Bug 896370 (CVE-2023-24998) - <www-servers/tomcat-{8.5.85,9.0.71,10.1.5}: DoS via many request parts
Summary: <www-servers/tomcat-{8.5.85,9.0.71,10.1.5}: DoS via many request parts
Status: RESOLVED FIXED
Alias: CVE-2023-24998
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.apache.org/thread/4xl4l...
Whiteboard: B3 [glsa+]
Reported: 2023-02-25 01:06 UTC by John Helmert III
Modified: 2023-05-31 02:20 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-25 01:06:09 UTC
CVE-2023-24998:

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Just needs GLSA.
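
An added example, not part of the bug report or of Gentoo's or Apache's code: it shows the opt-in limit from the CVE text, FileUploadBase#setFileCountMax, rejecting a request that has one part too many. It exercises the standalone Commons FileUpload 1.5 API (commons-fileupload 1.5 and commons-io assumed on the classpath); the class name, boundary, limit values and request body are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import org.apache.commons.fileupload.FileCountLimitExceededException;
import org.apache.commons.fileupload.FileUpload;
import org.apache.commons.fileupload.UploadContext;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;

public class FileCountLimitDemo {
    static final String BOUNDARY = "constructed-boundary";

    // Constructed multipart/form-data body holding `parts` one-byte form fields.
    static byte[] body(int parts) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < parts; i++) {
            sb.append("--").append(BOUNDARY).append("\r\n")
              .append("Content-Disposition: form-data; name=\"f").append(i)
              .append("\"\r\n\r\nx\r\n");
        }
        sb.append("--").append(BOUNDARY).append("--\r\n");
        return sb.toString().getBytes(StandardCharsets.US_ASCII);
    }

    // In-memory request context, so no servlet container is needed.
    static UploadContext context(final byte[] data) {
        return new UploadContext() {
            public String getCharacterEncoding() { return "UTF-8"; }
            public String getContentType() { return "multipart/form-data; boundary=" + BOUNDARY; }
            public int getContentLength() { return data.length; }
            public long contentLength() { return data.length; }
            public InputStream getInputStream() { return new ByteArrayInputStream(data); }
        };
    }

    public static void main(String[] args) throws Exception {
        FileUpload upload = new FileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(10);      // default is -1: no limit on the number of parts
        upload.setFileSizeMax(1 << 20);  // per-part byte limit, also off by default
        upload.setSizeMax(8 << 20);      // whole-request byte limit, also off by default
        int accepted = upload.parseRequest(context(body(10))).size();
        System.out.println("10 parts accepted: " + accepted);
        try {
            upload.parseRequest(context(body(11)));
            System.out.println("11 parts accepted (limit not enforced)");
        } catch (FileCountLimitExceededException e) {
            System.out.println("11 parts rejected, limit=" + e.getLimit());
        }
    }
}
```

The limit counts every part of the request, plain form fields included, not only parts that carry a filename.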
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 23:18:00 UTC
GLSA request filed.
Comment 2 Larry the Git Cow gentoo-dev 2023-05-30 03:05:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a8b85191c046076a4e4d12c8541d49e1473aaa66

commit a8b85191c046076a4e4d12c8541d49e1473aaa66
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 03:03:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:05:04 +0000

    [ GLSA 202305-37 ] Apache Tomcat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/878911
    Bug: https://bugs.gentoo.org/889596
    Bug: https://bugs.gentoo.org/896370
    Bug: https://bugs.gentoo.org/907387
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-37.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 03:07:00 UTC
GLSA released, all done!
Comment 4 Larry the Git Cow gentoo-dev 2023-05-31 02:20:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=023c3018165ffad6f1f6a874561e1c3c555cb505

commit 023c3018165ffad6f1f6a874561e1c3c555cb505
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-05-31 02:20:03 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-31 02:20:25 +0000

    [ GLSA 202305-37 ] fix versions, add other slots
    
    Bug: https://bugs.gentoo.org/878911
    Bug: https://bugs.gentoo.org/889596
    Bug: https://bugs.gentoo.org/896370
    Bug: https://bugs.gentoo.org/907387
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-37.xml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)