Bug 266984 - www/tomcat{85,9,10,101,-devel}: Update to 8.5.83, 9.0.68, 10.0.27, 10.1.1, 10.1.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Nuno Teixeira
URL: https://tomcat.apache.org
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-12 06:42 UTC by Vladimir Druzenko
Modified: 2022-11-18 22:11 UTC

See Also:
vvd: maintainer-feedback+
eduardo: merge-quarterly+


Attachments
update to 8.5.83 (814 bytes, patch)
2022-10-12 06:42 UTC, Vladimir Druzenko
vvd: maintainer-approval+
update to 9.0.68 (805 bytes, patch)
2022-10-12 06:44 UTC, Vladimir Druzenko
vvd: maintainer-approval+
update to 10.0.27 (821 bytes, patch)
2022-10-12 06:45 UTC, Vladimir Druzenko
vvd: maintainer-approval+
update to 10.1.1 (1.17 KB, patch)
2022-10-12 06:46 UTC, Vladimir Druzenko
vvd: maintainer-approval+
update to 10.1.1 (1.21 KB, patch)
2022-10-12 06:47 UTC, Vladimir Druzenko
vvd: maintainer-approval+

Description Vladimir Druzenko freebsd_committer freebsd_triage 2022-10-12 06:42:53 UTC
Created attachment 237226
update to 8.5.83

Tested on 13.1-p2 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.83_(markt)
Comment 1 Vladimir Druzenko freebsd_committer freebsd_triage 2022-10-12 06:44:17 UTC
Created attachment 237227
update to 9.0.68

Tested on 13.1-p2 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.68_(markt)
Comment 2 Vladimir Druzenko freebsd_committer freebsd_triage 2022-10-12 06:45:21 UTC
Created attachment 237228
update to 10.0.27

Tested on 13.1-p2 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.27_(markt)
Comment 3 Vladimir Druzenko freebsd_committer freebsd_triage 2022-10-12 06:46:27 UTC
Created attachment 237229
update to 10.1.1

Tested on 13.1-p2 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.1_(markt)
Comment 4 Vladimir Druzenko freebsd_committer freebsd_triage 2022-10-12 06:47:17 UTC
Created attachment 237230
update to 10.1.1

Tested on 13.1-p2 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.1_(markt)
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-10-12 09:51:24 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=fd3e68d563493e13f2a89530e27b00275f8fddc1

commit fd3e68d563493e13f2a89530e27b00275f8fddc1
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2022-10-12 09:46:21 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-10-12 09:46:21 +0000

    www/tomcat{85,9,10,101,-devel}: Update to 8.5.83, 9.0.68, 10.0.27, 10.1.1, 10.1.1

    ChangeLog:

    https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.83_(markt)
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.68_(markt)
    https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.27_(markt)
    https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.1_(markt)

    PR:             266984

 www/tomcat-devel/Makefile  | 2 +-
 www/tomcat-devel/distinfo  | 6 +++---
 www/tomcat-devel/pkg-plist | 2 +-
 www/tomcat10/Makefile      | 2 +-
 www/tomcat10/distinfo      | 6 +++---
 www/tomcat101/Makefile     | 2 +-
 www/tomcat101/distinfo     | 6 +++---
 www/tomcat101/pkg-plist    | 2 +-
 www/tomcat85/Makefile      | 2 +-
 www/tomcat85/distinfo      | 6 +++---
 www/tomcat9/Makefile       | 2 +-
 www/tomcat9/distinfo       | 6 +++---
 12 files changed, 22 insertions(+), 22 deletions(-)
Comment 6 Nuno Teixeira freebsd_committer freebsd_triage 2022-10-12 09:52:14 UTC
Committed, thanks!
Comment 7 geoffroy desvernay 2022-11-18 10:30:42 UTC
Seems to fix CVE-2022-42252, shouldn't it be merged in quarterly?
Comment 8 Nuno Teixeira freebsd_committer freebsd_triage 2022-11-18 13:02:01 UTC
(In reply to geoffroy desvernay from comment #7)

Can't find CVE-2022-42252 mentioned in release notes, could you provide a link to it?
Comment 9 geoffroy desvernay 2022-11-18 18:40:11 UTC
I found this by CVE search: https://nvd.nist.gov/vuln/detail/CVE-2022-42252
Vendor advisory seems to be here: https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq
(With a typo noted in reply: 8.5.82 is affected, not only 8.5.52)
Comment 10 Nuno Teixeira freebsd_committer freebsd_triage 2022-11-18 21:07:13 UTC
(In reply to geoffroy desvernay from comment #9)

Working on it, thanks.
Comment 11 commit-hook freebsd_committer freebsd_triage 2022-11-18 21:58:56 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c42efc2b00b09f75badbd82788ed8c33157470b8

commit c42efc2b00b09f75badbd82788ed8c33157470b8
Author:     Nuno Teixeira <eduardo@FreeBSD.org>
AuthorDate: 2022-11-18 21:53:01 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-11-18 21:57:50 +0000

    security/vuxml: Document Apache Tomcat vulnerability

     * CVE-2022-42252 Apache Tomcat - Request Smuggling

    PR:             266984

 security/vuxml/vuln/2022.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
Comment 12 commit-hook freebsd_committer freebsd_triage 2022-11-18 22:00:57 UTC
A commit in branch 2022Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=328f7ac7040e1d353e0898a391662393ec3e7f3d

commit 328f7ac7040e1d353e0898a391662393ec3e7f3d
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2022-10-12 09:46:21 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-11-18 21:58:49 +0000

    www/tomcat{85,9,10,101,-devel}: Update to 8.5.83, 9.0.68, 10.0.27, 10.1.1, 10.1.1

    ChangeLog:

    https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.83_(markt)
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.68_(markt)
    https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.27_(markt)
    https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.1_(markt)

    PR:             266984
    MFH:            2022Q4
    Security:       556fdf03-6785-11ed-953b-002b67dfc673
    (cherry picked from commit fd3e68d563493e13f2a89530e27b00275f8fddc1)

 www/tomcat-devel/Makefile  | 2 +-
 www/tomcat-devel/distinfo  | 6 +++---
 www/tomcat-devel/pkg-plist | 2 +-
 www/tomcat10/Makefile      | 2 +-
 www/tomcat10/distinfo      | 6 +++---
 www/tomcat101/Makefile     | 2 +-
 www/tomcat101/distinfo     | 6 +++---
 www/tomcat101/pkg-plist    | 2 +-
 www/tomcat85/Makefile      | 2 +-
 www/tomcat85/distinfo      | 6 +++---
 www/tomcat9/Makefile       | 2 +-
 www/tomcat9/distinfo       | 6 +++---
 12 files changed, 22 insertions(+), 22 deletions(-)
Comment 13 Nuno Teixeira freebsd_committer freebsd_triage 2022-11-18 22:07:45 UTC
(In reply to geoffroy desvernay from comment #9)

Nice catch up.
Committed, thank you