
Bug 692402 (CVE-2019-0221)

Summary: <www-servers/tomcat-{7.0.93,8.5.39}: XSS in SSI printenv (CVE-2019-0221)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 656044, 662168, 662892

Description GLSAMaker/CVETool Bot gentoo-dev 2019-08-17 22:58:29 UTC
CVE-2019-0221 (https://nvd.nist.gov/vuln/detail/CVE-2019-0221):
  The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to
  8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and
  is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv
  command is intended for debugging and is unlikely to be present in a
  production website.
Comment 1 Miroslav Šulc gentoo-dev 2019-09-21 07:05:59 UTC
Slots 7 and 8.5 are clean; slot 9 needs virtual/{jdk,jre} unmasked first to stabilize the newest version of tomcat in that slot.
Comment 2 Thomas Deutschmann gentoo-dev Security 2019-10-26 20:42:32 UTC
@ maintainer(s): ping, please name exact virtual/{jre,jdk} you are waiting for!
Comment 3 Miroslav Šulc gentoo-dev 2019-10-26 20:46:24 UTC
(In reply to Thomas Deutschmann from comment #2)
> @ maintainer(s): ping, please name exact virtual/{jre,jdk} you are waiting
> for!

slot 11
Comment 4 Miroslav Šulc gentoo-dev 2020-02-09 23:39:19 UTC
I've dropped 9.0.7, so you can proceed now.
Comment 5 Sam James gentoo-dev Security 2020-03-19 01:10:40 UTC
Tree looks clean?
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-03-19 17:03:19 UTC
Added to an existing GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 17:17:59 UTC
This issue was resolved and addressed in
 GLSA 202003-43 at https://security.gentoo.org/glsa/202003-43
by GLSA coordinator Thomas Deutschmann (whissi).