in the tree. @Maintainers, please call for stabilization when ready or let us know. Gentoo Security Padawan ChrisADR
I just marked =dev-java/tomcat-servlet-api-7.0.81 and =www-servers/tomcat-7.0.81 as stable on amd64. We just need to get it stable on x86 so that I can remove the affected version.
(In reply to Miroslav Šulc from comment #2)
> i just marked =dev-java/tomcat-servlet-api-7.0.81 and
> =www-servers/tomcat-7.0.81 as stable on amd64. we just need to get it stable
> on x86 so that i could remove the affected version.

Thank you, @x86 please let us know when ready.

Gentoo Security Padawan
ChrisADR
x86 has never stable versions. @maintainers, please clean =7.0.79
7.0.79 removed
(In reply to Aaron Bauman from comment #4)
> x86 has never stable versions.
>
> @maintainers, please clean =7.0.79

s/never/newer

Thanks!
x86 stable