Bug 692402 (CVE-2019-0221)

Summary:	<www-servers/tomcat-{7.0.93,8.5.39}: XSS in SSI printenv (CVE-2019-0221)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	java
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B4 [glsa+ cve]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	656044, 662168, 662892

Description GLSAMaker/CVETool Bot gentoo-dev

2019-08-17 22:58:29 UTC

CVE-2019-0221 (https://nvd.nist.gov/vuln/detail/CVE-2019-0221):
  The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to
  8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and
  is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv
  command is intended for debugging and is unlikely to be present in a
  production website.

Comment 1 Miroslav Šulc gentoo-dev

2019-09-21 07:05:59 UTC

slots 7 and 8.5 are clean, slot 9 needs virtual/{jdk,jre} unmasked first to stabilize the newest version of tomcat in that slot.

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-26 20:42:32 UTC

@ maintainer(s): ping, please name exact virtual/{jre,jdk} you are waiting for!

Comment 3 Miroslav Šulc gentoo-dev

2019-10-26 20:46:24 UTC

(In reply to Thomas Deutschmann from comment #2)
> @ maintainer(s): ping, please name exact virtual/{jre,jdk} you are waiting
> for!

slot 11

Comment 4 Miroslav Šulc gentoo-dev

2020-02-09 23:39:19 UTC

i've dropped 9.0.7 so you can proceed now

Comment 5 Sam James archtester

2020-03-19 01:10:40 UTC

Tree looks clean?

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-19 17:03:19 UTC

Added to an existing GLSA request.

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2020-03-19 17:17:59 UTC

This issue was resolved and addressed in
 GLSA 202003-43 at https://security.gentoo.org/glsa/202003-43
by GLSA coordinator Thomas Deutschmann (whissi).