Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 519590 - <www-servers/tomcat-{6.0.41,7.0.56}: Multiple vulnerabilities (CVE-2013-{4286,4322,4590})
Summary: <www-servers/tomcat-{6.0.41,7.0.56}: Multiple vulnerabilities (CVE-2013-{4286...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on: 528908
Blocks: CVE-2014-0050 CVE-2014-0075 CVE-2014-0033
  Show dependency tree
 
Reported: 2014-08-10 21:36 UTC by GLSAMaker/CVETool Bot
Modified: 2015-06-29 17:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:36:07 UTC
CVE-2013-4590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4590):
  Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10
  allows attackers to obtain "Tomcat internals" information by leveraging the
  presence of an untrusted web application with a context.xml, web.xml,
  *.jspx, *.tagx, or *.tld XML document containing an external entity
  declaration in conjunction with an entity reference, related to an XML
  External Entity (XXE) issue.

CVE-2013-4322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4322):
  Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10
  processes chunked transfer coding without properly handling (1) a large
  total amount of chunked data or (2) whitespace characters in an HTTP header
  value within a trailer field, which allows remote attackers to cause a
  denial of service by streaming data.  NOTE: this vulnerability exists
  because of an incomplete fix for CVE-2012-3544.

CVE-2013-4286 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4286):
  Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3,
  when an HTTP connector or AJP connector is used, does not properly handle
  certain inconsistent HTTP request headers, which allows remote attackers to
  trigger incorrect identification of a request's length and conduct
  request-smuggling attacks via (1) multiple Content-Length headers or (2) a
  Content-Length header and a "Transfer-Encoding: chunked" header.  NOTE: this
  vulnerability exists because of an incomplete fix for CVE-2005-2090.


Maintainers, may we proceed with stabilization of 6.0.39 and 7.0.52?
Comment 1 Agostino Sarubbo gentoo-dev 2014-11-11 11:30:39 UTC
Arches, please test and mark stable:                                                                                                                                                                                                                                           
=www-servers/tomcat-7.0.56
=www-servers/tomcat-6.0.41                                                                                                                                                                                                                                                    
=dev-java/tomcat-servlet-api-6.0.41
=dev-java/tomcat-servlet-api-7.0.56
Target keywords : "amd64 ppc ppc64 x86"
Comment 2 Agostino Sarubbo gentoo-dev 2014-11-13 10:03:08 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-11-13 10:04:00 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-11-29 13:35:29 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-11-29 13:36:00 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 00:45:38 UTC
This issue was resolved and addressed in
 GLSA 201412-29 at http://security.gentoo.org/glsa/glsa-201412-29.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 7 Sean Amoss gentoo-dev Security 2014-12-15 00:46:56 UTC
Re-opening for cleanup.

Maintainers, please drop the vulnerable versions.
Comment 8 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2014-12-22 17:48:40 UTC
+  22 Dec 2014; Johann Schmitz <ercpe@gentoo.org>
+  -files/tomcat-6.0.37-build.xml.patch, -files/tomcat-6.0.39-build.xml.patch,
+  -files/tomcat-7.0.42-build.xml.patch, -files/tomcat-7.0.47-build.xml.patch,
+  -files/tomcat-7.0.52-build.xml.patch, -tomcat-6.0.37.ebuild,
+  -tomcat-6.0.39.ebuild, -tomcat-7.0.42.ebuild, -tomcat-7.0.47.ebuild,
+  -tomcat-7.0.52.ebuild:
+  Dropped vulnerable versions


Sorry for the late response.
Comment 9 Patrice Clement gentoo-dev 2015-06-03 15:13:37 UTC
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -files/tomcat-7.0.56-build.xml.patch, -files/tomcat-7.0.57-build.xml.patch,
+  -tomcat-7.0.56.ebuild, -tomcat-7.0.57.ebuild:
+  Remove vulnerable versions < Tomcat 7.0.59. Fix security bug 549536.
+

tomcat-7.0.56 was the last bit remaining and has been removed from the tree. See bug 549536 for more info.
Comment 10 Patrice Clement gentoo-dev 2015-06-16 07:58:39 UTC
Hi security

You can close this bug.
Comment 11 Kristian Fiskerstrand gentoo-dev Security 2015-06-29 17:40:50 UTC
Thanks for cleanup, closing.