CVE-2022-34305: http://www.openwall.com/lists/oss-security/2022/06/23/1 In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability. Please bump.
9.0.65 was just released which fixes this too.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5751812bf9042cfd2a4129cef26a56c931205e1c

commit 5751812bf9042cfd2a4129cef26a56c931205e1c
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-07-21 03:33:17 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-07-21 03:33:23 +0000

    www-servers/tomcat: bump to 9.0.65

    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 +
 www-servers/tomcat/tomcat-9.0.65.ebuild | 190 ++++++++++++++++++++++++++++++++
 2 files changed, 191 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c470f5e10c7fa9f8398f206376718cc65785b6b0

commit c470f5e10c7fa9f8398f206376718cc65785b6b0
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-07-26 17:52:17 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-07-26 17:52:17 +0000

    www-servers/tomcat: bump to 10.0.23

    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest              |   1 +
 www-servers/tomcat/tomcat-10.0.23.ebuild | 198 +++++++++++++++++++++++++++++++
 2 files changed, 199 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27228226e11fba6757c3a09fe4af1f777744f533

commit 27228226e11fba6757c3a09fe4af1f777744f533
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-08-13 16:07:36 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-08-13 16:07:36 +0000

    www-servers/tomcat: bump to 8.5.82

    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 +
 www-servers/tomcat/tomcat-8.5.82.ebuild | 159 ++++++++++++++++++++++++++++++++
 2 files changed, 160 insertions(+)
It is a low severity issue, so let's give it a few days before the stabilization.
Works for me! Definitely noglsa.
Actually, given there's other Tomcat bugs waiting for GLSA we can just throw this one in with the others.
GLSA request filed. Will wait for stabilization before releasing.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4afff138b8507c9b0b4fdbebda4c8d1935d6238

commit a4afff138b8507c9b0b4fdbebda4c8d1935d6238
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-21 01:35:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-21 01:40:47 +0000

    [ GLSA 202208-34 ] Apache Tomcat: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/773571
    Bug: https://bugs.gentoo.org/801916
    Bug: https://bugs.gentoo.org/818160
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-34.xml | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
GLSA released, all done!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99b0ea9db99b33526acd6557de1570033a0adfff

commit 99b0ea9db99b33526acd6557de1570033a0adfff
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-08-21 05:47:24 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-08-21 05:47:24 +0000

    www-servers/tomcat: dropped obsolete and vulnerable 10.0.22, 9.0.64 & 8.5.81

    Bug: https://bugs.gentoo.org/865847
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest              |   3 -
 www-servers/tomcat/tomcat-10.0.22.ebuild | 198 -------------------------------
 www-servers/tomcat/tomcat-8.5.81.ebuild  | 159 -------------------------
 www-servers/tomcat/tomcat-9.0.64.ebuild  | 190 -----------------------------
 4 files changed, 550 deletions(-)