From https://bugzilla.redhat.com/show_bug.cgi?id=961783 : A denial of service flaw was found in the way the chunked transfer encoding input filter of Apache Tomcat, an Apache Servlet/JSP Engine, processed CRLF sequences at the end of data chunks in certain circumstances. When chunked transfer encoding was enabled, a remote attacker could issue a specially-crafted request that, when processed, would lead to a (limited) denial of service of the Apache Tomcat server.

Relevant upstream patch:
* for Apache Tomcat 6.x: http://svn.apache.org/viewvc?view=revision&revision=1476592
* for Apache Tomcat 7.x: http://svn.apache.org/viewvc?view=rev&rev=1378702 http://svn.apache.org/viewvc?view=rev&rev=1378921
From https://bugzilla.redhat.com/show_bug.cgi?id=961779 : A session fixation flaw was found in the way the FormAuthenticator module of Apache Tomcat, an Apache Servlet/JSP Engine, performed authentication request management in certain circumstances (the most recent authentication request was associated with the current user's session). An attacker could use this flaw to inject (and possibly successfully complete) an authentication request that would be executed using the credentials of the victim.

Relevant upstream patch:
* for Apache Tomcat 6.x: http://svn.apache.org/viewvc?view=revision&revision=1417891
* for Apache Tomcat 7.x: http://svn.apache.org/viewvc?view=rev&rev=1408044
From https://bugzilla.redhat.com/show_bug.cgi?id=961803 : An information disclosure flaw was found in the way the asynchronous context implementation of Apache Tomcat, an Apache Servlet/JSP Engine, performed request information management in certain circumstances (certain elements of a previous request might have been exposed to the current request). If an application used AsyncListeners that threw RuntimeExceptions, a remote attacker could use this flaw to possibly obtain sensitive information.

Upstream bug report: https://issues.apache.org/bugzilla/show_bug.cgi?id=54178
Relevant upstream patch (including testcase): http://svn.apache.org/viewvc?view=rev&rev=1471372

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly whether it is ready for stabilization or not.
The first one has been fixed since 7.0.40 and doesn't seem to affect 6.0.x; the second one was fixed in 7.0.33/6.0.37. Not sure which revisions were the first to fix the third issue, but the latest 6.0.x and 7.0.x have the requisite fixes. @java team: please ack stabilization.
CVE-2013-2071 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2071): java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

CVE-2013-2067 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2067): java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
CVE-2012-3544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3544): Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.
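The two descriptions above (the Red Hat one for the chunked input filter and the NVD text for CVE-2012-3544) both come down to the same parsing weakness: a chunk-size line may carry a `;extension` part, and a decoder that skips extension bytes without bounding them lets a client keep a worker thread busy by streaming extension bytes indefinitely. The following decoder is an added illustration written for this bug, not Tomcat's ChunkedInputFilter or any code from the patches linked above; it is in Python so it runs stand-alone, and the 8192-byte caps and the sample bodies are assumptions constructed for the example.

```python
"""Chunked transfer-coding decoder that caps chunk-extension bytes.

Added illustration, not Tomcat's ChunkedInputFilter.  The limit values
and sample bodies below are assumptions chosen for the example.
"""
import io

MAX_EXTENSION_SIZE = 8192   # assumed cap on extension bytes per body
MAX_TRAILER_SIZE = 8192     # assumed cap on trailer bytes per body


class ChunkedError(ValueError):
    """Malformed or over-limit chunked body."""


class CountingReader:
    """Wraps a binary stream and counts bytes handed to the decoder."""

    def __init__(self, raw):
        self.raw = raw
        self.consumed = 0

    def read(self, n):
        data = self.raw.read(n)
        self.consumed += len(data)
        return data


def _read_line(stream, limit, what):
    """Read one CRLF-terminated line, refusing lines longer than limit."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        if len(buf) >= limit:
            raise ChunkedError(f"{what} exceeds {limit} bytes")
        b = stream.read(1)
        if not b:
            raise ChunkedError(f"EOF inside {what}")
        buf += b
    return bytes(buf[:-2])


def decode_chunked(stream, max_ext=MAX_EXTENSION_SIZE,
                   max_trailer=MAX_TRAILER_SIZE):
    """Decode an HTTP/1.1 chunked body read from a binary stream.

    Extension bytes on all chunk-size lines are counted against max_ext,
    so a client cannot keep a worker busy by streaming an endless
    ';aaaa...' after the chunk size; trailers are bounded the same way.
    """
    out = bytearray()
    ext_total = 0
    while True:
        # chunk-size [ ";" chunk-ext ] CRLF  (line itself is bounded too)
        line = _read_line(stream, 16 + max_ext, "chunk-size line")
        size_hex, sep, ext = line.partition(b";")
        if sep:
            ext_total += len(ext) + 1
            if ext_total > max_ext:
                raise ChunkedError("chunk extensions exceed limit")
        size_hex = size_hex.strip()
        if not 1 <= len(size_hex) <= 8 or any(
                c not in b"0123456789abcdefABCDEF" for c in size_hex):
            raise ChunkedError("invalid chunk size")
        size = int(size_hex, 16)
        if size == 0:
            # last-chunk: optional trailer lines, then an empty line
            seen = 0
            while True:
                trailer = _read_line(stream, max_trailer, "trailer")
                if not trailer:
                    return bytes(out)
                seen += len(trailer) + 2
                if seen > max_trailer:
                    raise ChunkedError("trailers exceed limit")
        data = stream.read(size)
        if len(data) != size:
            raise ChunkedError("truncated chunk data")
        if stream.read(2) != b"\r\n":
            raise ChunkedError("missing CRLF after chunk data")
        out += data


def decode_body(body, **limits):
    """Decode an in-memory body; returns (decoded, bytes_consumed, error)."""
    reader = CountingReader(io.BytesIO(body))
    try:
        return decode_chunked(reader, **limits), reader.consumed, None
    except ChunkedError as exc:
        return None, reader.consumed, str(exc)


# Constructed sample bodies (not captured traffic).
BENIGN = b"4\r\nWiki\r\n5;name=val\r\npedia\r\n0\r\nX-Sum: 1\r\n\r\n"
# Tiny chunk size followed by a megabyte of extension with no CRLF in sight.
HOSTILE = b"1;" + b"a" * (1024 * 1024)

if __name__ == "__main__":
    print(decode_body(BENIGN))
    print(decode_body(HOSTILE))
```

The benign body decodes to `Wikipedia` with its `name=val` extension and trailer accepted; the hostile body is rejected after roughly 8 KiB has been read instead of the decoder consuming the whole stream. An unbounded filter differs only in that `_read_line` has no `limit` check, which is exactly the case a client can exploit by never sending the terminating CRLF.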
Maintainer timeout. Arches, please test and mark stable:

=www-servers/tomcat-6.0.37
Target arches: amd64 ppc ppc64 x86

=www-servers/tomcat-7.0.42
Target arches: amd64 ppc ppc64 x86
amd64 stable
x86 stable
ppc stable
ppc64 stable
Added to existing GLSA request. Maintainers, please drop vulnerable versions.
+ 08 Oct 2013; Tom Wijsman <TomWij@gentoo.org> -tomcat-6.0.36.ebuild, + -tomcat-7.0.32.ebuild, -tomcat-7.0.39.ebuild, -tomcat-7.0.41.ebuild: + Dropped vulnerable versions (CVE-2012-3544,CVE-2013-{2067,2071}) for security + bug #469434.
This issue was resolved and addressed in GLSA 201412-29 at http://security.gentoo.org/glsa/glsa-201412-29.xml by GLSA coordinator Sean Amoss (ackle).