Bug 878911 (CVE-2022-42252) - <www-servers/tomcat-{8.5.83,6.0.68,10.0.27,10.1.1}: request smuggling
Summary: <www-servers/tomcat-{8.5.83,6.0.68,10.0.27,10.1.1}: request smuggling
Status: RESOLVED FIXED
Alias: CVE-2022-42252
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 880871
Blocks:
Reported: 2022-10-31 18:50 UTC by John Helmert III
Modified: 2023-05-31 02:20 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 18:50:29 UTC
"If Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not
reject a request containing an invalid Content-Length header making a request
smuggling attack possible if Tomcat was located behind a reverse proxy that
also failed to reject the request with the invalid header.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Ensure rejectIllegalHeader is set to true
- Upgrade to Apache Tomcat 10.1.1 or later
- Upgrade to Apache Tomcat 10.0.27 or later
- Upgrade to Apache Tomcat 9.0.68 or later
- Upgrade to Apache Tomcat 8.5.83 or later"

Please stabilize fixed versions.
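The first mitigation in the quoted advisory is a single Connector attribute in Tomcat's conf/server.xml. As an added example (not taken from this bug, the advisory or the Tomcat project's own documentation), here is the lenient setting the advisory describes beside the corrected one; the port, protocol and timeout values are assumed placeholders.

```xml
<!-- Added example, not from the bug report or Tomcat docs.
     port/protocol/connectionTimeout are assumed placeholder values. -->

<!-- Lenient (the 8.5.x default): an illegal header such as a malformed
     Content-Length is ignored and the request is still processed, which is
     the precondition for the smuggling described in CVE-2022-42252 when a
     reverse proxy in front of Tomcat is equally permissive. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           rejectIllegalHeader="false" />

<!-- Mitigated: a request carrying an illegal header name or value is rejected
     with a 400 response instead of being parsed on a best-effort basis. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           rejectIllegalHeader="true" />
```

The attribute applies per Connector, so every HTTP/1.1 Connector in server.xml needs it, and it is worth setting explicitly even after upgrading to one of the fixed versions listed above rather than relying on the per-branch default the advisory notes.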
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-12 03:07:16 UTC
Please cleanup
Comment 2 Larry the Git Cow gentoo-dev 2022-11-12 07:03:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7743ec01429d2a0dccdc827f63ac4d9fadcb7e7e

commit 7743ec01429d2a0dccdc827f63ac4d9fadcb7e7e
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-11-12 07:03:34 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-11-12 07:03:45 +0000

    www-servers/tomcat: dropped obsolete 10.1.0-r1, 10.0.26, 9.0.67 & 8.5.82
    
    Bug: https://bugs.gentoo.org/880871
    Bug: https://bugs.gentoo.org/878911
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                |   6 -
 www-servers/tomcat/tomcat-10.0.26.ebuild   | 198 -----------------------------
 www-servers/tomcat/tomcat-10.1.0-r1.ebuild | 194 ----------------------------
 www-servers/tomcat/tomcat-8.5.82.ebuild    | 159 -----------------------
 www-servers/tomcat/tomcat-9.0.67.ebuild    | 190 ---------------------------
 5 files changed, 747 deletions(-)
Comment 3 Miroslav Šulc gentoo-dev 2022-11-12 07:09:47 UTC
the tree is clean now, you can proceed.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-12 16:49:01 UTC
Thanks!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 23:17:47 UTC
GLSA request filed.
Comment 6 Larry the Git Cow gentoo-dev 2023-05-30 03:05:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a8b85191c046076a4e4d12c8541d49e1473aaa66

commit a8b85191c046076a4e4d12c8541d49e1473aaa66
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 03:03:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:05:04 +0000

    [ GLSA 202305-37 ] Apache Tomcat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/878911
    Bug: https://bugs.gentoo.org/889596
    Bug: https://bugs.gentoo.org/896370
    Bug: https://bugs.gentoo.org/907387
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-37.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 03:06:47 UTC
GLSA released, all done!
Comment 8 Larry the Git Cow gentoo-dev 2023-05-31 02:20:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=023c3018165ffad6f1f6a874561e1c3c555cb505

commit 023c3018165ffad6f1f6a874561e1c3c555cb505
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-05-31 02:20:03 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-31 02:20:25 +0000

    [ GLSA 202305-37 ] fix versions, add other slots
    
    Bug: https://bugs.gentoo.org/878911
    Bug: https://bugs.gentoo.org/889596
    Bug: https://bugs.gentoo.org/896370
    Bug: https://bugs.gentoo.org/907387
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-37.xml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)