Bug 773571 (CVE-2021-25122, CVE-2021-25329)

Summary:	<www-servers/tomcat-{7.0.108,8.5.63,9.0.43}: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	fordfrog, java
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	773562
Bug Blocks:

Description Sam James archtester

2021-03-01 12:49:57 UTC

* CVE-2021-25329 (Incomplete fix for CVE-2020-9484)

"The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494.

Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue."

Advisory: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E

* CVE-2021-25122

"When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request."

Advisory: https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E

Comment 1 Miroslav Šulc gentoo-dev

2021-03-01 13:19:29 UTC

from the slot 10 we have only 10.0.2 which is not affected, but i miss in the subject <7.0.108 (we have 7.0.107 which is affected too).

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2021-03-01 15:39:42 UTC

Confirmed, Gentoo's 10.x was never affected.

Comment 3 Miroslav Šulc gentoo-dev

2021-03-08 05:53:21 UTC

what's wrong with nattka not cc'ing stabilization archs?

Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev

2021-03-12 19:37:03 UTC

ppc64 stable

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2021-03-15 01:40:37 UTC

x86 stable

Comment 6 Agostino Sarubbo gentoo-dev

2021-03-26 14:24:46 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 7 Larry the Git Cow gentoo-dev

2021-03-26 15:09:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7241c7a324f07c3b81015640422276c86cdba043

commit 7241c7a324f07c3b81015640422276c86cdba043
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-03-26 15:09:39 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-03-26 15:09:39 +0000

    www-servers/tomcat: removed obsolete and vulnerable 7.0.107 & 8.561
    
    Bug: https://bugs.gentoo.org/773571
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest              |   2 -
 www-servers/tomcat/tomcat-7.0.107.ebuild | 142 ---------------------------
 www-servers/tomcat/tomcat-8.5.61.ebuild  | 159 -------------------------------
 3 files changed, 303 deletions(-)

Comment 8 Miroslav Šulc gentoo-dev

2021-03-26 15:10:22 UTC

the tree is clean now, you can proceed

Comment 9 John Helmert III archtester

2021-03-26 15:14:29 UTC

What about 9.0.41?

Comment 10 Miroslav Šulc gentoo-dev

2021-03-26 15:19:06 UTC

(In reply to John Helmert III from comment #9)
> What about 9.0.41?

sorry, it's gone now too

Comment 11 John Helmert III archtester

2021-03-26 15:22:29 UTC

(In reply to Miroslav Šulc from comment #10)
> (In reply to John Helmert III from comment #9)
> > What about 9.0.41?
> 
> sorry, it's gone now too

Thanks :)

Comment 12 NATTkA bot gentoo-dev

2021-07-29 17:23:47 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 13 NATTkA bot gentoo-dev

2021-07-29 17:32:12 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 14 NATTkA bot gentoo-dev

2021-07-29 17:40:05 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 15 NATTkA bot gentoo-dev

2021-07-29 17:48:15 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 16 NATTkA bot gentoo-dev

2021-07-29 18:04:12 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 17 NATTkA bot gentoo-dev

2021-07-29 18:12:30 UTC

Package list is empty or all packages have requested keywords.

Comment 18 John Helmert III archtester

2022-08-14 01:39:53 UTC

GLSA request filed

Comment 19 Larry the Git Cow gentoo-dev

2022-08-21 02:09:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4afff138b8507c9b0b4fdbebda4c8d1935d6238

commit a4afff138b8507c9b0b4fdbebda4c8d1935d6238
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-21 01:35:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-21 01:40:47 +0000

    [ GLSA 202208-34 ] Apache Tomcat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/773571
    Bug: https://bugs.gentoo.org/801916
    Bug: https://bugs.gentoo.org/818160
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-34.xml | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

Comment 20 John Helmert III archtester

2022-08-21 02:14:11 UTC

GLSA released, all done!