Bug 662892 (CVE-2018-1336, CVE-2018-8034) - www-servers/tomcat: multiple vulnerabilities (CVE-2018-{8034,8037})
Summary: www-servers/tomcat: multiple vulnerabilities (CVE-2018-{8034,8037})
Status: RESOLVED FIXED
Alias: CVE-2018-1336, CVE-2018-8034
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 678858 CVE-2019-0221
Blocks:
Reported: 2018-08-05 23:15 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-19 17:06 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-05 23:15:26 UTC
CVE-2018-8037 (https://nvd.nist.gov/vuln/detail/CVE-2018-8037):
  A bug in the tracking of connection closures can lead to reuse of user
  sessions in a new connection. Versions Affected: Apache Tomcat 9.0.0.M9 to
  9.0.9 and 8.5.5 to 8.5.31.

CVE-2018-8034 (https://nvd.nist.gov/vuln/detail/CVE-2018-8034):
  The host name verification when using TLS with the WebSocket client was
  missing. It is now enabled by default. Versions Affected: Apache Tomcat
  9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to
  7.0.88.
Comment 1 Miroslav Šulc gentoo-dev 2019-02-10 14:26:44 UTC
I guess this will take some time, because:

* www-servers/tomcat:7 - is fine, we have only 7.0.92 (stable)
* www-servers/tomcat:8 - we have affected 8.0.52 (stable) and unaffected 8.0.53 (unstable), which depends on >=dev-java/ant-core-1.9.13 which is not stable yet
* www-servers/tomcat:8.5 - we have affected 8.5.31 (stable) and unaffected 8.5.37 (unstable), which depends on >=dev-java/ant-core-1.9.13 which is not stable yet
* www-servers/tomcat:9 - we have affected 9.0.8 (stable) and unaffected 9.0.{14,16} (unstable), both depend on >=dev-java/ant-core-1.9.13 which is not stable yet and also on virtual/jdk-11 which is masked atm

We can stabilize ant-core-1.9.13 sooner than 2019-02-24 and hence we could remove the affected versions for slots 8 and 8.5, but idk when we will unmask Java 11; gyakovlev would probably know better. And it will take some time before it will go stable.

Shall we proceed with ant-core-1.9.13 and/or 1.10.5 stabilization to fix at least slots 8 and 8.5? There were some issues with these new versions, but all that have been reported have been solved.
Comment 2 Larry the Git Cow gentoo-dev 2019-03-02 19:57:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61beaeeb0af2968e7e27c278bd5b33ea00849880

commit 61beaeeb0af2968e7e27c278bd5b33ea00849880
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-03-02 19:56:36 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-03-02 19:57:03 +0000

    www-servers/tomcat-8.{0.52,5.31}: removed obsolete
    
    Bug: https://bugs.gentoo.org/662168
    Bug: https://bugs.gentoo.org/656044
    Bug: https://bugs.gentoo.org/662892
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   2 -
 www-servers/tomcat/tomcat-8.0.52.ebuild | 158 --------------------------------
 www-servers/tomcat/tomcat-8.5.31.ebuild | 158 --------------------------------
 3 files changed, 318 deletions(-)
Comment 3 Miroslav Šulc gentoo-dev 2020-02-09 23:40:22 UTC
I've dropped 9.0.7, so you can proceed now.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 17:06:57 UTC
Repository is clean, all done!