| Field | Value |
|---|---|
| Summary: | <www-servers/tomcat-{7.0.104,8.5.55}: Remote Code Execution via session persistence (CVE-2020-9484) |
| Product: | Gentoo Security |
| Reporter: | Sam James <sam> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | major |
| CC: | fordfrog, java |
| Priority: | Normal |
| Flags: | nattka: sanity-check+ |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | https://www.openwall.com/lists/oss-security/2020/05/20/4 |
| Whiteboard: | B1 [glsa+ cve cleanup] |
| Runtime testing required: | --- |

Package list:

=www-servers/tomcat-7.0.104 amd64
=dev-java/tomcat-servlet-api-7.0.104 amd64 ppc64 x86
=www-servers/tomcat-8.5.55 amd64
=dev-java/tomcat-servlet-api-8.5.55 amd64 ppc64 x86
Description
Sam James
2020-05-20 15:28:28 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself

Sanity check failed:
> www-servers/tomcat-7.0.104
> depend amd64 stable profile default/linux/amd64/17.0 (28 total)
> ~dev-java/tomcat-servlet-api-7.0.104:3.0
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> ~dev-java/tomcat-servlet-api-7.0.104:3.0
> rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
> ~dev-java/tomcat-servlet-api-7.0.104:3.0
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> ~dev-java/tomcat-servlet-api-7.0.104:3.0
> www-servers/tomcat-8.5.55
> depend amd64 stable profile default/linux/amd64/17.0 (28 total)
> ~dev-java/tomcat-servlet-api-8.5.55:3.1
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> ~dev-java/tomcat-servlet-api-8.5.55:3.1
> rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
> ~dev-java/tomcat-servlet-api-8.5.55:3.1
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> ~dev-java/tomcat-servlet-api-8.5.55:3.1
please stabilize

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ee1ed4c847701b5095b39a29de158554ff74571

commit 3ee1ed4c847701b5095b39a29de158554ff74571
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-05-20 18:08:08 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-05-20 18:08:08 +0000

www-servers/tomcat: removed vulnerable version 9.0.34

Bug: https://bugs.gentoo.org/724344
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

www-servers/tomcat/Manifest | 1 -
www-servers/tomcat/tomcat-9.0.34.ebuild | 181 --------------------------------
2 files changed, 182 deletions(-)

amd64 stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc31a9948285a982d825c7c8c17151f347d8bea9

commit cc31a9948285a982d825c7c8c17151f347d8bea9
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-05-21 10:22:59 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-05-21 10:22:59 +0000

www-servers/tomcat: removed vulnerable versions 7.0.103 and 8.5.54

Bug: https://bugs.gentoo.org/724344
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

www-servers/tomcat/Manifest | 2 -
www-servers/tomcat/tomcat-7.0.103.ebuild | 146 ----------------------------
www-servers/tomcat/tomcat-8.5.54.ebuild | 158 -------------------------------
3 files changed, 306 deletions(-)

This issue was resolved and addressed in GLSA 202006-21 at https://security.gentoo.org/glsa/202006-21 by GLSA coordinator Aaron Bauman (b-man).