Bug 265821 - www/tomcat{85,9,10,-devel}: Update to 8.5.82, 9.0.65, 10.0.23, 10.1.0-M17 (CVE-2022-34305 - a low severity XSS vulnerability in the Form authentication example)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Nuno Teixeira
URL: https://tomcat.apache.org
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-13 19:59 UTC by Vladimir Druzenko
Modified: 2022-08-14 17:06 UTC

See Also:
eduardo: merge-quarterly+


Attachments
update to 8.5.82 (816 bytes, patch)
2022-08-13 19:59 UTC, Vladimir Druzenko
vvd: maintainer-approval+
update to 9.0.65 (807 bytes, patch)
2022-08-13 20:01 UTC, Vladimir Druzenko
vvd: maintainer-approval+
update to 10.0.23 (1.24 KB, patch)
2022-08-13 20:02 UTC, Vladimir Druzenko
vvd: maintainer-approval+
update to 10.1.0-M17 (1.24 KB, patch)
2022-08-13 20:03 UTC, Vladimir Druzenko
vvd: maintainer-approval+
vuxml.diff (1.81 KB, patch)
2022-08-13 22:45 UTC, Nuno Teixeira
riggs: maintainer-approval+

Description Vladimir Druzenko freebsd_committer freebsd_triage 2022-08-13 19:59:37 UTC
Created attachment 235883 [details]
update to 8.5.82

Tested on 13.1-p1 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.82_(schultz)
Comment 1 Vladimir Druzenko freebsd_committer freebsd_triage 2022-08-13 20:01:27 UTC
Created attachment 235884 [details]
update to 9.0.65

Tested on 13.1-p1 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.65_(remm)
Comment 2 Vladimir Druzenko freebsd_committer freebsd_triage 2022-08-13 20:02:43 UTC
Created attachment 235885 [details]
update to 10.0.23

Tested on 13.1-p1 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.23_(markt)
Comment 3 Vladimir Druzenko freebsd_committer freebsd_triage 2022-08-13 20:03:48 UTC
Created attachment 235886 [details]
update to 10.1.0-M17

Tested on 13.1-p5 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M17_(markt)
Comment 4 Nuno Teixeira freebsd_committer freebsd_triage 2022-08-13 20:58:29 UTC
Hi,

Could you upload a vuxml entry?

Thanks
Comment 5 Vladimir Druzenko freebsd_committer freebsd_triage 2022-08-13 21:26:11 UTC
(In reply to Nuno Teixeira from comment #4)
I never learned how to make it. :-(
Comment 6 Nuno Teixeira freebsd_committer freebsd_triage 2022-08-13 21:31:37 UTC
(In reply to VVD from comment #5)

That's why I've asked for it :)

Tomorrow I will do a vuxml entry and upload it and ask ports-secteam for approval since I don't have much practice on that.

Cheers
Comment 7 Nuno Teixeira freebsd_committer freebsd_triage 2022-08-13 22:45:18 UTC
Created attachment 235894 [details]
vuxml.diff

CVE-2022-34305 Apache Tomcat - XSS in examples web application

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M16
Apache Tomcat 10.0.0-M1 to 10.0.22
Apache Tomcat 9.0.30 to 9.0.64
Apache Tomcat 8.5.50 to 8.5.81
Comment 8 commit-hook freebsd_committer freebsd_triage 2022-08-14 17:01:19 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ce95f567dd1f33e832620d43dd00a74fb1cf974d

commit ce95f567dd1f33e832620d43dd00a74fb1cf974d
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2022-08-14 16:56:45 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-08-14 17:00:29 +0000

    www/tomcat{85,9,10,-devel}: Update to 8.5.82, 9.0.65, 10.0.23, 10.1.0-M17 (CVE-2022-34305 - a low severity XSS vulnerability in the Form authentication example)

    PR:             265821
    MFH:            2022Q3
    Security:       e2e7faf9-1b51-11ed-ae46-002b67dfc673

 www/tomcat-devel/Makefile  | 2 +-
 www/tomcat-devel/distinfo  | 6 +++---
 www/tomcat-devel/pkg-plist | 2 +-
 www/tomcat10/Makefile      | 2 +-
 www/tomcat10/distinfo      | 6 +++---
 www/tomcat10/pkg-plist     | 2 +-
 www/tomcat85/Makefile      | 2 +-
 www/tomcat85/distinfo      | 6 +++---
 www/tomcat9/Makefile       | 2 +-
 www/tomcat9/distinfo       | 6 +++---
 10 files changed, 18 insertions(+), 18 deletions(-)
Comment 9 commit-hook freebsd_committer freebsd_triage 2022-08-14 17:01:20 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=38ed2b0a6bbff1b4b89ae84b89d1cf044779c3c7

commit 38ed2b0a6bbff1b4b89ae84b89d1cf044779c3c7
Author:     Nuno Teixeira <eduardo@FreeBSD.org>
AuthorDate: 2022-08-14 16:50:46 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-08-14 17:00:29 +0000

    security/vuxml: Document Apache Tomcat vulnerability

    CVE-2022-34305 Apache Tomcat - XSS in examples web application

    PR:             265821
    Approved by:    riggs (ports-secteam)

 security/vuxml/vuln-2022.xml | 45 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 10 commit-hook freebsd_committer freebsd_triage 2022-08-14 17:05:22 UTC
A commit in branch 2022Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a9760a296adfb1329ed96e6cef221bfaac9a301e

commit a9760a296adfb1329ed96e6cef221bfaac9a301e
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2022-08-14 16:56:45 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-08-14 17:04:09 +0000

    www/tomcat{85,9,10,-devel}: Update to 8.5.82, 9.0.65, 10.0.23, 10.1.0-M17 (CVE-2022-34305 - a low severity XSS vulnerability in the Form authentication example)

    PR:             265821
    MFH:            2022Q3
    Security:       e2e7faf9-1b51-11ed-ae46-002b67dfc673
    (cherry picked from commit ce95f567dd1f33e832620d43dd00a74fb1cf974d)

 www/tomcat-devel/Makefile  | 2 +-
 www/tomcat-devel/distinfo  | 6 +++---
 www/tomcat-devel/pkg-plist | 2 +-
 www/tomcat10/Makefile      | 2 +-
 www/tomcat10/distinfo      | 6 +++---
 www/tomcat10/pkg-plist     | 2 +-
 www/tomcat85/Makefile      | 2 +-
 www/tomcat85/distinfo      | 6 +++---
 www/tomcat9/Makefile       | 2 +-
 www/tomcat9/distinfo       | 6 +++---
 10 files changed, 18 insertions(+), 18 deletions(-)
Comment 11 Nuno Teixeira freebsd_committer freebsd_triage 2022-08-14 17:06:46 UTC
Committed, thanks!