Bug 627512 (CVE-2017-7675) - <www-servers/tomcat-8.5.16: Apache Tomcat Security Constraint Bypass (CVE-2017-7675)
Status: RESOLVED FIXED
Alias: CVE-2017-7675
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bz.apache.org/bugzilla/show_b...
Whiteboard: ~3 [noglsa cve]
Reported: 2017-08-11 03:57 UTC by D'juan McDonald (domhnall)
Modified: 2017-08-21 20:57 UTC (History)
Description D'juan McDonald (domhnall) 2017-08-11 03:57:48 UTC
CVE-2017-7675 Apache Tomcat Security Constraint Bypass
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M21
Apache Tomcat 8.5.0 to 8.5.15
Description:
The HTTP/2 implementation bypassed a number of security checks that
prevented directory traversal attacks. It was therefore possible to
bypass security constraints using a specially crafted URL.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M22 or later
- Upgrade to Apache Tomcat 8.5.16 or later
Credit:
The issue was reported as Bug 61120 and the security implications
identified by the Apache Tomcat Security Team.
History:
2017-08-10 Original advisory
2017-08-10 Correct copy/paste error in title
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] https://bz.apache.org/bugzilla/show_bug.cgi?id=61120


@maintainer(s), after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
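A version check against the affected ranges quoted in the advisory above, as an added example that is not part of the bug report or of Apache's code. It assumes that Gentoo's 9.0.0_alphaN ebuild names the same build as upstream's 9.0.0.MN milestone and that milestones sort before the final release of the same number.

```python
import re

# Affected ranges copied from the advisory (inclusive on both ends).
AFFECTED = [
    ("9.0.0.M1", "9.0.0.M21"),
    ("8.5.0", "8.5.15"),
]

# Upstream writes milestones as 9.0.0.M21; the Gentoo tree writes the
# same builds as 9.0.0_alpha21 (assumption, matches the equery output).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+)|_alpha(\d+))?$")


def parse_version(v):
    """Turn a Tomcat version string into a tuple that compares correctly.

    A milestone must sort before the final release with the same number,
    so the pre-release component is (0, n) for M<n>/_alpha<n> and (1, 0)
    for a final release: 9.0.0.M21 < 9.0.0.M22 < 9.0.0.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    milestone = m.group(4) or m.group(5)
    pre = (0, int(milestone)) if milestone else (1, 0)
    return (major, minor, patch) + pre


def is_affected(version, ranges=AFFECTED):
    """True if `version` lies inside any affected range from the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def check_versions(versions):
    """Map each version in a package listing to its affected flag."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample: the versions present in the tree per comment 1.
    for ver, hit in check_versions(
        ["7.0.79", "8.0.45", "8.5.16", "8.5.20", "9.0.0_alpha26"]
    ).items():
        print(f"{ver:14} affected={hit}")
```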
Comment 1 Miroslav Šulc gentoo-dev 2017-08-11 06:35:32 UTC
I just cleaned the old versions yesterday and bumped 9.0.0 so we are not affected:

$ equery meta tomcat
 * www-servers/tomcat [gentoo]
Maintainer:  java@gentoo.org (Java)
Upstream:    None specified
Homepage:    http://tomcat.apache.org/
Location:    /usr/portage/www-servers/tomcat
Keywords:    7.0.77:7: amd64 x86
Keywords:    7.0.79:7: ~amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords:    8.0.43:8: amd64 x86
Keywords:    8.0.45:8: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords:    8.5.16:8.5: 
Keywords:    8.5.20:8.5: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords:    9.0.0_alpha26:9: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
License:     Apache-2.0
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-21 20:57:06 UTC
@ Maintainer(s): Thank you for your work.


No stable ebuild was affected, therefore no stabilization needed as part of this security bug.

Repository is clean, all done.