Bug 269667 - security/vuxml: document CVE-2022-39282 and CVE-2022-39283 for net/freerdp
Summary: security/vuxml: document CVE-2022-39282 and CVE-2022-39283 for net/freerdp
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Fernando Apesteguía
URL: https://github.com/FreeRDP/FreeRDP/re...
Keywords: needs-patch, security
Depends on:
Blocks:
 
Reported: 2023-02-18 18:01 UTC by Graham Perrin
Modified: 2023-02-24 13:42 UTC
Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2023-02-20 07:20:35 UTC
^Triage: reporter is committer, assign accordingly
Comment 2 Graham Perrin freebsd_committer freebsd_triage 2023-02-20 19:31:07 UTC
Better someone else tackle this, it's (highly) likely that I'd make a mess of it.
Comment 3 Fernando Apesteguía freebsd_committer freebsd_triage 2023-02-20 21:32:58 UTC
(In reply to Graham Perrin from comment #2)
It takes literally zero talent to fill a VuXML entry. In addition, if you are not a ports committer, it will be peer-reviewed before commit time or it will be committed by the ports committer.
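For anyone picking this up, here is what a VuXML entry for this bug would look like. This is an added illustration of the entry format, not the text that was actually committed to security/vuxml/vuln/2023.xml. The CVE ids, port name and PR number come from this bug; the vid, the fixed version range, the discovery date and the upstream URL are placeholders, because the page does not state them.

```xml
<vuln vid="00000000-0000-0000-0000-000000000000"> <!-- placeholder: generate a fresh UUID, e.g. with uuidgen -->
  <topic>freerdp -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>freerdp</name>
      <!-- placeholder: first port version that ships the fix; confirm against upstream before committing -->
      <range><lt>X.Y.Z</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The FreeRDP project reports:</p>
      <!-- placeholder cite URL: replace with the upstream advisory URL -->
      <blockquote cite="https://example.invalid/upstream-advisory-placeholder">
        <p>Placeholder: paste the upstream descriptions of CVE-2022-39282 and
          CVE-2022-39283 here, one paragraph per issue.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2022-39282</cvename>
    <cvename>CVE-2022-39283</cvename>
    <freebsdpr>ports/269667</freebsdpr>
  </references>
  <dates>
    <discovery>YYYY-MM-DD</discovery> <!-- placeholder: upstream disclosure date -->
    <entry>2023-02-24</entry>          <!-- assumed: the date the entry lands in the tree -->
  </dates>
</vuln>
```

The entry goes at the top of the current year's file under security/vuxml/vuln/, and `make validate` in security/vuxml checks it against the DTD before it is committed; a wrong `<lt>` bound is the usual mistake, since `pkg audit` will keep flagging (or stop flagging) the port based on that one value.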
Comment 4 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-21 21:18:17 UTC
New CVE in Tomcat:

CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1
Apache Tomcat 10.1.0-M1 to 10.1.4
Apache Tomcat 9.0.0-M1 to 9.0.70
Apache Tomcat 8.5.0 to 8.5.84

Description:
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later when released
- Upgrade to Apache Tomcat 10.1.5 or later
- Upgrade to Apache Tomcat 9.0.71 or later
- Upgrade to Apache Tomcat 8.5.85 or later
- Note 11.0.0-M2 was not released

Credit:
This issue was identified by Jakob Ackermann

History:
2023-01-03 Original advisory
2023-01-03 Corrected credit

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-11.html
Comment 5 Graham Perrin freebsd_committer freebsd_triage 2023-02-22 03:00:56 UTC
(In reply to Fernando Apesteguía from comment #3)

It takes literally zero talent to fill a VuXML entry. 

Everyone, please treat me as entirely talentless in this area. 

Thank you.
Comment 6 Fernando Apesteguía freebsd_committer freebsd_triage 2023-02-22 12:15:43 UTC
(In reply to VVD from comment #4)
Hi there,

Are these new Tomcat CVEs somehow related to the ones in net/freerdp for which this PR was created?

If not, can we move that to a new PR?
Comment 7 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-22 12:24:09 UTC
(In reply to Graham Perrin from comment #5)
Sorry, incorrect PR - different tab in browser. :-o
Comment 8 commit-hook freebsd_committer freebsd_triage 2023-02-24 13:41:59 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a9185f053f0c2240e239ef6ad68c82fcdb8c49f2

commit a9185f053f0c2240e239ef6ad68c82fcdb8c49f2
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-02-24 13:23:01 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-02-24 13:36:11 +0000

    security/vuxml: document vulnerabilities for net/freerdp

    CVE-2022-39282 and CVE-2022-39283.

    PR:             269667
    Reported by:    grahamperrin@freebsd.org

 security/vuxml/vuln/2023.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
Comment 9 Fernando Apesteguía freebsd_committer freebsd_triage 2023-02-24 13:42:10 UTC
Committed,

Thanks.