CVE-2021-37533: Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711. Please bump to 3.9.0.
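To make the PASV host decision concrete, here is an added example (not code from Apache Commons Net or from this bug report) that models the two client policies described above in Python: trusting the host advertised in the server's 227 reply (the pre-3.9.0 default) versus keeping the control-connection host and taking only the port from the reply (the 3.9.0 default, matching cURL). The reply strings, the control host 203.0.113.10 and the internal target 10.0.0.5 are constructed for the demonstration; the function names are the example's own.

```python
"""Model of the FTP PASV host decision behind CVE-2021-37533 (constructed example)."""
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return the (host, port) a 227 reply advertises, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    match = _PASV_TUPLE.search(reply)
    if match is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in reply: {reply!r}")
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError(f"port 0 advertised in reply: {reply!r}")
    return host, port


def data_endpoint(control_host: str, reply: str, trust_pasv_host: bool) -> tuple[str, int]:
    """Decide where the data connection goes.

    trust_pasv_host=True  models the pre-3.9.0 default: connect to whatever host
                          the server put in the 227 reply.
    trust_pasv_host=False models the 3.9.0 default (and cURL): ignore that host,
                          reuse the control-connection host, take only the port.
    """
    advertised_host, port = parse_pasv_reply(reply)
    if trust_pasv_host:
        return advertised_host, port
    return control_host, port


def pasv_host_mismatch(control_host: str, reply: str) -> bool:
    """True when the server tried to steer the data connection elsewhere.

    Worth logging on the client side even when the host is ignored: a legitimate
    server behind NAT can trigger it, but so can the malicious server in the CVE.
    """
    advertised_host, _ = parse_pasv_reply(reply)
    return advertised_host != control_host


if __name__ == "__main__":
    # Constructed scenario: the user connects to a hostile server at 203.0.113.10,
    # which answers PASV with an address on the client's private network, port 22.
    control_host = "203.0.113.10"
    hostile_reply = "227 Entering Passive Mode (10,0,0,5,0,22)"

    print("trusting PASV host:", data_endpoint(control_host, hostile_reply, True))
    print("ignoring PASV host:", data_endpoint(control_host, hostile_reply, False))
    print("server tried to redirect:", pasv_host_mismatch(control_host, hostile_reply))
```

With the trusting policy the client opens a TCP connection to 10.0.0.5:22, and whether that connect succeeds or fails tells the server something about the client's private network; with the ignoring policy the same reply only yields 203.0.113.10:22, back at the server the user chose to talk to.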
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50f7a75fbc337ba67fb6cac15c5af4c707b5a188

commit 50f7a75fbc337ba67fb6cac15c5af4c707b5a188
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-12-05 09:17:15 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-12-05 10:37:30 +0000

    dev-java/commons-net: add 3.9.0

    Bug: https://bugs.gentoo.org/884201
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/28545
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/commons-net/Manifest                 |  2 ++
 dev-java/commons-net/commons-net-3.9.0.ebuild | 39 +++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
Thanks! Please stabilize when ready.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ca29a450d297bdd75190e97ec7440bae06dbf8c

commit 4ca29a450d297bdd75190e97ec7440bae06dbf8c
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-12-08 16:46:55 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-12-09 08:19:31 +0000

    dev-java/commons-net: drop 3.8.0

    Bug: https://bugs.gentoo.org/884201
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/28602
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-net/Manifest                 |  1 -
 dev-java/commons-net/commons-net-3.8.0.ebuild | 21 ---------------------
 2 files changed, 22 deletions(-)
Thanks! Looks very hard to exploit, so no GLSA. All done!