Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 758338 (CVE-2020-17527) - <www-servers/tomcat-8.5.60: HTTP/2 request header mix-up (CVE-2020-17527)
Summary: <www-servers/tomcat-8.5.60: HTTP/2 request header mix-up (CVE-2020-17527)
Alias: CVE-2020-17527
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Depends on:
Reported: 2020-12-03 23:44 UTC by John Helmert III
Modified: 2020-12-24 14:19 UTC (History)
2 users (show)

See Also:
Package list:
www-servers/tomcat-8.5.60 amd64 dev-java/tomcat-servlet-api-8.5.60 dev-java/tomcat-servlet-api-9.0.40 amd64 x86
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 23:44:42 UTC

While investigating issue 64830 it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. 

Please stabilize 8.5.60.
Comment 1 NATTkA bot gentoo-dev 2020-12-03 23:48:54 UTC Comment hidden (obsolete)
Comment 2 Miroslav Šulc gentoo-dev 2020-12-04 06:39:00 UTC
including also dev-java/tomcat-servlet-api-9.0.40 to clean the affected version in the :9 slot.
Comment 3 NATTkA bot gentoo-dev 2020-12-04 06:40:58 UTC Comment hidden (obsolete)
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-07 02:31:39 UTC
It was reported that this vuln is currently being exploited.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-07 02:32:14 UTC
7.x is not affected because this version doesn't support HTTP/2.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-10 21:42:32 UTC
x86 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-14 08:00:52 UTC
amd64 done
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-21 10:55:45 UTC
ppc64 stable
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-21 21:51:18 UTC
Please cleanup.
Comment 10 Larry the Git Cow gentoo-dev 2020-12-22 13:11:36 UTC
The bug has been referenced in the following commit(s):

commit 12fdc647a121ba0457c5264f19e2c3b773aae477
Author:     Miroslav Šulc <>
AuthorDate: 2020-12-22 13:00:09 +0000
Commit:     Miroslav Šulc <>
CommitDate: 2020-12-22 13:00:09 +0000

    www-servers/tomcat: removed obsolete & vulnerable 8.5.59
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <>

 www-servers/tomcat/Manifest             |   1 -
 www-servers/tomcat/tomcat-8.5.59.ebuild | 163 --------------------------------
 2 files changed, 164 deletions(-)
Comment 11 Miroslav Šulc gentoo-dev 2020-12-22 13:15:35 UTC
the tree is clean now, you can proceed
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 20:12:07 UTC
(In reply to Miroslav Šulc from comment #11)
> the tree is clean now, you can proceed

Thank you!
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 01:26:37 UTC
New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-12-24 14:19:47 UTC
This issue was resolved and addressed in
 GLSA 202012-23 at
by GLSA coordinator Thomas Deutschmann (whissi).