Details at:
http://www.openwall.com/lists/oss-security/2017/04/10/21
http://www.openwall.com/lists/oss-security/2017/04/10/22
http://www.openwall.com/lists/oss-security/2017/04/10/23
http://www.openwall.com/lists/oss-security/2017/04/10/24
CVE ID: CVE-2017-5650
Summary: In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.
Published: 2017-04-17T16:59:00.000Z

CVE ID: CVE-2017-5651
Summary: In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.
Published: 2017-04-17T16:59:00.000Z

CVE ID: CVE-2017-5647
Summary: A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
Published: 2017-04-17T16:59:00.000Z

CVE ID: CVE-2017-5648
Summary: While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
Published: 2017-04-17T16:59:00.000Z
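As an added example (not part of the bug report or of the Gentoo tree), a small Python check that answers the question an administrator has after reading the four summaries above: which of these CVEs cover a given Tomcat version. The affected ranges are copied from the summaries; the comparison treats milestone (M) and release-candidate (RC) builds as preceding the final release with the same digits, which is how Tomcat numbers them.

```python
"""Check a Tomcat version string against the affected ranges quoted above.

Tomcat pre-releases such as "9.0.0.M18" or "8.0.0.RC1" sort *before* the
final "9.0.0" / "8.0.0", so a plain numeric tuple compare is not enough;
the parser assigns a pre-release rank of M < RC < final.
"""
import re
from typing import List, Tuple

# Affected ranges (inclusive) copied from the CVE summaries on this page.
AFFECTED = {
    "CVE-2017-5650": [("9.0.0.M1", "9.0.0.M18"), ("8.5.0", "8.5.12")],
    "CVE-2017-5651": [("9.0.0.M1", "9.0.0.M18"), ("8.5.0", "8.5.12")],
    "CVE-2017-5647": [("9.0.0.M1", "9.0.0.M18"), ("8.5.0", "8.5.12"),
                      ("8.0.0.RC1", "8.0.42"), ("7.0.0", "7.0.76"),
                      ("6.0.0", "6.0.52")],
    "CVE-2017-5648": [("9.0.0.M1", "9.0.0.M17"), ("8.5.0", "8.5.11"),
                      ("8.0.0.RC1", "8.0.41"), ("7.0.0", "7.0.75")],
}

# major.minor.patch with an optional ".M<n>" or ".RC<n>" pre-release suffix
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")


def parse(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '8.0.0.RC1' into a sortable tuple (major, minor, patch, rank, n).

    rank: 0 for M builds, 1 for RC builds, 2 for a final release.
    """
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, num = m.group(4), m.group(5)
    rank = {"M": 0, "RC": 1, None: 2}[tag]
    return (major, minor, patch, rank, int(num) if num else 0)


def affected_by(version: str) -> List[str]:
    """Return the CVE ids from this page whose ranges include `version`."""
    v = parse(version)
    return [
        cve for cve, ranges in AFFECTED.items()
        if any(parse(lo) <= v <= parse(hi) for lo, hi in ranges)
    ]


if __name__ == "__main__":
    # The versions this bug asks arches to stabilize are outside every range.
    for candidate in ("7.0.77", "8.0.43", "8.5.12", "9.0.0.M18", "8.0.0.RC1"):
        print(candidate, affected_by(candidate))
```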
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
@ Arches, please test and mark stable: =www-servers/tomcat-7.0.77 =www-servers/tomcat-8.0.43
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
Added to an existing GLSA Request. Maintainer(s), please drop the vulnerable version(s).
commit 0294da2621bb358a30caa4f13f8e5a3ccdfc0950
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue May 9 15:26:32 2017 +0200

    dev-java/tomcat-servlet-api: removed vulnerable versions per bug #615868

    Package-Manager: Portage-2.3.5, Repoman-2.3.2

 dev-java/tomcat-servlet-api/Manifest                         |  8
 dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.73.ebuild | 38
 dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.75.ebuild | 38
 dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.76.ebuild | 38
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.0.39.ebuild | 35
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.0.41.ebuild | 35
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.5.11.ebuild | 39
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.5.12.ebuild | 39
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.5.9.ebuild  | 39
 9 files changed, 309 deletions(-)

commit d4326129c72bcf9e3190c0ed148687ae4a5b6fc6
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue May 9 15:22:43 2017 +0200

    www-servers/tomcat: removed vulnerable versions per bug #615868

    Package-Manager: Portage-2.3.5, Repoman-2.3.2

 www-servers/tomcat/Manifest                            |   8
 www-servers/tomcat/files/tomcat-7.0.73-build.xml.patch | 149
 www-servers/tomcat/files/tomcat-7.0.75-build.xml.patch | 149
 www-servers/tomcat/files/tomcat-7.0.76-build.xml.patch | 149
 www-servers/tomcat/files/tomcat-8.0.39-build.xml.patch | 259
 www-servers/tomcat/files/tomcat-8.0.41-build.xml.patch | 259
 www-servers/tomcat/files/tomcat-8.5.11-build.xml.patch | 250
 www-servers/tomcat/files/tomcat-8.5.12-build.xml.patch | 250
 www-servers/tomcat/files/tomcat-8.5.9-build.xml.patch  | 250
 www-servers/tomcat/tomcat-7.0.73.ebuild                | 148
 www-servers/tomcat/tomcat-7.0.75.ebuild                | 148
 www-servers/tomcat/tomcat-7.0.76.ebuild                | 148
 www-servers/tomcat/tomcat-8.0.39.ebuild                | 157
 www-servers/tomcat/tomcat-8.0.41.ebuild                | 157
 www-servers/tomcat/tomcat-8.5.11.ebuild                | 157
 www-servers/tomcat/tomcat-8.5.12.ebuild                | 157
 www-servers/tomcat/tomcat-8.5.9.ebuild                 | 157
 17 files changed, 2952 deletions(-)
After removing the old vulnerable versions I was notified that I broke the tree. The reason was that I removed both the vulnerable versions of tomcat and the related tomcat-servlet-api versions, which were not stabilized (but should have been). So I marked them as stable too:

commit 5fc95911b3bba9c81fd438e6a5f33911e62d8fb6
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue May 9 16:09:32 2017 +0200

    dev-java/tomcat-servlet-api: stabilized tomcat-servlet-api-7.0.77 and tomcat-servlet-api-8.0.43 as these should be stabilized with related tomcat versions (as per bug #615868)

    Package-Manager: Portage-2.3.5, Repoman-2.3.2

 dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.77.ebuild | 2 +-
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.0.43.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Maintainer(s), Thank you for your work.
This issue was resolved and addressed in GLSA 201705-09 at https://security.gentoo.org/glsa/201705-09 by GLSA coordinator Yury German (BlueKnight).