Bug 627512 (CVE-2017-7675) - <www-servers/tomcat-8.5.16: Apache Tomcat Security Constraint Bypass (CVE-2017-7675)
Alias: CVE-2017-7675
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa cve]
Reported: 2017-08-11 03:57 UTC by D'juan McDonald (domhnall)
Modified: 2017-08-21 20:57 UTC


Description D'juan McDonald (domhnall) 2017-08-11 03:57:48 UTC
CVE-2017-7675 Apache Tomcat Security Constraint Bypass
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M21
Apache Tomcat 8.5.0 to 8.5.15
The HTTP/2 implementation bypassed a number of security checks that
prevented directory traversal attacks. It was therefore possible to
bypass security constraints using a specially crafted URL.
Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 9.0.0.M22 or later
- Upgrade to Apache Tomcat 8.5.16 or later
The issue was reported as Bug 61120 and the security implications
identified by the Apache Tomcat Security Team.
2017-08-10 Original advisory
2017-08-10 Correct copy/paste error in title

@maintainer(s), after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
Comment 1 Miroslav Šulc gentoo-dev 2017-08-11 06:35:32 UTC
I just cleaned the old versions yesterday and bumped 9.0.0, so we are not affected:

$ equery meta tomcat
 * www-servers/tomcat [gentoo]
Maintainer: (Java)
Upstream:    None specified
Location:    /usr/portage/www-servers/tomcat
Keywords:    7.0.77:7: amd64 x86
Keywords:    7.0.79:7: ~amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords:    8.0.43:8: amd64 x86
Keywords:    8.0.45:8: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords:    8.5.16:8.5: 
Keywords:    8.5.20:8.5: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords:    9.0.0_alpha26:9: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
License:     Apache-2.0
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-08-21 20:57:06 UTC
@ Maintainer(s): Thank you for your work.

No stable ebuild was affected, therefore no stabilization is needed as part of this security bug.

Repository is clean, all done.