From https://bugzilla.redhat.com/1806398 :
CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in
Apache Tomcat. This is enabled by default with a default configuration port of
8009. A remote, unauthenticated attacker could exploit this vulnerability to
read web application files from a vulnerable server. In instances where the
vulnerable server allows file uploads, an attacker could upload malicious
JavaServer Pages (JSP) code within a variety of file types and trigger this
vulnerability to gain remote code execution (RCE).
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Please stabilize the mentioned packages so I can remove the affected ones.
I did some basic testing on my production servers and all seems fine. There is one change though related to AJP connectors, which do not work in the default configuration, but that is intended by upstream so not really an issue. It just requires users to adjust the server configuration, but they should follow changelogs anyway.
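For readers adjusting their configuration after the bump, the following is an added conf/server.xml excerpt (hypothetical, not from this bug, the Gentoo package or the Tomcat project) showing the historically shipped AJP connector beside the hardened form that the 7.0.100 / 8.5.51 / 9.0.31 defaults expect; the secret value is a placeholder.

```xml
<!-- Added example: AJP connector excerpt from a hypothetical conf/server.xml -->
<Service name="Catalina">

  <!-- Exposed form: the connector as older server.xml files shipped it,
       enabled, bound to every interface and without a shared secret.
       This is the exposure behind CVE-2020-1938; keep it commented out
       unless a reverse proxy really speaks AJP to this Tomcat. -->
  <!--
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  -->

  <!-- Hardened form, matching the new upstream defaults:
       * address="127.0.0.1" keeps the listener off external interfaces
         (use the proxy host's address if the proxy is remote, and
         firewall 8009 accordingly);
       * secretRequired="true" is the new default, so the connector refuses
         to start unless secret is set, which is why an unadjusted old
         server.xml "stops working" after the update;
       * the proxy side (e.g. the mod_jk worker's secret property) must be
         configured with the same value. -->
  <Connector port="8009" protocol="AJP/1.3"
             address="127.0.0.1"
             secretRequired="true"
             secret="REPLACE-WITH-LONG-RANDOM-SECRET"
             redirectPort="8443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

A quick check after restarting is that nothing but the proxy host can open port 8009 (for example with `ss -ltnp | grep 8009` on the Tomcat host) and that catalina.out shows the AJP connector starting rather than a secretRequired error.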
The bug has been referenced in the following commit(s):
Author: Miroslav Šulc <email@example.com>
AuthorDate: 2020-02-28 16:12:48 +0000
Commit: Miroslav Šulc <firstname.lastname@example.org>
CommitDate: 2020-02-28 16:13:10 +0000
www-servers/tomcat: removed old vulnerable
Package-Manager: Portage-2.3.89, Repoman-2.3.20
Signed-off-by: Miroslav Šulc <email@example.com>
www-servers/tomcat/Manifest | 2 -
www-servers/tomcat/tomcat-7.0.96.ebuild | 146 -----------------------------
www-servers/tomcat/tomcat-8.5.47.ebuild | 158 --------------------------------
3 files changed, 306 deletions(-)
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Thanks for the stabilization. We are clean now:
$ equery meta tomcat
* www-servers/tomcat [gentoo]
Maintainer: firstname.lastname@example.org (Java)
Upstream: None specified
Keywords: 7.0.100:7: amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords: 8.5.51:8.5: amd64 ~amd64-linux ~x86 ~x86-linux ~x86-solaris
Keywords: 9.0.31:9: ~amd64 ~amd64-linux ~x86 ~x86-linux ~x86-solaris
New GLSA request filed.
This issue was resolved and addressed in
GLSA 202003-43 at https://security.gentoo.org/glsa/202003-43
by GLSA coordinator Thomas Deutschmann (whissi).