From ${URL} : Apache Tomcat through versions 7.0.88, 8.0.52, 8.5.31 and 9.0.8 have defaults settings for the CORS filter that are insecure and enable 'supportsCredentials' for all origins. External References: https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E http://tomcat.apache.org/security-9.html http://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-7.html Upstream Patches: http://svn.apache.org/viewvc?view=rev&rev=1831726 http://svn.apache.org/viewvc?view=rev&rev=1831728 http://svn.apache.org/viewvc?view=rev&rev=1831729 http://svn.apache.org/viewvc?view=rev&rev=1831730 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
i guess this will take some time, because: * www-servers/tomcat:7 - is fine, we have only 7.0.92 (stable) * www-servers/tomcat:8 - we have affected 8.0.52 (stable) and unaffected 8.0.53 (unstable), which depends on >=dev-java/ant-core-1.9.13 which is not stable yet * www-servers/tomcat:8.5 - we have affected 8.5.31 (stable) and unaffected 8.5.37 (unstable), which depends on >=dev-java/ant-core-1.9.13 which is not stable yet * www-servers/tomcat:9 - we have affected 9.0.8 (stable) and unaffected 9.0.{14,16] (unstable), both depend on >=dev-java/ant-core-1.9.13 which is not stable yet and also on virtual/jdk-11 which is masked atm we can stabilize ant-core-1.9.13 sooner than at 2019-02-24 and hence we could remove the affected versions for slots 8 and 8.5, but idk when we will unmask java 11, gyakovlev would probably know better. and it will take some time before it will go stable. shall we proceed with ant-core-1.9.13 and/or 1.10.5 stabilization to fix at least slot 8 and 8.5? there were some issues with these new versions but all that have been reported have been solved.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61beaeeb0af2968e7e27c278bd5b33ea00849880 commit 61beaeeb0af2968e7e27c278bd5b33ea00849880 Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2019-03-02 19:56:36 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2019-03-02 19:57:03 +0000 www-servers/tomcat-8.{0.52,5.31}: removed obsolete Bug: https://bugs.gentoo.org/662168 Bug: https://bugs.gentoo.org/656044 Bug: https://bugs.gentoo.org/662892 Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> www-servers/tomcat/Manifest | 2 - www-servers/tomcat/tomcat-8.0.52.ebuild | 158 -------------------------------- www-servers/tomcat/tomcat-8.5.31.ebuild | 158 -------------------------------- 3 files changed, 318 deletions(-)
(In reply to Larry the Git Cow from comment #2) > The bug has been referenced in the following commit(s): > > https://gitweb.gentoo.org/repo/gentoo.git/commit/ > ?id=61beaeeb0af2968e7e27c278bd5b33ea00849880 > > commit 61beaeeb0af2968e7e27c278bd5b33ea00849880 > Author: Miroslav Šulc <fordfrog@gentoo.org> > AuthorDate: 2019-03-02 19:56:36 +0000 > Commit: Miroslav Šulc <fordfrog@gentoo.org> > CommitDate: 2019-03-02 19:57:03 +0000 > > www-servers/tomcat-8.{0.52,5.31}: removed obsolete > > Bug: https://bugs.gentoo.org/662168 > Bug: https://bugs.gentoo.org/656044 > Bug: https://bugs.gentoo.org/662892 > Package-Manager: Portage-2.3.62, Repoman-2.3.12 > Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> > > www-servers/tomcat/Manifest | 2 - > www-servers/tomcat/tomcat-8.0.52.ebuild | 158 > -------------------------------- > www-servers/tomcat/tomcat-8.5.31.ebuild | 158 > -------------------------------- > 3 files changed, 318 deletions(-) 9.0.7 is still vulnerable and stable on amd64. Other slots are good. Please decide how to approach slot 9.
@java, ping. dev-java/ant-core dependencies look to be resolved now.
nevermind, the virtual is still masked
GLSA Vote: No!
i've dropped 9.0.7 so you can proceed now
Repository is clean, all done!
