CVE-2017-7675 Apache Tomcat Security Constraint Bypass
Vendor: The Apache Software Foundation
Apache Tomcat 9.0.0.M1 to 9.0.0.M21
Apache Tomcat 8.5.0 to 8.5.15
The HTTP/2 implementation bypassed a number of security checks that
prevented directory traversal attacks. It was therefore possible to
bypass security constraints using a specially crafted URL.
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M22 or later
- Upgrade to Apache Tomcat 8.5.16 or later
The issue was reported as Bug 61120 and the security implications
identified by the Apache Tomcat Security Team.
2017-08-10 Original advisory
2017-08-10 Correct copy/paste error in title
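The affected ranges above mix milestone releases (9.0.0.M1 to 9.0.0.M21) with ordinary releases (8.5.0 to 8.5.15), and a plain string or tuple comparison gets the milestone case wrong because 9.0.0.M21 precedes 9.0.0. The checker below is an added example, not code from the advisory or the Tomcat project: it parses upstream Tomcat version strings, orders milestones before the final release of the same number, and reports whether a version falls in either range and which release the advisory names as the fix. The `SAMPLE_BANNER` text is constructed for the example; the `Server version: Apache Tomcat/...` line mirrors what `catalina.sh version` prints, but the helper that reads it is this example's own.

```python
"""Affected-version check for CVE-2017-7675 (Apache Tomcat HTTP/2 constraint bypass).

Added example; the ranges come from the advisory, everything else is this
example's own code.
"""
import re
from typing import Optional, Tuple

# Upstream Tomcat versions look like 8.5.15 or, for 9.0 milestones, 9.0.0.M21.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

# Constructed sample of the banner printed by `catalina.sh version`.
SAMPLE_BANNER = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.0.M21
Server built:   May 10 2017 14:54:49 UTC
"""

VersionKey = Tuple[int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Turn a Tomcat version string into a comparable tuple.

    The fourth element is a stage flag: 0 for a milestone, 1 for a final
    release, so 9.0.0.M21 < 9.0.0 even though both start with 9.0.0.
    """
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# (first affected, last affected, first fixed), inclusive, from the advisory.
AFFECTED_RANGES = [
    (parse_version("9.0.0.M1"), parse_version("9.0.0.M21"), "9.0.0.M22"),
    (parse_version("8.5.0"), parse_version("8.5.15"), "8.5.16"),
]


def remediation(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to, or None if not affected."""
    key = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= key <= last:
            return fixed
    return None


def is_affected(version: str) -> bool:
    return remediation(version) is not None


def version_from_banner(banner: str) -> Optional[str]:
    """Pull the version out of `catalina.sh version` style output."""
    match = re.search(r"Apache Tomcat/(\S+)", banner)
    return match.group(1) if match else None


if __name__ == "__main__":
    running = version_from_banner(SAMPLE_BANNER)
    print(f"running {running}: affected={is_affected(running)} "
          f"fix={remediation(running)}")
    for candidate in ("9.0.0.M22", "9.0.0", "8.5.15", "8.5.16", "8.0.45", "7.0.79"):
        print(f"{candidate:<10} affected={is_affected(candidate)}")
```

The advisory attributes the bypass to the HTTP/2 implementation, so an installation in the affected range is exposed through connectors that have HTTP/2 enabled; a version check alone does not tell you which connectors those are, so confirm the connector configuration separately when deciding how urgently to upgrade. Version strings in the 7.0.x and 8.0.x lines are rejected as unaffected because the advisory lists neither.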
@maintainer(s), after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I just cleaned the old versions yesterday and bumped 9.0.0 so we are not affected:
$ equery meta tomcat
* www-servers/tomcat [gentoo]
Maintainer: firstname.lastname@example.org (Java)
Upstream: None specified
Keywords: 7.0.77:7: amd64 x86
Keywords: 7.0.79:7: ~amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords: 8.0.43:8: amd64 x86
Keywords: 8.0.45:8: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords: 8.5.20:8.5: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords: 9.0.0_alpha26:9: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
@ Maintainer(s): Thank you for your work.
No stable ebuild was affected, therefore no stabilization needed as part of this security bug.
Repository is clean, all done.