Bug 729668 (CVE-2020-11996)

Summary:	<www-servers/tomcat-{8.5.56, 9.0.36}: Denial of service vulnerability (CVE-2020-11996)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	fordfrog, java
Priority:	Normal	Flags:	nattka: sanity-check-
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://marc.info/?l=apache-announce&m=159312225205518&w=2
Whiteboard:	B3 [noglsa cve]
Package list:	=dev-java/tomcat-servlet-api-8.5.56 amd64 ppc64 x86 =dev-java/tomcat-servlet-api-9.0.36 amd64 =www-servers/tomcat-8.5.56 amd64	Runtime testing required:	---

Description John Helmert III archtester

2020-06-25 22:33:11 UTC

Description:

A specially crafted sequence of HTTP/2 requests could trigger high CPU
usage for several seconds. If a sufficient number of such requests were
made on concurrent HTTP/2 connections, the server could become unresponsive.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M6 or later
- Upgrade to Apache Tomcat 9.0.36 or later
- Upgrade to Apache Tomcat 8.5.56 or later



Maintainer(s), please call for stabilization for 8.5.56 when ready.

Comment 1 Larry the Git Cow gentoo-dev

2020-06-26 07:13:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e6588e21ed7b8395bc47c1163c7261eb94f8ec10

commit e6588e21ed7b8395bc47c1163c7261eb94f8ec10
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-06-26 07:12:49 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-06-26 07:12:49 +0000

    www-servers/tomcat: removed vulnerable 9.0.35
    
    Bug: https://bugs.gentoo.org/729668
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 -
 www-servers/tomcat/tomcat-9.0.35.ebuild | 181 --------------------------------
 2 files changed, 182 deletions(-)

Comment 2 Miroslav Šulc gentoo-dev

2020-06-26 07:18:10 UTC

these are ready to stabilize. i also included the api archs, though not necessarily needed, but to get rid of the affected api versions.

Comment 3 Sam James archtester

2020-06-26 19:07:51 UTC

(In reply to Miroslav Šulc from comment #2)
> these are ready to stabilize. i also included the api archs, though not
> necessarily needed, but to get rid of the affected api versions.

thank you

Comment 4 Agostino Sarubbo gentoo-dev

2020-06-28 20:28:36 UTC

amd64 stable

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2020-06-28 20:30:04 UTC

x86 stable

Comment 6 NATTkA bot gentoo-dev

2020-06-28 20:32:44 UTC

Resetting sanity check; package list is empty or all packages are done.

Comment 7 Larry the Git Cow gentoo-dev

2020-06-29 04:55:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3fb737f93ec72b191d4985bce5a0d25504489046

commit 3fb737f93ec72b191d4985bce5a0d25504489046
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-06-29 04:54:40 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-06-29 04:54:40 +0000

    www-servers/tomcat: removed vulnerable 8.5.55
    
    Bug: https://bugs.gentoo.org/729668
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 -
 www-servers/tomcat/tomcat-8.5.55.ebuild | 158 --------------------------------
 2 files changed, 159 deletions(-)

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2020-06-29 06:36:43 UTC

There are no packages for ppc@. Removing from CC.

Comment 9 Miroslav Šulc gentoo-dev

2020-06-29 06:55:34 UTC

my fault, should have been ppc64

Comment 10 Agostino Sarubbo gentoo-dev

2020-07-02 06:32:56 UTC

ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 11 Larry the Git Cow gentoo-dev

2020-07-02 07:19:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48ac1540787ad049b3cfb639fa0b753d22afea7b

commit 48ac1540787ad049b3cfb639fa0b753d22afea7b
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-07-02 07:19:26 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-07-02 07:19:26 +0000

    dev-java/tomcat-servlet-api: removed obsolete {8.5.54,9.0.3[45]}
    
    Bug: https://bugs.gentoo.org/729668
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/tomcat-servlet-api/Manifest               |  3 --
 .../tomcat-servlet-api-8.5.54.ebuild               | 39 ----------------------
 .../tomcat-servlet-api-9.0.34.ebuild               | 39 ----------------------
 .../tomcat-servlet-api-9.0.35.ebuild               | 39 ----------------------
 4 files changed, 120 deletions(-)

Comment 12 Miroslav Šulc gentoo-dev

2020-07-02 07:21:27 UTC

www-servers/tomcat is already clean and related dev-java/tomcat-servlet-api is up to date too.

Comment 13 Sam James archtester

2020-07-02 10:36:00 UTC

(In reply to Miroslav Šulc from comment #12)
> www-servers/tomcat is already clean and related dev-java/tomcat-servlet-api
> is up to date too.

Thank you :)

Comment 14 NATTkA bot gentoo-dev

2020-07-20 08:44:39 UTC

Unable to check for sanity:

> no match for package: =www-servers/tomcat-8.5.56