As in NVD: Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.
It's already fixed in Tomcat 7.0.21, but I can see no fix for the tomcat:6 series or the tomcat:5.5 series. Should the affected versions be removed once the fixes are available?
(In reply to comment #1)
> it's already fixed in tomcat 7.0.21, but i can see no fix for tomcat:6 series
> nor tomcat:5.5 series. should the affected versions be removed once the fixes
> are available?

Yes, please. Do you happen to have an ETA for a fixed 6.0 and 5.5?
No, I have no ETA; it depends on upstream when they are going to release the fixes, and I have no idea whether there is any ETA on their side or not. For now, I just removed tomcat:7 < 7.0.21 and the related tomcat-servlet-api.
(In reply to comment #3)
> no, i have no eta, it depends on upstream when they are going to release the
> fixes and i have no idea if there is any eta from their side or not.

Ok. We'll just wait for the fixed versions and then do stabilization etc. (like always).

> for now, i just removed tomcat:7 < 7.0.21 and related tomcat-servlet-api.

Thank you.
There are patches available that could apply to the current versions:
- 6.0.x: http://svn.apache.org/viewvc?rev=1162959&view=rev
- 5.5.x: http://svn.apache.org/viewvc?rev=1162960&view=rev

If you wanted to include those for the current version ebuilds while waiting for a new fixed version to be released...
CVE-2011-3190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3190): Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.
6.0.35 is now in tree and fixes CVE-2011-3190. Stabilization request filed.
Tomcat 5.5.x has been removed from the main tree because it is heading towards its EOL on 2012-09-30 and it is unmaintained on our side (all the effort goes to the 6.x and 7.x releases). Tomcat 5.5.x has been moved to java-overlay for those who still need it.
Thanks, folks. GLSA Vote: yes.
On existing GLSA request.
No affected version in the tree anymore.
This issue was resolved and addressed in GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml by GLSA coordinator Tobias Heinlein (keytoaster).