Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 732128 (CVE-2020-13934, CVE-2020-13935) - <www-servers/tomcat-{7.0.105, 8.5.57}: Multiple vulnerabilities (CVE-2020-{13934,13935})
Summary: <www-servers/tomcat-{7.0.105, 8.5.57}: Multiple vulnerabilities (CVE-2020-{13...
Status: RESOLVED FIXED
Alias: CVE-2020-13934, CVE-2020-13935
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bz.apache.org/bugzilla/show_b...
Whiteboard: B3 [noglsa cve cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-10 19:23 UTC by John Helmert III
Modified: 2020-07-26 15:51 UTC (History)
2 users (show)

See Also:
Package list:
=dev-java/tomcat-servlet-api-7.0.105 amd64 x86 =dev-java/tomcat-servlet-api-8.5.57 amd64 ppc64 x86 =dev-java/tomcat-servlet-api-9.0.37 amd64 =www-servers/tomcat-7.0.105 amd64 =www-servers/tomcat-8.5.57 amd64
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-10 19:23:01 UTC 
From $URL:

If all bits(7+64) of the payload length in one websocket frame are 1,the length will be resolved to a negative value which will cause an endless loop.The result is CPU usage is high and will not drop!



This was in the 7.0 changelog (https://tomcat.apache.org/tomcat-7.0-doc/changelog.html), and I didn't see it elsewhere. Maintainer(s), please let us know if other branches are affected, else we need to stabilize 7.0.105.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 16:24:43 UTC 
* CVE-2020-13934

"Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M6
Apache Tomcat 9.0.0.M5 to 9.0.36
Apache Tomcat 8.5.1 to 8.5.56

Description:
An h2c direct connection did not release the HTTP/1.1 processor after
the upgrade to HTTP/2. If a sufficient number of such requests were
made, an OutOfMemoryException could occur leading to a denial of service.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M7 or later
- Upgrade to Apache Tomcat 9.0.37 or later
- Upgrade to Apache Tomcat 8.5.57 or later"

* CVE-2020-13935

"Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M6
Apache Tomcat 9.0.0.M1 to 9.0.36
Apache Tomcat 8.5.0 to 8.5.56
Apache Tomcat 7.0.27 to 7.0.104

Description:
The payload length in a WebSocket frame was not correctly validated.
Invalid payload lengths could trigger an infinite loop. Multiple
requests with invalid payload lengths could lead to a denial of service.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M7 or later
- Upgrade to Apache Tomcat 9.0.37 or later
- Upgrade to Apache Tomcat 8.5.57 or later"
Comment 2 Miroslav Šulc gentoo-dev 2020-07-14 16:35:42 UTC 
please stabilize
Comment 3 Larry the Git Cow gentoo-dev 2020-07-14 16:41:36 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ad6505d0f6be0dc01ae0e77136db16abda0b634

commit 9ad6505d0f6be0dc01ae0e77136db16abda0b634
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-07-14 16:38:28 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-07-14 16:41:27 +0000

    www-servers/tomcat: removed vulnerable 9.0.36
    
    Bug: https://bugs.gentoo.org/732128
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                        |   3 -
 .../tomcat/files/tomcat-9.0.27-build.xml.patch     | 278 ---------------------
 www-servers/tomcat/tomcat-9.0.36.ebuild            | 181 --------------
 3 files changed, 462 deletions(-)
Comment 4 Agostino Sarubbo gentoo-dev 2020-07-17 15:12:58 UTC 
ppc64 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 23:27:12 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-07-20 06:43:35 UTC 
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Larry the Git Cow gentoo-dev 2020-07-20 08:40:15 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7801359547d4db9a10608c493b1d3ad00f86381c

commit 7801359547d4db9a10608c493b1d3ad00f86381c
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-07-20 08:39:51 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-07-20 08:40:09 +0000

    www-servers/tomcat: removed obsolete and vulnerable
    
    Bug: https://bugs.gentoo.org/732128
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                        |   2 -
 .../tomcat/files/tomcat-8.5.47-build.xml.patch     | 259 ---------------------
 www-servers/tomcat/tomcat-7.0.104.ebuild           | 146 ------------
 www-servers/tomcat/tomcat-8.5.56.ebuild            | 158 -------------
 4 files changed, 565 deletions(-)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 15:51:46 UTC 
noglsa. Closing, thanks everyone.