From https://bugzilla.redhat.com/1806398 :

CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. This is enabled by default with a default configuration port of 8009. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Please stabilize the mentioned packages so I can remove the affected ones. I did some basic testing on my production servers and all seems fine. There is one change though related to AJP connectors, which do not work in default configuration, but that is intended by upstream so not really an issue. It just requires users to adjust server configuration. But they should follow changelogs anyway.
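The configuration adjustment the previous comment refers to is the upstream change shipped in Tomcat 7.0.100, 8.5.51 and 9.0.31 (the versions this bug stabilizes): the AJP connector is now commented out in the shipped server.xml, binds to the loopback address unless an explicit address is given, and refuses to start unless a secret is configured or secretRequired="false" is set explicitly. The script below is an added example, not code from the Gentoo bug, the Red Hat advisory or the Tomcat project; it audits the AJP connectors in a server.xml against those three points, so an admin can check a server before and after the bump. The function names (ajp_connectors, audit_ajp) and the two server.xml fragments are constructed for this illustration; OLD_DEFAULT mirrors the pre-fix default that left port 8009 open on all interfaces, HARDENED is the shape upstream now requires.

```python
"""Audit the AJP connectors in a Tomcat server.xml for CVE-2020-1938 exposure.

Added example, not part of the Gentoo bug or of Tomcat itself. The function
names and the sample server.xml fragments are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Addresses that keep the AJP port off the network.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: the AJP line as shipped before 7.0.100 / 8.5.51 / 9.0.31.
# No address (all interfaces) and no secret, i.e. the Ghostcat exposure.
OLD_DEFAULT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed: what the fixed versions expect if AJP is still needed at all.
HARDENED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443" />
  </Service>
</Server>"""


def ajp_connectors(xml_text):
    """Return every <Connector> whose protocol is an AJP variant.

    Matches the short form "AJP/1.3" as well as the explicit class names
    such as org.apache.coyote.ajp.AjpNioProtocol. A missing protocol
    attribute means HTTP/1.1 and is skipped.
    """
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector")
            if "AJP" in c.get("protocol", "HTTP/1.1").upper()]


def audit_ajp(xml_text):
    """Return (port, code, detail) findings for each AJP connector.

    NOT_LOOPBACK              connector reachable from the network
    NO_SECRET_WILL_NOT_START  fixed Tomcat refuses to start this connector
    NO_SECRET_TRUSTS_ALL      secret check explicitly disabled
    """
    findings = []
    for c in ajp_connectors(xml_text):
        port = c.get("port", "?")
        addr = c.get("address")
        # On fixed versions a missing address means loopback, on older ones it
        # means every interface; flag it either way so the intent is explicit.
        if addr is None or addr not in LOOPBACK:
            findings.append((port, "NOT_LOOPBACK",
                             "bound to %s" % (addr or "all interfaces (no address set)")))
        secret_required = c.get("secretRequired", "true").lower() != "false"
        if not c.get("secret"):
            if secret_required:
                findings.append((port, "NO_SECRET_WILL_NOT_START",
                                 "secretRequired defaults to true; set secret or secretRequired=\"false\""))
            else:
                findings.append((port, "NO_SECRET_TRUSTS_ALL",
                                 "any client that reaches the port is trusted"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("old default", OLD_DEFAULT), ("hardened", HARDENED)):
        print(label, audit_ajp(cfg) or "no findings")
```

A connector that shows NO_SECRET_WILL_NOT_START is exactly the "does not work in default configuration" case from the comment above: after the bump that connector simply fails to start until the admin either sets a secret shared with the front-end proxy or opts out with secretRequired="false", and opting out is only defensible when the port is also bound to loopback or otherwise unreachable.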
amd64 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44c7742044198a985fc81163b590ce0ca15e2bdf

commit 44c7742044198a985fc81163b590ce0ca15e2bdf
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-02-28 16:12:48 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-02-28 16:13:10 +0000

    www-servers/tomcat: removed old vulnerable

    Bug: https://bugs.gentoo.org/710656
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   2 -
 www-servers/tomcat/tomcat-7.0.96.ebuild | 146 ----------------------------
 www-servers/tomcat/tomcat-8.5.47.ebuild | 158 --------------------------------
 3 files changed, 306 deletions(-)
x86 stable
ppc64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Thanks for stabilization. We are clean now:

$ equery meta tomcat
 * www-servers/tomcat [gentoo]
Maintainer:  java@gentoo.org (Java)
Upstream:    None specified
Homepage:    https://tomcat.apache.org/
Location:    /usr/portage/www-servers/tomcat
Keywords:    7.0.100:7: amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords:    8.5.51:8.5: amd64 ~amd64-linux ~x86 ~x86-linux ~x86-solaris
Keywords:    9.0.31:9: ~amd64 ~amd64-linux ~x86 ~x86-linux ~x86-solaris
License:     Apache-2.0
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-43 at https://security.gentoo.org/glsa/202003-43 by GLSA coordinator Thomas Deutschmann (whissi).