| Summary: | <www-servers/tomcat-{6.0.44,7.0.59}: Security Manager Bypass (CVE-2014-7810) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | java |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://mail-archives.us.apache.org/mod_mbox/www-announce/201505.mbox/%3C5554AB1C.7050606@apache.org%3E | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=519590 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-05-15 10:16:01 UTC
8 in tree is not affected, only older versions of 7 < tomcat-7.0.59 need to be removed. Current is Tomcat 7.0.62, released 2015-05-14. I would remove 6 entirely, though it is still current upstream, Tomcat 6.0.44 released 2015-05-12. ALL versions of 6 in tree are affected.

```diff
+*tomcat-6.0.44 (03 Jun 2015)
+
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +files/tomcat-6.0.44-build.xml.patch, +tomcat-6.0.44.ebuild,
+  -files/tomcat-6.0.41-build.xml.patch, -files/tomcat-6.0.43-build.xml.patch,
+  -tomcat-6.0.41.ebuild, -tomcat-6.0.43.ebuild:
+  Tomcat 6.0.44 version bump. EAPI 5 bump. Remove vulnerable versions. Fix
+  security bug 549536.
+
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -files/tomcat-7.0.56-build.xml.patch, -files/tomcat-7.0.57-build.xml.patch,
+  -tomcat-7.0.56.ebuild, -tomcat-7.0.57.ebuild:
+  Remove vulnerable versions < Tomcat 7.0.59. Fix security bug 549536.
+
+*tomcat-servlet-api-6.0.44 (03 Jun 2015)
+
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +tomcat-servlet-api-6.0.44.ebuild, -tomcat-servlet-api-6.0.41.ebuild,
+  -tomcat-servlet-api-6.0.43.ebuild:
+  Tomcat 6.0.44 version bump. Remove vulnerable versions. Fix security bug
+  549536.
+
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -tomcat-servlet-api-7.0.56.ebuild, -tomcat-servlet-api-7.0.57.ebuild:
+  Remove vulnerable versions < Tomcat 7.0.59. Fix security bug 549536.
+
```

Hi security team,

There are no vulnerable versions of Tomcat in the tree. I've bumped Tomcat 6 and while at it, cleaned up the vulnerable versions. However, tomcat 6/7/8 now need stabilising (stabled versions are no more).

Please stabilise:

- www-servers/tomcat-6.0.44.ebuild
- www-servers/tomcat-7.0.59.ebuild
- www-servers/tomcat-8.0.23.ebuild

As well as:

- dev-java/tomcat-servlet-api-6.0.44.ebuild
- dev-java/tomcat-servlet-api-7.0.59.ebuild
- dev-java/tomcat-servlet-api-8.0.23.ebuild

Thanks.
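Review bot: the removal entries for tomcat-6.0.41/6.0.43 and tomcat-7.0.56/7.0.57 (and the matching tomcat-servlet-api ebuilds) delete the only stable ebuilds while the replacements 6.0.44, 7.0.59 and 8.0.23 are still unstable, so stable users are left with no installable version; keep the old ebuilds in the tree until the arches have stabilised the new ones and drop them in a follow-up commit that references bug 549536.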
```diff
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +tomcat-servlet-api-6.0.41.ebuild, +tomcat-servlet-api-6.0.43.ebuild,
+  +tomcat-servlet-api-7.0.56.ebuild, +tomcat-servlet-api-7.0.57.ebuild,
+  tomcat-servlet-api-6.0.44.ebuild, tomcat-servlet-api-7.0.59.ebuild,
+  tomcat-servlet-api-8.0.23.ebuild:
+  Restore vulnerable ebuilds until security team stabilise the new version.
+  See bug 549536.
+
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +files/tomcat-6.0.41-build.xml.patch, +files/tomcat-6.0.43-build.xml.patch,
+  +files/tomcat-7.0.56-build.xml.patch, +files/tomcat-7.0.57-build.xml.patch,
+  +tomcat-6.0.41.ebuild, +tomcat-6.0.43.ebuild, +tomcat-7.0.56.ebuild,
+  +tomcat-7.0.57.ebuild:
+  Restore vulnerable ebuilds until security team stabilise the new version. See
+  bug 549536.
+
```

There you go: I've been told not to remove the vulnerable ebuilds until security team say so. I didn't want to cause a stir so I've added back the vulnerable versions. Over to you guys.

Thanks,

Arches, please stabilize:

=www-servers/tomcat-6.0.44
Stable targets: amd64 ppc ppc64 x86

=www-servers/tomcat-7.0.59
Stable targets: amd64 ppc ppc64 x86

dev-java/tomcat-servlet-api needs stabilisation as well.

=dev-java/tomcat-servlet-api-6.0.44
Stable targets: amd64 ppc ppc64 x86

=dev-java/tomcat-servlet-api-7.0.59
Stable targets: amd64 ppc ppc64 x86

Thanks.

amd64 stable

x86 stable

ping @ppc and @ppc64. Could you please stabilise tomcat-7.0.59.ebuild and tomcat-6.0.44.ebuild? These two are the last missing bit. Thanks!

Looks like the stabilisations fixed CVE-2014-0230 too.

ppc64 stable

ppc can't be done because of bug 536888

(In reply to Agostino Sarubbo from comment #15)
> ppc can't be done because of bug 536888

Please reconsider following my comments there. Hopefully you're not able to reproduce that problem any more.
CVE-2014-7810 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7810):
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

ppc stable.

Maintainer(s), please cleanup. Security, please vote.

```diff
+  15 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -files/tomcat-6.0.41-build.xml.patch, -files/tomcat-6.0.43-build.xml.patch,
+  -files/tomcat-7.0.56-build.xml.patch, -files/tomcat-7.0.57-build.xml.patch,
+  -tomcat-6.0.41.ebuild, -tomcat-6.0.43.ebuild, -tomcat-7.0.56.ebuild,
+  -tomcat-7.0.57.ebuild:
+  Remove old.
+
+  15 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -tomcat-servlet-api-6.0.41.ebuild, -tomcat-servlet-api-6.0.43.ebuild,
+  -tomcat-servlet-api-7.0.56.ebuild, -tomcat-servlet-api-7.0.57.ebuild:
+  Remove vulnerable versions. Fix security bug 549536.
+
```

Maintainer and arches, thank you for your work.

GLSA Vote: No

GLSA Vote: No

Thank you all. Closing as noglsa.
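Review bot: the www-servers/tomcat entry's message reads only "Remove old." while the parallel tomcat-servlet-api entry says "Remove vulnerable versions. Fix security bug 549536."; the tomcat entry should likewise state that the ebuilds are removed as vulnerable and name bug 549536, since this is the security cleanup requested above rather than routine pruning, and the ChangeLog is what later readers will use to trace why stable 6.0.41/6.0.43 and 7.0.56/7.0.57 disappeared.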
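The NVD text quoted above gives the first fixed version on each Tomcat branch (6.0.44, 7.0.58, 8.0.16). The check below, added here as an example and not part of the bug report or of Gentoo's own tooling, turns those ranges into a version comparison that accepts either a bare version string or an ebuild atom like the ones listed in this bug. The function names `parse_version`, `is_vulnerable` and `vulnerable_atoms` and the sample atom list are constructed for the example.

```python
"""Flag Apache Tomcat versions in the CVE-2014-7810 range.

Added example, not from the bug report. The fixed versions come from the NVD
text quoted on the page: 6.x < 6.0.44, 7.x < 7.0.58 and 8.x < 8.0.16.
"""
import re
from typing import List, Optional, Tuple

# First fixed release on each affected branch, keyed by major version.
FIXED_VERSIONS = {6: (6, 0, 44), 7: (7, 0, 58), 8: (8, 0, 16)}

# Tomcat releases are always x.y.z; a Gentoo atom may carry a -rN revision
# suffix after that, which we deliberately ignore (it is a packaging revision).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(spec: str) -> Tuple[int, int, int]:
    """Extract a three-part version from '7.0.59', 'tomcat-7.0.59-r1' or
    '=www-servers/tomcat-7.0.59'. Raises ValueError when nothing matches,
    so an unparsable entry is reported rather than silently treated as fixed."""
    m = _VERSION_RE.search(spec)
    if m is None:
        raise ValueError(f"no x.y.z version found in {spec!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable(spec: str) -> Optional[bool]:
    """True if the version predates the fix on its branch, False if it is at
    or past the fix, None if the branch is not covered by the advisory at all
    (so the caller can treat 'unknown' differently from 'fixed')."""
    version = parse_version(spec)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed  # lexicographic tuple compare: (6,0,43) < (6,0,44)


def vulnerable_atoms(atoms: List[str]) -> List[str]:
    """Return the entries of an installed-package list that still need updating."""
    return [atom for atom in atoms if is_vulnerable(atom)]


# Constructed sample: the ebuilds named in this bug plus one branch the
# advisory does not cover (the 5.5.36 entry is made up for the example).
SAMPLE_ATOMS = [
    "=www-servers/tomcat-6.0.41",
    "=www-servers/tomcat-6.0.44",
    "=www-servers/tomcat-7.0.57",
    "=www-servers/tomcat-7.0.59",
    "=www-servers/tomcat-8.0.23",
    "=www-servers/tomcat-5.5.36",
]

if __name__ == "__main__":
    for atom in SAMPLE_ATOMS:
        print(f"{atom}: vulnerable={is_vulnerable(atom)}")
    print("needs update:", vulnerable_atoms(SAMPLE_ATOMS))
```

The `None` result for an uncovered branch is kept distinct from `False` so that an unlisted branch is reported as unknown rather than as fixed. A version check only establishes exposure to this bug: the bypass described in the CVE text is a SecurityManager bypass, so it matters for deployments that actually run Tomcat with the SecurityManager enabled, and the fix is still to move to the stabilised 6.0.44 / 7.0.59 / 8.0.23 ebuilds named in this bug.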