Bug 732128 (CVE-2020-13934, CVE-2020-13935) - <www-servers/tomcat-{7.0.105, 8.5.57}: Multiple vulnerabilities (CVE-2020-{13934,13935})
Status: RESOLVED FIXED
Alias: CVE-2020-13934, CVE-2020-13935
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bz.apache.org/bugzilla/show_b...
Whiteboard: B3 [noglsa cve cleanup]
Reported: 2020-07-10 19:23 UTC by John Helmert III
Modified: 2020-07-26 15:51 UTC
CC List: 2 users
Package list:
=dev-java/tomcat-servlet-api-7.0.105 amd64 x86
=dev-java/tomcat-servlet-api-8.5.57 amd64 ppc64 x86
=dev-java/tomcat-servlet-api-9.0.37 amd64
=www-servers/tomcat-7.0.105 amd64
=www-servers/tomcat-8.5.57 amd64
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III gentoo-dev Security 2020-07-10 19:23:01 UTC
From $URL:

If all bits (7+64) of the payload length in one websocket frame are 1, the length will be resolved to a negative value which will cause an endless loop. The result is CPU usage is high and will not drop!

This was in the 7.0 changelog (https://tomcat.apache.org/tomcat-7.0-doc/changelog.html), and I didn't see it elsewhere. Maintainer(s), please let us know if other branches are affected, else we need to stabilize 7.0.105.
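The mechanism quoted above (7-bit length field of 127 plus a 64-bit extended length whose bits are all set, read as a signed value) is easy to see in a small RFC 6455 frame-header parser. The block below is an added example for this bug and is not Tomcat's code: it shows the unchecked signed read next to a parse that enforces the RFC 6455 rule that the high bit of the 64-bit length must be zero, rejects non-minimal encodings, and caps the payload. The sample frames are constructed by hand and MAX_PAYLOAD is an assumed limit; the frame-reading loop that spins on the negative value in the affected Tomcat versions is not reproduced here.

```python
"""WebSocket frame-header parsing per RFC 6455 section 5.2, with the
payload-length validation that CVE-2020-13935 was missing.

Added example for this bug page; not Tomcat's code.  Sample frames are
constructed by hand and MAX_PAYLOAD is an assumed limit.
"""
import struct

MAX_PAYLOAD = 1 << 20  # assumed per-message limit; a real server makes this configurable


class FrameError(ValueError):
    """Raised for a header that must be rejected (the peer gets a close frame)."""


def payload_length_unchecked(hdr: bytes) -> int:
    """The vulnerable shape: the 8-byte extended length is read as a
    *signed* 64-bit integer (what Java's ByteBuffer.getLong() returns)
    and used without validation.  A 7-bit field of 127 followed by eight
    0xff bytes therefore yields -1."""
    length7 = hdr[1] & 0x7F
    if length7 == 126:
        return struct.unpack_from(">H", hdr, 2)[0]
    if length7 == 127:
        return struct.unpack_from(">q", hdr, 2)[0]  # ">q" is signed
    return length7


def parse_header(hdr: bytes, max_payload: int = MAX_PAYLOAD):
    """Hardened parse.  Returns (fin, opcode, masked, payload_len, header_size)
    or raises FrameError.  hdr may carry more bytes than just the header."""
    if len(hdr) < 2:
        raise FrameError("truncated header")
    b0, b1 = hdr[0], hdr[1]
    fin = bool(b0 & 0x80)
    if b0 & 0x70:
        raise FrameError("RSV1-3 set but no extension negotiated")
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length7 = b1 & 0x7F
    pos = 2
    if length7 < 126:
        payload_len = length7
    elif length7 == 126:
        if len(hdr) < 4:
            raise FrameError("truncated 16-bit length")
        payload_len = struct.unpack_from(">H", hdr, 2)[0]
        pos = 4
        if payload_len < 126:
            raise FrameError("non-minimal 16-bit length encoding")
    else:
        if len(hdr) < 10:
            raise FrameError("truncated 64-bit length")
        payload_len = struct.unpack_from(">Q", hdr, 2)[0]  # ">Q" is unsigned
        pos = 10
        # RFC 6455 5.2: the most significant bit MUST be 0.  Checking the
        # unsigned value here is what keeps an all-ones length from ever
        # turning into a negative number further down the pipeline.
        if payload_len >> 63:
            raise FrameError("64-bit length has its high bit set")
        if payload_len < 0x10000:
            raise FrameError("non-minimal 64-bit length encoding")
    if opcode >= 0x8 and (payload_len > 125 or not fin):
        raise FrameError("control frame longer than 125 bytes or fragmented")
    if payload_len > max_payload:
        raise FrameError(f"payload length {payload_len} exceeds limit {max_payload}")
    if masked:
        pos += 4  # 32-bit masking key follows the length
    return fin, opcode, masked, payload_len, pos


def rejects(hdr: bytes) -> bool:
    """True if the hardened parser refuses the header."""
    try:
        parse_header(hdr)
    except FrameError:
        return True
    return False


# Constructed sample frames (payload bytes of the masked frame are shown unmasked).
TEXT_HELLO = b"\x81\x05Hello"                        # FIN, text, 5 bytes, unmasked
MASKED_HELLO = b"\x81\x85\x01\x02\x03\x04Hello"      # same frame as a client sends it
BINARY_256 = b"\x82\x7e\x01\x00" + bytes(256)        # 16-bit extended length
ALL_ONES = b"\x81\x7f" + b"\xff" * 8                 # the shape described in the report
TOO_BIG = b"\x81\x7f" + ((1 << 20) + 1).to_bytes(8, "big")

if __name__ == "__main__":
    print("unchecked length of all-ones frame:", payload_length_unchecked(ALL_ONES))
    for name, frame in [("TEXT_HELLO", TEXT_HELLO), ("ALL_ONES", ALL_ONES), ("TOO_BIG", TOO_BIG)]:
        try:
            print(name, parse_header(frame))
        except FrameError as e:
            print(name, "rejected:", e)
```

The two checks that matter for this class of bug are the unsigned read plus the high-bit test, and the explicit maximum: a length that passes the RFC rule can still be 2^63-1, so a server that only fixes the sign still has to bound what it is willing to buffer.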
Comment 1 Sam James archtester gentoo-dev Security 2020-07-14 16:24:43 UTC
* CVE-2020-13934

"Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M6
Apache Tomcat 9.0.0.M5 to 9.0.36
Apache Tomcat 8.5.1 to 8.5.56

Description:
An h2c direct connection did not release the HTTP/1.1 processor after
the upgrade to HTTP/2. If a sufficient number of such requests were
made, an OutOfMemoryException could occur leading to a denial of service.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M7 or later
- Upgrade to Apache Tomcat 9.0.37 or later
- Upgrade to Apache Tomcat 8.5.57 or later"

* CVE-2020-13935

"Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M6
Apache Tomcat 9.0.0.M1 to 9.0.36
Apache Tomcat 8.5.0 to 8.5.56
Apache Tomcat 7.0.27 to 7.0.104

Description:
The payload length in a WebSocket frame was not correctly validated.
Invalid payload lengths could trigger an infinite loop. Multiple
requests with invalid payload lengths could lead to a denial of service.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M7 or later
- Upgrade to Apache Tomcat 9.0.37 or later
- Upgrade to Apache Tomcat 8.5.57 or later"
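Deciding which tree versions fall inside the two advisories' "Versions Affected" ranges is the triage step this bug turns on, and it is easy to get wrong for Tomcat because milestone builds (9.0.0.M5, 10.0.0-M1) sort before the final release with the same number, which neither a string compare nor a naive numeric tuple handles. The following is an added example, not Gentoo or Apache code: the ranges are copied from the advisory text above, and the milestone ordering rule is an assumption about how Tomcat numbers its pre-releases.

```python
"""Affected-version triage for the two Tomcat advisories quoted on this bug.

Added example; not Gentoo or Apache code.  Ranges are copied from the
advisories above.  The ordering rule for milestones (9.0.0.M1 < 9.0.0.M5 <
9.0.0 < 9.0.1; the 10.x line writes them as 10.0.0-M1) is an assumption
about Tomcat's numbering, not something the advisories state.
"""
import re

# (first affected, last affected) per branch, as given in the advisories.
AFFECTED = {
    "CVE-2020-13934": [
        ("10.0.0-M1", "10.0.0-M6"),
        ("9.0.0.M5", "9.0.36"),
        ("8.5.1", "8.5.56"),
    ],
    "CVE-2020-13935": [
        ("10.0.0-M1", "10.0.0-M6"),
        ("9.0.0.M1", "9.0.36"),
        ("8.5.0", "8.5.56"),
        ("7.0.27", "7.0.104"),
    ],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version: str) -> tuple:
    """Sortable key.  A milestone sorts before the final release it precedes:
    9.0.0.M5 -> (9, 0, 0, 0, 5); 9.0.0 -> (9, 0, 0, 1, 0)."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def affected_by(version: str, cve: str) -> bool:
    """True if version lies inside any affected range listed for cve."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED[cve])


def triage(version: str) -> list:
    """CVEs from this bug that apply to the given Tomcat version."""
    return sorted(cve for cve in AFFECTED if affected_by(version, cve))


if __name__ == "__main__":
    for v in ("7.0.104", "7.0.105", "8.5.0", "8.5.56", "8.5.57",
              "9.0.0.M3", "9.0.36", "9.0.37", "10.0.0-M6", "10.0.0-M7"):
        print(f"{v:>10}: {triage(v) or 'not affected'}")
```

Two results worth noticing: 8.5.0 and 9.0.0.M1 through M4 are affected by the WebSocket issue only, because the h2c issue starts at 8.5.1 and 9.0.0.M5, and 7.0.x is outside CVE-2020-13934 entirely, which is why the reporter found only the WebSocket entry in the 7.0 changelog.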
Comment 2 Miroslav Šulc gentoo-dev 2020-07-14 16:35:42 UTC
please stabilize
Comment 3 Larry the Git Cow gentoo-dev 2020-07-14 16:41:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ad6505d0f6be0dc01ae0e77136db16abda0b634

commit 9ad6505d0f6be0dc01ae0e77136db16abda0b634
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-07-14 16:38:28 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-07-14 16:41:27 +0000

    www-servers/tomcat: removed vulnerable 9.0.36
    
    Bug: https://bugs.gentoo.org/732128
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                        |   3 -
 .../tomcat/files/tomcat-9.0.27-build.xml.patch     | 278 ---------------------
 www-servers/tomcat/tomcat-9.0.36.ebuild            | 181 --------------
 3 files changed, 462 deletions(-)
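Review bot: the 9.0.36 ebuild goes, and with it files/tomcat-9.0.27-build.xml.patch; the commit message does not say whether the 9.x ebuild that replaces it (the advisory's fixed version is 9.0.37) carries its own build.xml patch, so confirm that no remaining ebuild still references tomcat-9.0.27-build.xml.patch, otherwise src_prepare fails for it. A line such as "patch only used by <=9.0.36" in the message would make that explicit for the next reader.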
Comment 4 Agostino Sarubbo gentoo-dev 2020-07-17 15:12:58 UTC
ppc64 stable
Comment 5 Sam James archtester gentoo-dev Security 2020-07-17 23:27:12 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-07-20 06:43:35 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Larry the Git Cow gentoo-dev 2020-07-20 08:40:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7801359547d4db9a10608c493b1d3ad00f86381c

commit 7801359547d4db9a10608c493b1d3ad00f86381c
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-07-20 08:39:51 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-07-20 08:40:09 +0000

    www-servers/tomcat: removed obsolete and vulnerable
    
    Bug: https://bugs.gentoo.org/732128
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest                        |   2 -
 .../tomcat/files/tomcat-8.5.47-build.xml.patch     | 259 ---------------------
 www-servers/tomcat/tomcat-7.0.104.ebuild           | 146 ------------
 www-servers/tomcat/tomcat-8.5.56.ebuild            | 158 -------------
 4 files changed, 565 deletions(-)
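Review bot: files/tomcat-8.5.47-build.xml.patch is removed together with the 7.0.104 and 8.5.56 ebuilds while 8.5.57, stabilised on this bug, stays; verify that tomcat-8.5.57.ebuild does not still apply that patch, or note in the message that 8.5.57 ships its own. Separately, both cleanup commits touch only www-servers/tomcat, but the package list on this bug also stabilised dev-java/tomcat-servlet-api-{7.0.105,8.5.57,9.0.37}; the superseded servlet-api ebuilds need their own cleanup commit or an explicit note that they are intentionally kept.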
Comment 8 Sam James archtester gentoo-dev Security 2020-07-26 15:51:46 UTC
noglsa. Closing, thanks everyone.