
Bug 918700 (CVE-2023-46589)

Summary: <www-servers/tomcat-{10.1.16,9.0.83,8.5.96}: http request smuggling
Product: Gentoo Security
Reporter: Christopher Fore <csfore>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: trivial
CC: fordfrog, java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 918696
Bug Blocks:

Description Christopher Fore 2023-11-28 16:55:58 UTC
CVE-2023-46589 (https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr):

Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
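Added example (not Tomcat or Gentoo code, written for this bug record): a minimal Python chunked-body decoder whose trailer section is bounded by an assumed MAX_TRAILER_BYTES limit. When the limit is exceeded it fails closed and the connection handler stops, so the bytes after the oversized trailer are never re-read as a fresh request, which is the parsing behaviour the description says the affected versions got wrong. `serve_connection` and the sample streams are constructed for this example and handle only chunked bodies, not request lines.

```python
import io

# Assumed limit for this example; a real server would use its configured header-size limit.
MAX_TRAILER_BYTES = 256


class TrailerTooLarge(Exception):
    """Trailer section exceeded the limit: the stream position is untrusted, close the connection."""


def read_chunked_body(stream, max_trailer_bytes=MAX_TRAILER_BYTES):
    """Decode one chunked body (RFC 9112 section 7.1) plus its trailers from a byte stream."""
    body = bytearray()
    while True:
        size_line = stream.readline()
        if not size_line:
            raise ValueError("EOF inside chunk-size line")
        size = int(size_line.split(b";", 1)[0].strip(), 16)  # chunk extensions are ignored
        if size == 0:
            break  # last-chunk: trailer section follows
        body += stream.read(size)
        if stream.read(2) != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
    trailers, used = {}, 0
    while True:
        line = stream.readline()
        if not line:
            raise ValueError("EOF inside trailer section")
        used += len(line)
        if used > max_trailer_bytes:
            # Fail closed: never skip ahead and resume parsing the remainder as a new request.
            raise TrailerTooLarge(f"trailer section exceeded {max_trailer_bytes} bytes")
        if line in (b"\r\n", b"\n"):
            break  # empty line ends the trailer section
        name, _, value = line.decode("latin-1").partition(":")
        trailers[name.strip().lower()] = value.strip()
    return bytes(body), trailers


def serve_connection(raw, max_trailer_bytes=MAX_TRAILER_BYTES):
    """Process consecutive chunked bodies on one connection; returns (bodies, closed_early)."""
    stream = io.BytesIO(raw)
    bodies = []
    while stream.tell() < len(raw):
        try:
            body, _ = read_chunked_body(stream, max_trailer_bytes)
        except TrailerTooLarge:
            return bodies, True  # connection closed; the bytes after the trailer are never parsed
        bodies.append(body)
    return bodies, False
```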
Comment 1 Larry the Git Cow gentoo-dev 2023-11-28 19:22:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41e79b6cbfc1c5cecca19531d6af0bead808b71f

commit 41e79b6cbfc1c5cecca19531d6af0bead808b71f
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-11-28 19:21:55 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-11-28 19:21:55 +0000

    www-servers/tomcat: dropped obsolete 8.5.95-r1, 9.0.82 & 10.1.15 (security)
    
    Bug: https://bugs.gentoo.org/918696
    Bug: https://bugs.gentoo.org/918700
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                |   7 --
 www-servers/tomcat/tomcat-10.1.15.ebuild   | 181 -----------------------------
 www-servers/tomcat/tomcat-8.5.95-r1.ebuild | 157 -------------------------
 www-servers/tomcat/tomcat-9.0.82.ebuild    | 180 ----------------------------
 4 files changed, 525 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2023-11-28 19:23:29 UTC
the tree is clean now, you can proceed.