Bug 758338 (CVE-2020-17527)

Summary:	<www-servers/tomcat-8.5.60: HTTP/2 request header mix-up (CVE-2020-17527)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	fordfrog, java
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60
Whiteboard:	B3 [glsa+ cve]
Package list:	www-servers/tomcat-8.5.60 amd64 dev-java/tomcat-servlet-api-8.5.60 dev-java/tomcat-servlet-api-9.0.40 amd64 x86	Runtime testing required:	---

Description John Helmert III archtester

2020-12-03 23:44:42 UTC

CVE-2020-17527:

While investigating issue 64830 it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. 


Please stabilize 8.5.60.

Comment 1 NATTkA bot gentoo-dev

2020-12-03 23:48:54 UTC Comment hidden (obsolete)

Sanity check failed:

> www-servers/tomcat-8.5.60
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
>     ~dev-java/tomcat-servlet-api-8.5.60:3.1
>   depend amd64 stable profile default/linux/amd64/17.1 (14 total)
>     ~dev-java/tomcat-servlet-api-8.5.60:3.1
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
>     ~dev-java/tomcat-servlet-api-8.5.60:3.1
>   rdepend amd64 stable profile default/linux/amd64/17.1 (14 total)
>     ~dev-java/tomcat-servlet-api-8.5.60:3.1

Comment 2 Miroslav Šulc gentoo-dev

2020-12-04 06:39:00 UTC

including also dev-java/tomcat-servlet-api-9.0.40 to clean the affected version in the :9 slot.

Comment 3 NATTkA bot gentoo-dev

2020-12-04 06:40:58 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-07 02:31:39 UTC

It was reported that this vuln is currently being exploited.

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-07 02:32:14 UTC

7.x is not affected because this version doesn't support HTTP/2.

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-10 21:42:32 UTC

x86 stable

Comment 7 Sam James archtester

2020-12-14 08:00:52 UTC

amd64 done

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2020-12-21 10:55:45 UTC

ppc64 stable

Comment 9 John Helmert III archtester

2020-12-21 21:51:18 UTC

Please cleanup.

Comment 10 Larry the Git Cow gentoo-dev

2020-12-22 13:11:36 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12fdc647a121ba0457c5264f19e2c3b773aae477

commit 12fdc647a121ba0457c5264f19e2c3b773aae477
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-12-22 13:00:09 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-12-22 13:00:09 +0000

    www-servers/tomcat: removed obsolete & vulnerable 8.5.59
    
    Bug: https://bugs.gentoo.org/758338
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 -
 www-servers/tomcat/tomcat-8.5.59.ebuild | 163 --------------------------------
 2 files changed, 164 deletions(-)

Comment 11 Miroslav Šulc gentoo-dev

2020-12-22 13:15:35 UTC

the tree is clean now, you can proceed

Comment 12 John Helmert III archtester

2020-12-22 20:12:07 UTC

(In reply to Miroslav Šulc from comment #11)
> the tree is clean now, you can proceed

Thank you!

Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-23 01:26:37 UTC

New GLSA request filed.

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2020-12-24 14:19:47 UTC

This issue was resolved and addressed in
 GLSA 202012-23 at https://security.gentoo.org/glsa/202012-23
by GLSA coordinator Thomas Deutschmann (whissi).