Bug 855971 (CVE-2022-34305) - <www-servers/tomcat-{8.5.82,9.0.65,10.0.23}: XSS in examples webapp
Summary: <www-servers/tomcat-{8.5.82,9.0.65,10.0.23}: XSS in examples webapp
Status: RESOLVED FIXED
Alias: CVE-2022-34305
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.apache.org/thread/k04zk...
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 865847
Blocks:
Reported: 2022-07-02 17:17 UTC by John Helmert III
Modified: 2022-08-21 05:47 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-02 17:17:07 UTC
CVE-2022-34305:
http://www.openwall.com/lists/oss-security/2022/06/23/1

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81, the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.

Please bump.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-20 21:36:10 UTC
9.0.65 was just released which fixes this too.
Comment 2 Larry the Git Cow gentoo-dev 2022-07-21 03:33:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5751812bf9042cfd2a4129cef26a56c931205e1c

commit 5751812bf9042cfd2a4129cef26a56c931205e1c
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-07-21 03:33:17 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-07-21 03:33:23 +0000

    www-servers/tomcat: bump to 9.0.65
    
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 +
 www-servers/tomcat/tomcat-9.0.65.ebuild | 190 ++++++++++++++++++++++++++++++++
 2 files changed, 191 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-07-26 17:52:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c470f5e10c7fa9f8398f206376718cc65785b6b0

commit c470f5e10c7fa9f8398f206376718cc65785b6b0
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-07-26 17:52:17 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-07-26 17:52:17 +0000

    www-servers/tomcat: bump to 10.0.23
    
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest              |   1 +
 www-servers/tomcat/tomcat-10.0.23.ebuild | 198 +++++++++++++++++++++++++++++++
 2 files changed, 199 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-08-13 16:07:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27228226e11fba6757c3a09fe4af1f777744f533

commit 27228226e11fba6757c3a09fe4af1f777744f533
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-08-13 16:07:36 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-08-13 16:07:36 +0000

    www-servers/tomcat: bump to 8.5.82
    
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 +
 www-servers/tomcat/tomcat-8.5.82.ebuild | 159 ++++++++++++++++++++++++++++++++
 2 files changed, 160 insertions(+)
Comment 5 Miroslav Šulc gentoo-dev 2022-08-13 16:09:32 UTC
It is a low severity issue, so let's give it a few days before the stabilization.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-13 23:28:16 UTC
Works for me! Definitely noglsa.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 01:33:20 UTC
Actually, given there's other Tomcat bugs waiting for GLSA we can just throw this one in with the others.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 01:40:30 UTC
GLSA request filed. Will wait for stabilization before releasing.
Comment 9 Larry the Git Cow gentoo-dev 2022-08-21 02:09:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4afff138b8507c9b0b4fdbebda4c8d1935d6238

commit a4afff138b8507c9b0b4fdbebda4c8d1935d6238
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-21 01:35:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-21 01:40:47 +0000

    [ GLSA 202208-34 ] Apache Tomcat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/773571
    Bug: https://bugs.gentoo.org/801916
    Bug: https://bugs.gentoo.org/818160
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-34.xml | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-21 02:14:37 UTC
GLSA released, all done!
Comment 11 Larry the Git Cow gentoo-dev 2022-08-21 05:47:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99b0ea9db99b33526acd6557de1570033a0adfff

commit 99b0ea9db99b33526acd6557de1570033a0adfff
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-08-21 05:47:24 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-08-21 05:47:24 +0000

    www-servers/tomcat: dropped obsolete and vulnerable 10.0.22, 9.0.64 & 8.5.81
    
    Bug: https://bugs.gentoo.org/865847
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest              |   3 -
 www-servers/tomcat/tomcat-10.0.22.ebuild | 198 -------------------------------
 www-servers/tomcat/tomcat-8.5.81.ebuild  | 159 -------------------------
 www-servers/tomcat/tomcat-9.0.64.ebuild  | 190 -----------------------------
 4 files changed, 550 deletions(-)