
Bug 656044

Summary: www-servers/tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1579611
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 678858, 692402
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2018-05-18 15:52:14 UTC
From ${URL} :

Apache Tomcat through versions 7.0.88, 8.0.52, 8.5.31 and 9.0.8 has default settings for the CORS filter that are insecure and enable 'supportsCredentials' for all origins.


External References:

https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html


Upstream Patches:

http://svn.apache.org/viewvc?view=rev&rev=1831726
http://svn.apache.org/viewvc?view=rev&rev=1831728
http://svn.apache.org/viewvc?view=rev&rev=1831729
http://svn.apache.org/viewvc?view=rev&rev=1831730


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
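Added illustration (editor's example, not code from Tomcat, from the upstream patches or from this bug): a reduced model of how the CORS filter turns its two relevant init-params into response headers, next to a check for the condition the summary describes, a request Origin reflected back together with Access-Control-Allow-Credentials: true. The init-param names cors.allowed.origins and cors.support.credentials are Tomcat's real ones; the decision logic is a simplified reconstruction of the simple-request path only (no preflight, header or method allow-lists), the TRUSTED_ORIGINS set and the evil/app origins are constructed for the example, and the "fixed default" scenario assumes the upstream fix flips the credentials default to false.

```python
"""Model of Tomcat CorsFilter defaults vs. a hardened configuration.

Editor's example; simplified reconstruction, not the filter's own code.
"""
from typing import Dict, Optional

# Constructed allow-list for the check below: origins our deployment trusts.
TRUSTED_ORIGINS = {"https://app.example.com"}


def tomcat_cors_headers(allowed_origins: str, support_credentials: bool,
                        request_origin: Optional[str]) -> Dict[str, str]:
    """Headers the filter adds for a simple (non-preflight) request.

    allowed_origins  -> value of init-param cors.allowed.origins
                        ("*" or a comma-separated list of origins)
    support_credentials -> value of init-param cors.support.credentials
    Simplification: where the real filter rejects a disallowed origin with
    403, this model just returns no CORS headers.
    """
    headers: Dict[str, str] = {}
    if request_origin is None:
        return headers  # no Origin header: not a CORS request, filter is idle
    any_origin = allowed_origins.strip() == "*"
    allowed = {o.strip() for o in allowed_origins.split(",") if o.strip()}
    if not any_origin and request_origin not in allowed:
        return headers  # origin not on the list: request is not granted
    if any_origin and not support_credentials:
        headers["Access-Control-Allow-Origin"] = "*"
    else:
        # Browsers refuse "*" together with credentials, so with credentials
        # enabled the filter echoes the specific requesting origin instead.
        # With "*" + supportsCredentials=true that means *every* origin gets
        # itself reflected, which is the insecure default this bug is about.
        headers["Access-Control-Allow-Origin"] = request_origin
    if support_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def reflects_credentials_to_untrusted_origin(request_origin: str,
                                             headers: Dict[str, str]) -> bool:
    """True when a response grants credentialed cross-origin access to an
    origin outside TRUSTED_ORIGINS. Usable on captured headers from a real
    server as well as on the model above."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    # "*" plus credentials is blocked by browsers, so only an echoed origin
    # actually lets a cross-site page read a credentialed response.
    return acac and acao == request_origin and request_origin not in TRUSTED_ORIGINS


def audit(allowed_origins: str, support_credentials: bool,
          request_origin: str) -> bool:
    """Run one configuration against one requesting origin."""
    hdrs = tomcat_cors_headers(allowed_origins, support_credentials, request_origin)
    return reflects_credentials_to_untrusted_origin(request_origin, hdrs)


if __name__ == "__main__":
    attacker = "https://evil.example"  # constructed hostile origin
    scenarios = [
        ("affected default: origins '*', credentials true", "*", True),
        ("fixed default: origins '*', credentials false", "*", False),
        ("hardened: explicit origin list, credentials true",
         "https://app.example.com", True),
    ]
    for label, origins, creds in scenarios:
        leak = audit(origins, creds, attacker)
        print(f"{label}: {'LEAKS credentials to ' + attacker if leak else 'ok'}")
```

In web.xml the hardened shape is an explicit comma-separated cors.allowed.origins list rather than "*" whenever cors.support.credentials is true; the check function can be pointed at headers captured from a live server by sending a request with a forged Origin and passing the response headers in.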
Comment 1 Miroslav Šulc gentoo-dev 2019-02-10 14:30:42 UTC
i guess this will take some time, because:

* www-servers/tomcat:7 - is fine, we have only 7.0.92 (stable)
* www-servers/tomcat:8 - we have affected 8.0.52 (stable) and unaffected 8.0.53 (unstable), which depends on >=dev-java/ant-core-1.9.13 which is not stable yet
* www-servers/tomcat:8.5 - we have affected 8.5.31 (stable) and unaffected 8.5.37 (unstable), which depends on >=dev-java/ant-core-1.9.13 which is not stable yet
* www-servers/tomcat:9 - we have affected 9.0.8 (stable) and unaffected 9.0.{14,16} (unstable), both depend on >=dev-java/ant-core-1.9.13 which is not stable yet and also on virtual/jdk-11 which is masked atm

we can stabilize ant-core-1.9.13 sooner than at 2019-02-24 and hence we could remove the affected versions for slots 8 and 8.5, but idk when we will unmask java 11, gyakovlev would probably know better. and it will take some time before it will go stable.

shall we proceed with ant-core-1.9.13 and/or 1.10.5 stabilization to fix at least slot 8 and 8.5? there were some issues with these new versions but all that have been reported have been solved.
Comment 2 Larry the Git Cow gentoo-dev 2019-03-02 19:57:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61beaeeb0af2968e7e27c278bd5b33ea00849880

commit 61beaeeb0af2968e7e27c278bd5b33ea00849880
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-03-02 19:56:36 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-03-02 19:57:03 +0000

    www-servers/tomcat-8.{0.52,5.31}: removed obsolete
    
    Bug: https://bugs.gentoo.org/662168
    Bug: https://bugs.gentoo.org/656044
    Bug: https://bugs.gentoo.org/662892
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   2 -
 www-servers/tomcat/tomcat-8.0.52.ebuild | 158 --------------------------------
 www-servers/tomcat/tomcat-8.5.31.ebuild | 158 --------------------------------
 3 files changed, 318 deletions(-)
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-03-27 00:17:27 UTC
(In reply to Larry the Git Cow from comment #2)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=61beaeeb0af2968e7e27c278bd5b33ea00849880
> 
> commit 61beaeeb0af2968e7e27c278bd5b33ea00849880
> Author:     Miroslav Šulc <fordfrog@gentoo.org>
> AuthorDate: 2019-03-02 19:56:36 +0000
> Commit:     Miroslav Šulc <fordfrog@gentoo.org>
> CommitDate: 2019-03-02 19:57:03 +0000
> 
>     www-servers/tomcat-8.{0.52,5.31}: removed obsolete
>     
>     Bug: https://bugs.gentoo.org/662168
>     Bug: https://bugs.gentoo.org/656044
>     Bug: https://bugs.gentoo.org/662892
>     Package-Manager: Portage-2.3.62, Repoman-2.3.12
>     Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
> 
>  www-servers/tomcat/Manifest             |   2 -
>  www-servers/tomcat/tomcat-8.0.52.ebuild | 158
> --------------------------------
>  www-servers/tomcat/tomcat-8.5.31.ebuild | 158
> --------------------------------
>  3 files changed, 318 deletions(-)

9.0.7 is still vulnerable and stable on amd64.  Other slots are good.  Please decide how to approach slot 9.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-08-17 16:07:52 UTC
@java, ping. dev-java/ant-core dependencies look to be resolved now.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-08-17 16:09:01 UTC
nevermind, the virtual is still masked
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 20:44:02 UTC
GLSA Vote: No!
Comment 7 Miroslav Šulc gentoo-dev 2020-02-09 23:41:42 UTC
i've dropped 9.0.7 so you can proceed now
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 17:04:25 UTC
Repository is clean, all done!