Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 773571 (CVE-2021-25122, CVE-2021-25329) - <www-servers/tomcat-{7.0.108,8.5.63,9.0.43}: multiple vulnerabilities
Summary: <www-servers/tomcat-{7.0.108,8.5.63,9.0.43}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-25122, CVE-2021-25329
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 773562
Blocks:
  Show dependency tree
 
Reported: 2021-03-01 12:49 UTC by Sam James
Modified: 2022-08-21 02:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 12:49:57 UTC
* CVE-2021-25329 (Incomplete fix for CVE-2020-9484)

"The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494.

Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue."

Advisory: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E

* CVE-2021-25122

"When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request."

Advisory: https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E
Comment 1 Miroslav Šulc gentoo-dev 2021-03-01 13:19:29 UTC
from the slot 10 we have only 10.0.2 which is not affected, but i miss in the subject <7.0.108 (we have 7.0.107 which is affected too).
Comment 2 Thomas Deutschmann gentoo-dev 2021-03-01 15:39:42 UTC
Confirmed, Gentoo's 10.x was never affected.
Comment 3 Miroslav Šulc gentoo-dev 2021-03-08 05:53:21 UTC
what's wrong with nattka not cc'ing stabilization archs?
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2021-03-12 19:37:03 UTC
ppc64 stable
Comment 5 Thomas Deutschmann gentoo-dev 2021-03-15 01:40:37 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2021-03-26 14:24:46 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Larry the Git Cow gentoo-dev 2021-03-26 15:09:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7241c7a324f07c3b81015640422276c86cdba043

commit 7241c7a324f07c3b81015640422276c86cdba043
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-03-26 15:09:39 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-03-26 15:09:39 +0000

    www-servers/tomcat: removed obsolete and vulnerable 7.0.107 & 8.561
    
    Bug: https://bugs.gentoo.org/773571
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest              |   2 -
 www-servers/tomcat/tomcat-7.0.107.ebuild | 142 ---------------------------
 www-servers/tomcat/tomcat-8.5.61.ebuild  | 159 -------------------------------
 3 files changed, 303 deletions(-)
Comment 8 Miroslav Šulc gentoo-dev 2021-03-26 15:10:22 UTC
the tree is clean now, you can proceed
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-26 15:14:29 UTC
What about 9.0.41?
Comment 10 Miroslav Šulc gentoo-dev 2021-03-26 15:19:06 UTC
(In reply to John Helmert III from comment #9)
> What about 9.0.41?

sorry, it's gone now too
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-26 15:22:29 UTC
(In reply to Miroslav Šulc from comment #10)
> (In reply to John Helmert III from comment #9)
> > What about 9.0.41?
> 
> sorry, it's gone now too

Thanks :)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:23:47 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:32:12 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 17:40:05 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 17:48:15 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2021-07-29 18:04:12 UTC Comment hidden (obsolete)
Comment 17 NATTkA bot gentoo-dev 2021-07-29 18:12:30 UTC
Package list is empty or all packages have requested keywords.
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 01:39:53 UTC
GLSA request filed
Comment 19 Larry the Git Cow gentoo-dev 2022-08-21 02:09:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4afff138b8507c9b0b4fdbebda4c8d1935d6238

commit a4afff138b8507c9b0b4fdbebda4c8d1935d6238
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-21 01:35:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-21 01:40:47 +0000

    [ GLSA 202208-34 ] Apache Tomcat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/773571
    Bug: https://bugs.gentoo.org/801916
    Bug: https://bugs.gentoo.org/818160
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-34.xml | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
Comment 20 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-21 02:14:11 UTC
GLSA released, all done!