Bug 747970 (CVE-2020-13943) - <www-servers/tomcat-{8.5.58, 9.0.38}: HTTP/2 connection confusion (CVE-2020-13943)
Status: RESOLVED FIXED
Alias: CVE-2020-13943
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-12 11:12 UTC by Sam James
Modified: 2020-11-13 18:07 UTC

See Also:
Package list:
www-servers/tomcat-8.5.58 amd64 dev-java/tomcat-servlet-api-8.5.58 dev-java/tomcat-servlet-api-9.0.38 amd64 x86
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-12 11:12:12 UTC
Seems like 7.x is unaffected.

Description:
"If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources."
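The summary line of this bug gives the fixed versions (`<www-servers/tomcat-{8.5.58, 9.0.38}`), which is what an administrator needs to decide whether an installed Tomcat still carries the HTTP/2 header-confusion flaw. The following is an added example, not code from this bug, from Gentoo or from the Tomcat project: it parses a version string as it appears in a Gentoo atom (`www-servers/tomcat-9.0.37-r1`) or in a Tomcat server banner (`Apache Tomcat/9.0.37`) and compares it against the fixed version of its branch. Only the 8.5 and 9.0 branches named in the summary are covered; any other branch is reported as "not covered by this bug" rather than guessed at, and the inventory list in the demo is constructed for illustration.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions as stated in this bug's summary line:
#   <www-servers/tomcat-{8.5.58, 9.0.38}
# Keyed by (major, minor) branch. Branches not listed here are not
# covered by this bug and are reported as None (unknown), not as safe.
FIXED_VERSIONS = {
    (8, 5): (8, 5, 58),
    (9, 0): (9, 0, 38),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the first X.Y.Z triple from a Gentoo atom, an ebuild
    version (a trailing -rN revision is ignored, since the revision does
    not change upstream code) or a Tomcat server banner."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is below the fixed version of its branch,
    False if it is at or above it, None if the branch is not one this
    bug's summary covers (e.g. 7.x or 10.x)."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def triage(atoms):
    """Split an inventory of installed atoms into affected, fixed and
    not-covered lists, preserving the original strings for reporting."""
    affected, fixed, not_covered = [], [], []
    for atom in atoms:
        state = is_affected(atom)
        if state is None:
            not_covered.append(atom)
        elif state:
            affected.append(atom)
        else:
            fixed.append(atom)
    return affected, fixed, not_covered


if __name__ == "__main__":
    # Constructed inventory, as `equery list www-servers/tomcat` might
    # print it on several hosts; these are illustrative, not real data.
    inventory = [
        "www-servers/tomcat-8.5.57-r1",
        "www-servers/tomcat-8.5.58",
        "www-servers/tomcat-9.0.37-r1",
        "www-servers/tomcat-9.0.38",
        "www-servers/tomcat-7.0.105",
    ]
    aff, fix, unk = triage(inventory)
    print("affected by CVE-2020-13943:", aff)
    print("at or above fixed version: ", fix)
    print("branch not covered here:  ", unk)
```

The comparison is done on integer tuples rather than on strings, so `8.5.9` correctly sorts below `8.5.58`; a string comparison would get that wrong. Returning `None` for uncovered branches keeps the check honest about what this bug states and leaves the reporter's remark about 7.x as a separate judgement.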
Comment 1 NATTkA bot gentoo-dev 2020-10-12 11:12:56 UTC
Sanity check failed:

> www-servers/tomcat-8.5.58
>   depend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     ~dev-java/tomcat-servlet-api-8.5.58:3.1
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     ~dev-java/tomcat-servlet-api-8.5.58:3.1
>   rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     ~dev-java/tomcat-servlet-api-8.5.58:3.1
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     ~dev-java/tomcat-servlet-api-8.5.58:3.1
Comment 2 Miroslav Šulc gentoo-dev 2020-10-16 07:24:46 UTC
It's time to stabilize anyway, so I'm reusing this bug.
Comment 3 Larry the Git Cow gentoo-dev 2020-10-16 07:28:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45d6f8a13613202f3ea5856d4323aead7031e717

commit 45d6f8a13613202f3ea5856d4323aead7031e717
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-10-16 07:28:13 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-10-16 07:28:13 +0000

    www-servers/tomcat: removed old and vulnerable 9.0.37-r1
    
    Bug: https://bugs.gentoo.org/747970
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                |   1 -
 www-servers/tomcat/tomcat-9.0.37-r1.ebuild | 187 -----------------------------
 2 files changed, 188 deletions(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-16 14:42:50 UTC
Thanks :)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-10-18 15:12:27 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2020-10-20 07:13:39 UTC
ppc64 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-01 15:00:19 UTC
amd64 done

all arches done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-01 15:00:55 UTC
amd64 done

all arches done
Comment 9 Larry the Git Cow gentoo-dev 2020-11-01 17:00:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0dd49a07f535a2880f54d39fc3d87e86572a47a2

commit 0dd49a07f535a2880f54d39fc3d87e86572a47a2
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-11-01 17:00:34 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-11-01 17:00:47 +0000

    www-servers/tomcat: removed vulnerable 8.5.57-r1
    
    Bug: https://bugs.gentoo.org/747970
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                |   1 -
 www-servers/tomcat/tomcat-8.5.57-r1.ebuild | 163 -----------------------------
 2 files changed, 164 deletions(-)
Comment 10 Miroslav Šulc gentoo-dev 2020-11-01 17:01:25 UTC
We're clean now, you can proceed :-)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-13 18:07:33 UTC
(In reply to Miroslav Šulc from comment #10)
> we're clean now, you can proceed :-)

Thanks!