CVE-2019-0221 (https://nvd.nist.gov/vuln/detail/CVE-2019-0221): The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
slots 7 and 8.5 are clean, slot 9 needs virtual/{jdk,jre} unmasked first to stabilize the newest version of tomcat in that slot.
@ maintainer(s): ping, please name exact virtual/{jre,jdk} you are waiting for!
(In reply to Thomas Deutschmann from comment #2)
> @ maintainer(s): ping, please name exact virtual/{jre,jdk} you are waiting
> for!

slot 11
I've dropped 9.0.7, so you can proceed now.
Tree looks clean?
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 202003-43 at https://security.gentoo.org/glsa/202003-43 by GLSA coordinator Thomas Deutschmann (whissi).