CVE-2017-7675 Apache Tomcat Security Constraint Bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M21
Apache Tomcat 8.5.0 to 8.5.15

Description:
The HTTP/2 implementation bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M22 or later
- Upgrade to Apache Tomcat 8.5.16 or later

Credit:
The issue was reported as Bug 61120 and the security implications identified by the Apache Tomcat Security Team.

History:
2017-08-10 Original advisory
2017-08-10 Correct copy/paste error in title

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

@maintainer(s), after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
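The following is an added example, not part of the advisory or of this bug thread: a small version checker that tests installed Tomcat version strings against the two affected ranges named above, taking care of the milestone suffix (9.0.0.M22 is a pre-release and sorts below the final 9.0.0, so a naive string or tuple comparison gets it wrong). It also accepts Gentoo-style version names such as 9.0.0_alpha26, on the assumption that the ebuild's _alphaN suffix corresponds to upstream's .MN milestone; the list of installed versions at the bottom is constructed for the example.

```python
"""Check Tomcat version strings against the CVE-2017-7675 affected ranges.
Added example; not code from the Apache advisory or the Gentoo thread."""
import re
from typing import List, Tuple

# Affected ranges exactly as stated in the advisory, inclusive on both ends.
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (
    ("9.0.0.M1", "9.0.0.M21"),
    ("8.5.0", "8.5.15"),
)

# Accepts "major.minor.patch" and "major.minor.patch.Mn" (Tomcat milestone).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def from_gentoo(pv: str) -> str:
    """Map a Gentoo package version such as 9.0.0_alpha26 to upstream's
    9.0.0.M26. Assumption: the ebuild renames _alphaN to .MN, which the
    versions quoted in this thread suggest. Plain releases pass through."""
    return re.sub(r"_alpha(\d+)$", r".M\1", pv.strip())


def parse_version(s: str) -> Tuple[int, int, int, int, int]:
    """Parse a Tomcat version into a sortable tuple.

    Milestones must sort before the final release with the same number,
    so 9.0.0.M22 becomes (9, 0, 0, 0, 22) and 9.0.0 becomes (9, 0, 0, 1, 0).
    """
    m = _VERSION_RE.match(from_gentoo(s))
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def affected_versions(versions: List[str]) -> List[str]:
    """Filter a list of installed/packaged versions down to the affected ones,
    preserving order. Unparseable entries raise rather than being skipped."""
    return [v for v in versions if is_affected(v)]


if __name__ == "__main__":
    # Constructed sample: the versions a packager might have in a repository.
    sample = ["7.0.79", "8.0.45", "8.5.15", "8.5.16", "9.0.0_alpha20",
              "9.0.0_alpha26", "9.0.0"]
    for v in sample:
        print(f"{v:>14}  {'AFFECTED' if is_affected(v) else 'ok'}")
```

Only the 8.5.x and 9.0.0 milestone branches appear in the advisory, so 7.0.x and 8.0.x versions report as not affected by this CVE; that says nothing about other advisories, which is why the ranges are kept as data rather than hard-coded into the comparison.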
I just cleaned the old versions yesterday and bumped 9.0.0 so we are not affected:

$ equery meta tomcat
 * www-servers/tomcat [gentoo]
Maintainer:  java@gentoo.org (Java)
Upstream:    None specified
Homepage:    http://tomcat.apache.org/
Location:    /usr/portage/www-servers/tomcat
Keywords:    7.0.77:7: amd64 x86
Keywords:    7.0.79:7: ~amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords:    8.0.43:8: amd64 x86
Keywords:    8.0.45:8: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords:    8.5.16:8.5:
Keywords:    8.5.20:8.5: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords:    9.0.0_alpha26:9: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
License:     Apache-2.0
@ Maintainer(s): Thank you for your work. No stable ebuild was affected, therefore no stabilization is needed as part of this security bug. Repository is clean, all done.