From ${URL} :

CVE-2014-7810 Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.15
- Apache Tomcat 7.0.0 to 7.0.57
- Apache Tomcat 6.0.0 to 6.0.43

Description:
Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.

This issue only affects installations that run web applications from untrusted sources.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.17 or later (8.0.16 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.59 or later (7.0.58 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.44 or later

Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
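The advisory's root cause, untrusted expression evaluation inside a privileged code section, reduced to a self-contained Java illustration. This is an added example, not Tomcat's code: the "expression" is a Supplier that reads a system property, the "web application" is a constructed zero-permission AccessControlContext, the class and method names are hypothetical, and it needs a JDK where SecurityManager still works (JDK 8 to 23; from JDK 17 on, start with -Djava.security.manager=allow).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.function.Supplier;

// Hypothetical stand-in for a container that evaluates an untrusted expression under a SecurityManager.
public class PrivilegedEvalDemo {

    // Vulnerable shape: the evaluation is wrapped in doPrivileged, so the permission check stops at
    // this frame and never reaches the restricted context the web application is running under.
    static String evaluatePrivileged(Supplier<String> expr) {
        return AccessController.doPrivileged((PrivilegedAction<String>) expr::get);
    }

    // Hardened shape: the evaluation runs with the whole call stack in effect, so the web
    // application's reduced permissions still govern whatever the expression touches.
    static String evaluateWithCallerContext(Supplier<String> expr) {
        return expr.get();
    }

    // Runs 'action' as a "web application" that holds no permissions at all (constructed sandbox).
    static String runAsUntrustedWebapp(Supplier<String> action) {
        ProtectionDomain noPerms = new ProtectionDomain(null, new Permissions());
        AccessControlContext restricted = new AccessControlContext(new ProtectionDomain[] { noPerms });
        try {
            return AccessController.doPrivileged((PrivilegedAction<String>) action::get, restricted);
        } catch (AccessControlException e) {
            return "DENIED: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // The container's own code is granted everything; only the injected webapp context is restricted.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        // The "expression": reads a system property the web application is not allowed to read.
        Supplier<String> expr = () -> System.getProperty("user.home");
        System.out.println("privileged : " + runAsUntrustedWebapp(() -> evaluatePrivileged(expr)));
        System.out.println("caller ctx : " + runAsUntrustedWebapp(() -> evaluateWithCallerContext(expr)));
    }
}
```

The privileged variant returns the property value while the caller-context variant returns a DENIED line: the web application's restricted permissions only take effect when the evaluation is not wrapped in doPrivileged.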
8 in tree is not affected; only older versions of 7 (< tomcat-7.0.59) need to be removed. Current is Tomcat 7.0.62, released 2015-05-14. I would remove 6 entirely, though it is still current upstream (Tomcat 6.0.44, released 2015-05-12). ALL versions of 6 in tree are affected.
+*tomcat-6.0.44 (03 Jun 2015) + + 03 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + +files/tomcat-6.0.44-build.xml.patch, +tomcat-6.0.44.ebuild, + -files/tomcat-6.0.41-build.xml.patch, -files/tomcat-6.0.43-build.xml.patch, + -tomcat-6.0.41.ebuild, -tomcat-6.0.43.ebuild: + Tomcat 6.0.44 version bump. EAPI 5 bump. Remove vulnerable versions. Fix + security bug 549536.
+ 03 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + -files/tomcat-7.0.56-build.xml.patch, -files/tomcat-7.0.57-build.xml.patch, + -tomcat-7.0.56.ebuild, -tomcat-7.0.57.ebuild: + Remove vulnerable versions < Tomcat 7.0.59. Fix security bug 549536. +
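Review bot: the two tomcat ChangeLog entries above remove tomcat-6.0.41/6.0.43 and tomcat-7.0.56/7.0.57 in the same step that adds 6.0.44, before 6.0.44 and 7.0.59 have been marked stable by any arch; the follow-up in this bug confirms the result (the stable versions "are no more"). Keep the old ebuilds in tree until the arch teams have stabilised the new ones, then drop them in a separate "Remove old" commit.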
+*tomcat-servlet-api-6.0.44 (03 Jun 2015) + + 03 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + +tomcat-servlet-api-6.0.44.ebuild, -tomcat-servlet-api-6.0.41.ebuild, + -tomcat-servlet-api-6.0.43.ebuild: + Tomcat 6.0.44 version bump. Remove vulnerable versions. Fix security bug + 549536. +
+ 03 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + -tomcat-servlet-api-7.0.56.ebuild, -tomcat-servlet-api-7.0.57.ebuild: + Remove vulnerable versions < Tomcat 7.0.59. Fix security bug 549536. +
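Review bot: same ordering concern for the dev-java/tomcat-servlet-api entries above: -tomcat-servlet-api-6.0.41/6.0.43 and -7.0.56/7.0.57 land before tomcat-servlet-api-6.0.44 and 7.0.59 are stabilised, so stable users are left without an installable servlet-api as well; sequence the removal after the stabilisation requested later in this bug.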
Hi security team,

There are no vulnerable versions of Tomcat in the tree. I've bumped Tomcat 6 and, while at it, cleaned up the vulnerable versions. However, tomcat 6/7/8 now need stabilising (the stable versions are no more).

Please stabilise:
- www-servers/tomcat-6.0.44.ebuild
- www-servers/tomcat-7.0.59.ebuild
- www-servers/tomcat-8.0.23.ebuild

As well as:
- dev-java/tomcat-servlet-api-6.0.44.ebuild
- dev-java/tomcat-servlet-api-7.0.59.ebuild
- dev-java/tomcat-servlet-api-8.0.23.ebuild

Thanks.
+ 03 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + +tomcat-servlet-api-6.0.41.ebuild, +tomcat-servlet-api-6.0.43.ebuild, + +tomcat-servlet-api-7.0.56.ebuild, +tomcat-servlet-api-7.0.57.ebuild, + tomcat-servlet-api-6.0.44.ebuild, tomcat-servlet-api-7.0.59.ebuild, + tomcat-servlet-api-8.0.23.ebuild: + Restore vulnerable ebuilds until security team stabilise the new version. + See bug 549536. + + 03 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + +files/tomcat-6.0.41-build.xml.patch, +files/tomcat-6.0.43-build.xml.patch, + +files/tomcat-7.0.56-build.xml.patch, +files/tomcat-7.0.57-build.xml.patch, + +tomcat-6.0.41.ebuild, +tomcat-6.0.43.ebuild, +tomcat-7.0.56.ebuild, + +tomcat-7.0.57.ebuild: + Restore vulnerable ebuilds until security team stabilise the new version. See + bug 549536. +

There you go: I've been told not to remove the vulnerable ebuilds until the security team says so. I didn't want to cause a stir, so I've added back the vulnerable versions. Over to you guys.
Thanks. Arches, please stabilize:

=www-servers/tomcat-6.0.44
Stable targets: amd64 ppc ppc64 x86

=www-servers/tomcat-7.0.59
Stable targets: amd64 ppc ppc64 x86
dev-java/tomcat-servlet-api needs stabilisation as well.

=dev-java/tomcat-servlet-api-6.0.44
Stable targets: amd64 ppc ppc64 x86

=dev-java/tomcat-servlet-api-7.0.59
Stable targets: amd64 ppc ppc64 x86

Thanks.
amd64 stable
x86 stable
ping @ppc and @ppc64. Could you please stabilise tomcat-7.0.59.ebuild and tomcat-6.0.44.ebuild? These two are the last missing bits. Thanks!
Looks like the stabilisations fixed CVE-2014-0230 too.
ppc64 stable
ppc can't be done because of bug 536888
(In reply to Agostino Sarubbo from comment #15)
> ppc can't be done because of bug 536888

Please reconsider following my comments there. Hopefully you're not able to reproduce that problem any more.
CVE-2014-7810 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7810): The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
ppc stable. Maintainer(s), please cleanup. Security, please vote.
+ 15 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + -files/tomcat-6.0.41-build.xml.patch, -files/tomcat-6.0.43-build.xml.patch, + -files/tomcat-7.0.56-build.xml.patch, -files/tomcat-7.0.57-build.xml.patch, + -tomcat-6.0.41.ebuild, -tomcat-6.0.43.ebuild, -tomcat-7.0.56.ebuild, + -tomcat-7.0.57.ebuild: + Remove old. + + 15 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + -tomcat-servlet-api-6.0.41.ebuild, -tomcat-servlet-api-6.0.43.ebuild, + -tomcat-servlet-api-7.0.56.ebuild, -tomcat-servlet-api-7.0.57.ebuild: + Remove vulnerable versions. Fix security bug 549536. +
Maintainer and arches, thank you for your work.

GLSA Vote: No
GLSA Vote: No

Thank you all. Closing as noglsa.