www/tomcat{7,85,9,-devel} already updated, but possibly needs a merge to quarterly.

=================================================================
CVE-2020-13934 Apache Tomcat HTTP/2 Denial of Service

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M6
Apache Tomcat 9.0.0.M5 to 9.0.36
Apache Tomcat 8.5.1 to 8.5.56

Description:
An h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M7 or later
- Upgrade to Apache Tomcat 9.0.37 or later
- Upgrade to Apache Tomcat 8.5.57 or later

Credit:
This issue was reported publicly via the Apache Tomcat Users mailing list without reference to the potential for DoS. The DoS risks were identified by the Apache Tomcat Security Team.

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html

=================================================================
CVE-2020-13935 Apache Tomcat WebSocket Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M6
Apache Tomcat 9.0.0.M1 to 9.0.36
Apache Tomcat 8.5.0 to 8.5.56
Apache Tomcat 7.0.27 to 7.0.104

Description:
The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M7 or later
- Upgrade to Apache Tomcat 9.0.37 or later
- Upgrade to Apache Tomcat 8.5.57 or later

Credit:
This issue was reported publicly via the Apache Tomcat Users mailing list without reference to the potential for DoS. The DoS risks were identified by the Apache Tomcat Security Team.

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html
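The CVE-2020-13935 advisory above says only that the frame payload length "was not correctly validated". The following is an added example (not Tomcat's code, and not part of this bug report) of the checks a WebSocket frame reader has to apply to the length field before it enters any read loop, per RFC 6455 section 5.2: the 7-bit, 16-bit and 64-bit forms must each be the minimal encoding for the value, the most significant bit of a 64-bit length must be zero (a value that would go negative if read into a signed 64-bit integer), control frames may not carry more than 125 bytes, and an application-level maximum should be enforced before any buffer is sized from the attacker-supplied number. The sample frames, the `max_payload` limit and the function names are constructed for this example.

```python
"""Validate WebSocket frame headers (RFC 6455, section 5.2) before reading payload.

Added example; it is not Tomcat's WsFrame code.  All frames below are constructed
by hand for illustration, not captured traffic.
"""
import struct

# Constructed sample frames (server-to-client style, unmasked).
VALID_TEXT_FRAME  = b"\x81\x05hello"                          # FIN, text, len 5
LEN64_MSB_SET     = b"\x82\x7f" + b"\xff" * 8                  # 127 form, bit 63 set
NON_MINIMAL_16    = b"\x82\x7e\x00\x05"                        # 126 form used for len 5
NON_MINIMAL_64    = b"\x82\x7f" + (1000).to_bytes(8, "big")    # 127 form used for len 1000
OVERSIZED_CONTROL = b"\x89\x7e\x00\x80"                        # ping with len 128
TRUNCATED_64      = b"\x82\x7f\x00\x00"                        # header cut short


class FrameError(ValueError):
    """Header violates RFC 6455; the connection must be closed (status 1002)."""


class Incomplete(Exception):
    """Not enough bytes yet; wait for more input, this is not an attack."""


def parse_frame_header(buf, max_payload=1 << 20, require_mask=False):
    """Parse a frame header and return a dict describing it.

    max_payload is an assumed application limit (1 MiB here); a server must
    enforce one so an attacker cannot make it allocate from a huge length.
    require_mask should be True on the server side, where RFC 6455 requires
    client frames to be masked.
    """
    if len(buf) < 2:
        raise Incomplete()
    b0, b1 = buf[0], buf[1]
    fin = bool(b0 & 0x80)
    rsv = b0 & 0x70
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    len7 = b1 & 0x7F
    pos = 2

    if len7 < 126:
        payload_len = len7
    elif len7 == 126:
        if len(buf) < pos + 2:
            raise Incomplete()
        payload_len = struct.unpack_from("!H", buf, pos)[0]
        pos += 2
        if payload_len < 126:
            raise FrameError("16-bit length form used for value < 126")
    else:  # len7 == 127
        if len(buf) < pos + 8:
            raise Incomplete()
        payload_len = struct.unpack_from("!Q", buf, pos)[0]
        pos += 8
        if payload_len >> 63:
            # Would be negative as a signed 64-bit integer; a loop that counts
            # "bytes remaining" down from it never reaches zero.
            raise FrameError("64-bit length has most significant bit set")
        if payload_len < 65536:
            raise FrameError("64-bit length form used for value < 65536")

    if rsv:
        raise FrameError("RSV bits set without a negotiated extension")
    if opcode & 0x08:  # control frame (close, ping, pong)
        if payload_len > 125:
            raise FrameError("control frame payload longer than 125 bytes")
        if not fin:
            raise FrameError("fragmented control frame")
    if payload_len > max_payload:
        raise FrameError("payload %d exceeds limit %d" % (payload_len, max_payload))
    if require_mask and not masked:
        raise FrameError("client frame is not masked")

    mask = None
    if masked:
        if len(buf) < pos + 4:
            raise Incomplete()
        mask = bytes(buf[pos:pos + 4])
        pos += 4

    return {"fin": fin, "opcode": opcode, "masked": masked, "mask": mask,
            "payload_len": payload_len, "header_len": pos}


def check_frame(buf, max_payload=1 << 20, require_mask=False):
    """Classify a frame header as 'ok: ...', 'rejected: ...' or 'incomplete'."""
    try:
        hdr = parse_frame_header(buf, max_payload, require_mask)
    except FrameError as exc:
        return "rejected: " + str(exc)
    except Incomplete:
        return "incomplete"
    return "ok: payload_len=%d" % hdr["payload_len"]


if __name__ == "__main__":
    for name, frame in [("VALID_TEXT_FRAME", VALID_TEXT_FRAME),
                        ("LEN64_MSB_SET", LEN64_MSB_SET),
                        ("NON_MINIMAL_16", NON_MINIMAL_16),
                        ("NON_MINIMAL_64", NON_MINIMAL_64),
                        ("OVERSIZED_CONTROL", OVERSIZED_CONTROL),
                        ("TRUNCATED_64", TRUNCATED_64)]:
        print("%-18s %s" % (name, check_frame(frame)))
```

The point of the ordering is that every rejection happens on the header alone, before the length is used to size a buffer or drive a read loop, and that a short header is reported as "incomplete" rather than as an error so a slow but honest peer is not disconnected.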
A commit references this bug:

Author: joneum
Date: Thu Jul 23 11:54:54 UTC 2020
New revision: 542927
URL: https://svnweb.freebsd.org/changeset/ports/542927

Log:
Add entry for www/tomcat{7,85,9,-devel}

PR: 247975
Sponsored by: Netzkommune GmbH

Changes:
head/security/vuxml/vuln.xml
(In reply to commit-hook from comment #1) Thanks. Can you commit this too: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247555
Reopen; this was first the vuxml. Currently I am testing www/tomcat{7,85,9,-devel} in poudriere on a current 2020Q3. If everything is OK, it goes into the quarterly branch. After that I will close here ;-)
A commit references this bug:

Author: joneum
Date: Thu Jul 23 14:35:33 UTC 2020
New revision: 542933
URL: https://svnweb.freebsd.org/changeset/ports/542933

Log:
Merge www/tomcat{7,85,9,-devel} to 2020Q3

PR: 247975
Reported by: VVD <vvd@unislabs.com>
Approved by: ports-secteam (with hat)
Sponsored by: Netzkommune GmbH

Changes:
branches/2020Q3/www/tomcat-devel/Makefile
branches/2020Q3/www/tomcat-devel/distinfo
branches/2020Q3/www/tomcat7/Makefile
branches/2020Q3/www/tomcat7/distinfo
branches/2020Q3/www/tomcat85/Makefile
branches/2020Q3/www/tomcat85/distinfo
branches/2020Q3/www/tomcat9/Makefile
branches/2020Q3/www/tomcat9/distinfo