Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 729668 (CVE-2020-11996)

Summary: <www-servers/tomcat-{8.5.56, 9.0.36}: Denial of service vulnerability (CVE-2020-11996)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: fordfrog, java
Priority: Normal Flags: nattka: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://marc.info/?l=apache-announce&m=159312225205518&w=2
Whiteboard: B3 [noglsa cve]
Package list:
=dev-java/tomcat-servlet-api-8.5.56 amd64 ppc64 x86 =dev-java/tomcat-servlet-api-9.0.36 amd64 =www-servers/tomcat-8.5.56 amd64
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 22:33:11 UTC
Description:

A specially crafted sequence of HTTP/2 requests could trigger high CPU
usage for several seconds. If a sufficient number of such requests were
made on concurrent HTTP/2 connections, the server could become unresponsive.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M6 or later
- Upgrade to Apache Tomcat 9.0.36 or later
- Upgrade to Apache Tomcat 8.5.56 or later



Maintainer(s), please call for stabilization for 8.5.56 when ready.
Comment 1 Larry the Git Cow gentoo-dev 2020-06-26 07:13:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e6588e21ed7b8395bc47c1163c7261eb94f8ec10

commit e6588e21ed7b8395bc47c1163c7261eb94f8ec10
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-06-26 07:12:49 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-06-26 07:12:49 +0000

    www-servers/tomcat: removed vulnerable 9.0.35
    
    Bug: https://bugs.gentoo.org/729668
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 -
 www-servers/tomcat/tomcat-9.0.35.ebuild | 181 --------------------------------
 2 files changed, 182 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2020-06-26 07:18:10 UTC
these are ready to stabilize. i also included the api archs, though not necessarily needed, but to get rid of the affected api versions.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-26 19:07:51 UTC
(In reply to Miroslav Šulc from comment #2)
> these are ready to stabilize. i also included the api archs, though not
> necessarily needed, but to get rid of the affected api versions.

thank you
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-28 20:28:36 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-28 20:30:04 UTC
x86 stable
Comment 6 NATTkA bot gentoo-dev 2020-06-28 20:32:44 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 7 Larry the Git Cow gentoo-dev 2020-06-29 04:55:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3fb737f93ec72b191d4985bce5a0d25504489046

commit 3fb737f93ec72b191d4985bce5a0d25504489046
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-06-29 04:54:40 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-06-29 04:54:40 +0000

    www-servers/tomcat: removed vulnerable 8.5.55
    
    Bug: https://bugs.gentoo.org/729668
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 -
 www-servers/tomcat/tomcat-8.5.55.ebuild | 158 --------------------------------
 2 files changed, 159 deletions(-)
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2020-06-29 06:36:43 UTC
There are no packages for ppc@. Removing from CC.
Comment 9 Miroslav Šulc gentoo-dev 2020-06-29 06:55:34 UTC
my fault, should have been ppc64
Comment 10 Agostino Sarubbo gentoo-dev 2020-07-02 06:32:56 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Larry the Git Cow gentoo-dev 2020-07-02 07:19:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48ac1540787ad049b3cfb639fa0b753d22afea7b

commit 48ac1540787ad049b3cfb639fa0b753d22afea7b
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-07-02 07:19:26 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-07-02 07:19:26 +0000

    dev-java/tomcat-servlet-api: removed obsolete {8.5.54,9.0.3[45]}
    
    Bug: https://bugs.gentoo.org/729668
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/tomcat-servlet-api/Manifest               |  3 --
 .../tomcat-servlet-api-8.5.54.ebuild               | 39 ----------------------
 .../tomcat-servlet-api-9.0.34.ebuild               | 39 ----------------------
 .../tomcat-servlet-api-9.0.35.ebuild               | 39 ----------------------
 4 files changed, 120 deletions(-)
Comment 12 Miroslav Šulc gentoo-dev 2020-07-02 07:21:27 UTC
www-servers/tomcat is already clean and related dev-java/tomcat-servlet-api is up to date too.
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-02 10:36:00 UTC
(In reply to Miroslav Šulc from comment #12)
> www-servers/tomcat is already clean and related dev-java/tomcat-servlet-api
> is up to date too.

Thank you :)
Comment 14 NATTkA bot gentoo-dev 2020-07-20 08:44:39 UTC
Unable to check for sanity:

> no match for package: =www-servers/tomcat-8.5.56