CVE-2021-30639 (https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E): A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

CVE-2021-30640 (https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E): A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

CVE-2021-33037 (https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E): Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
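As an added illustration (not code from Tomcat, from the Apache advisories or from this bug), the following Python sketch applies the three Transfer-Encoding checks that the CVE-2021-33037 text describes Tomcat as missing, in the form a reverse proxy or server front end would use to reject an ambiguously framed request with a 400 instead of forwarding it. The sample request bytes are constructed for the example; the header-parsing helpers and the choice to reject (rather than ignore) Transfer-Encoding on an HTTP/1.0 request line are the example's own assumptions, not a description of how Tomcat's fix is implemented.

```python
"""Transfer-Encoding framing checks for an HTTP/1.x front end.

Added example: covers the three weaknesses listed for CVE-2021-33037
(TE ignored for HTTP/1.0 clients, "identity" honoured, chunked not
required to be the final coding) plus the TE + Content-Length conflict
from RFC 7230 section 3.3.3.  Not Tomcat's code.
"""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ParsedRequest:
    method: str
    target: str
    version: str
    headers: List[Tuple[str, str]]  # (lower-cased name, value), order kept


def parse_request_head(raw: bytes) -> ParsedRequest:
    """Split the request line and header block of a raw HTTP/1.x request.

    Only the head is parsed; the body (after the blank line) is ignored
    because framing must be decided before any body bytes are trusted.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return ParsedRequest(method, target, version, headers)


def transfer_codings(req: ParsedRequest) -> List[str]:
    """Collect every transfer coding, across repeated Transfer-Encoding
    headers and comma-separated lists, in the order the client sent them."""
    codings: List[str] = []
    for name, value in req.headers:
        if name == "transfer-encoding":
            codings.extend(c.strip().lower() for c in value.split(",") if c.strip())
    return codings


def check_framing(req: ParsedRequest) -> str:
    """Return "ok" if the message framing is unambiguous, otherwise a reason
    string; a front end would answer any non-"ok" result with HTTP 400."""
    codings = transfer_codings(req)
    if not codings:
        return "ok"
    # Weakness 1: an HTTP/1.0 request carrying Transfer-Encoding is
    # self-contradictory.  Ignoring the header (what the advisory describes)
    # lets a proxy and the origin frame the body differently; this example
    # rejects it instead (assumed policy).
    if req.version == "HTTP/1.0":
        return "transfer-encoding not allowed in HTTP/1.0 request"
    # Weakness 2: "identity" was removed as a transfer coding by RFC 7230
    # (Appendix A.2); honouring it is another framing disagreement.
    if "identity" in codings:
        return "identity transfer-coding not permitted"
    # Weakness 3: chunked must be the single, final coding (RFC 7230 3.3.1).
    if codings[-1] != "chunked" or codings.count("chunked") != 1:
        return "chunked must be the single final transfer-coding"
    # RFC 7230 3.3.3: both TE and Content-Length present is a classic
    # smuggling signal and ought to be treated as an error.
    if any(name == "content-length" for name, _ in req.headers):
        return "transfer-encoding and content-length both present"
    return "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n",
    "http10_with_te": b"POST /upload HTTP/1.0\r\nHost: example.test\r\n"
                      b"Transfer-Encoding: chunked\r\n\r\n",
    "identity": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"Transfer-Encoding: identity, chunked\r\n\r\n",
    "chunked_not_last": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                        b"Transfer-Encoding: chunked, gzip\r\n\r\n",
    "te_and_cl": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
}


def check_all() -> dict:
    """Run check_framing over every constructed sample."""
    return {name: check_framing(parse_request_head(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:18} -> {verdict}")
```

The checks run in the order a front end would want them: the version test first, because an HTTP/1.0 request line with any Transfer-Encoding is already malformed, then coding-level checks, then the TE/Content-Length conflict. Rejecting rather than "normalising" is the point: every one of these cases is a message that two parsers could legitimately frame differently, and the safe response is to refuse to forward it.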
Fixes in 7.0.109, 8.5.68, 9.0.48, and 10.0.7, so please stabilize 8.5.68 and cleanup the 9.x and 10.x branches.
Sanity check failed:
> www-servers/tomcat-8.5.68
> depend amd64 dev profile default/linux/amd64/17.0/x32 (2 total)
> ~dev-java/tomcat-servlet-api-8.5.68:3.1
> depend amd64 stable profile default/linux/amd64/17.1 (15 total)
> ~dev-java/tomcat-servlet-api-8.5.68:3.1
> rdepend amd64 dev profile default/linux/amd64/17.0/x32 (2 total)
> ~dev-java/tomcat-servlet-api-8.5.68:3.1
> rdepend amd64 stable profile default/linux/amd64/17.1 (15 total)
> ~dev-java/tomcat-servlet-api-8.5.68:3.1
All sanity-check issues have been resolved
x86 done
arm64 done
ppc64 done
amd64 done, all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6326289a0137c5d8e7e145a0147ae389f91dba63

commit 6326289a0137c5d8e7e145a0147ae389f91dba63
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-07-13 04:25:22 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-07-13 04:26:29 +0000

    www-servers/tomcat: removed vulnerable 8.5.66

    Bug: https://bugs.gentoo.org/801916
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 -
 www-servers/tomcat/tomcat-8.5.66.ebuild | 159 --------------------------------
 2 files changed, 160 deletions(-)
the tree is clean now, you can proceed
Thank you!
Unable to check for sanity:
> no match for package: www-servers/tomcat-8.5.68

Unable to check for sanity:
> no match for package: dev-java/tomcat-servlet-api-8.5.68

Unable to check for sanity:
> no match for package: www-servers/tomcat-8.5.69
GLSA request filed
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4afff138b8507c9b0b4fdbebda4c8d1935d6238

commit a4afff138b8507c9b0b4fdbebda4c8d1935d6238
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-21 01:35:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-21 01:40:47 +0000

    [ GLSA 202208-34 ] Apache Tomcat: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/773571
    Bug: https://bugs.gentoo.org/801916
    Bug: https://bugs.gentoo.org/818160
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-34.xml | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
GLSA released, all done!