| Summary: | <www-servers/tomcat-{7.0.70, 8.0.36}: Usage of vulnerable FileUpload package can result in denial of service (CVE-2016-3092) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | java |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1349468 | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=739350 | ||
| Whiteboard: | B3 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 598324 | ||
| Bug Blocks: | 575796 | ||
none of the 8.5.x versions in the tree is affected by this issue. and according to the log at http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.36_(markt) it seems the first unaffected version is 8.0.36. anyway, there are some bugs reported against this version that block stabilization so these should be fixed first i guess. CVE-2016-3092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3092): The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. 8.5.x is currently unstable. @maintainer(s), please let us know if you are ready to stabilize the unaffected versions. If so, please call for stabilization in this bug or let us know. Thank you. GLSA Vote: Yes. Given the blocked bug this will require a GLSA. We will do stabilization in bug 598324. Arches and Maintainer(s), Thank you for your work. This issue was resolved and addressed in GLSA 201705-09 at https://security.gentoo.org/glsa/201705-09 by GLSA coordinator Yury German (BlueKnight). |
From ${URL} : Apache Tomcat uses a package renamed copy of Apache Commons FileUpload to implement the file upload requirements of the Servlet specification. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary was the typical tens of bytes long. External references: http://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-7.html Upstream fixes: Tomcat 8.5.x: http://svn.apache.org/viewvc?view=revision&revision=1743722 Tomcat 8.0.x: http://svn.apache.org/viewvc?view=revision&revision=1743738 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.