Bug 215865

Summary: www/tomcat8 {tomcat7,tomcat6}: update to 8.0.40, 7.0.74, 6.0.49
Product: Ports & Packages
Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)
Assignee: Alex Dupre <ale>
Status: Closed FIXED
Severity: Affects Some People
CC: asomers, erik, ports-secteam, tez, vvd
Priority: ---
Keywords: needs-patch, needs-qa, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (ale); junovitch: merge-quarterly+
Hardware: Any
OS: Any
URL: http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40
Attachments:
  tomcat 8.0.39 to 8.0.41 update (flags: none)

Comment 1 commit-hook freebsd_committer freebsd_triage 2017-01-07 22:55:48 UTC
A commit references this bug:

Author: junovitch
Date: Sat Jan  7 22:55:04 UTC 2017
New revision: 430842
URL: https://svnweb.freebsd.org/changeset/ports/430842

Log:
  Document last quarter of Tomcat security advisories

  Latest advisory is awaiting upstream release

  PR:		214599
  PR:		215865
  Security:	CVE-2016-0762
  Security:	CVE-2016-5018
  Security:	CVE-2016-6794
  Security:	CVE-2016-6796
  Security:	CVE-2016-6797
  Security:	CVE-2016-6816
  Security:	CVE-2016-8735
  Security:	CVE-2016-8745
  Security:	https://vuxml.FreeBSD.org/freebsd/0b9af110-d529-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/3ae106e2-d521-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/e5ec2767-d529-11e6-ae1b-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Erik Cederstrand 2017-01-29 15:03:09 UTC
Version 8.0.41 has been released, according to http://tomcat.apache.org/download-80.cgi

The www/tomcat8 port is currently at 8.0.39.
Comment 3 Tim Z 2017-02-07 20:50:47 UTC
Created attachment 179725
tomcat 8.0.39 to 8.0.41 update

I created this patch to update tomcat from 8.0.39 to 8.0.41 for my own use, and thought I would share it and maybe save someone some work.
Comment 4 Alan Somers freebsd_committer freebsd_triage 2017-02-14 19:55:00 UTC
Poudriere warns that we could set NO_ARCH for this port.  It's probably not new in 8.0.41, but we should do it anyway.

pkg-static: DEVELOPER_MODE: Notice: arch "FreeBSD:11:amd64" -- no architecture specific files found:
**** could this package use a wildcard architecture?
Comment 5 Alan Somers freebsd_committer freebsd_triage 2017-02-14 22:40:34 UTC
I've tested tomcat-8.0.41 with your patch.  You can consider it reviewed by me.
Comment 6 commit-hook freebsd_committer freebsd_triage 2017-02-16 09:17:41 UTC
A commit references this bug:

Author: ale
Date: Thu Feb 16 09:17:22 UTC 2017
New revision: 434199
URL: https://svnweb.freebsd.org/changeset/ports/434199

Log:
  Update to 8.0.41 release.

  PR:		215865
  Submitted by:	junovitch

Changes:
  head/www/tomcat8/Makefile
  head/www/tomcat8/distinfo
  head/www/tomcat8/pkg-plist
Comment 7 Vladimir Druzenko freebsd_committer freebsd_triage 2017-02-16 22:32:47 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215290
Comment 8 commit-hook freebsd_committer freebsd_triage 2017-03-05 02:43:15 UTC
A commit references this bug:

Author: junovitch
Date: Sun Mar  5 02:42:39 UTC 2017
New revision: 435441
URL: https://svnweb.freebsd.org/changeset/ports/435441

Log:
  MFH: r434199

  Update to 8.0.41 release.

  PR:		215865
  Submitted by:	Tim Z <tez@netbsd.org>
  Reviewed by:	asomers
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/www/tomcat8/Makefile
  branches/2017Q1/www/tomcat8/distinfo
  branches/2017Q1/www/tomcat8/pkg-plist
Comment 9 commit-hook freebsd_committer freebsd_triage 2017-03-05 02:48:22 UTC
A commit references this bug:

Author: junovitch
Date: Sun Mar  5 02:47:49 UTC 2017
New revision: 435442
URL: https://svnweb.freebsd.org/changeset/ports/435442

Log:
  MFH: r434198

  Update to 7.0.75 release.

  PR:		215865
  PR:		216604
  Reported by:	Dani <i.dani@outlook.com>
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2016-8745
  Security:	https://vuxml.FreeBSD.org/freebsd/e5ec2767-d529-11e6-ae1b-002590263bf5.html

Changes:
_U  branches/2017Q1/
  branches/2017Q1/www/tomcat7/Makefile
  branches/2017Q1/www/tomcat7/distinfo
  branches/2017Q1/www/tomcat7/pkg-plist
Comment 10 Jason Unovitch freebsd_committer freebsd_triage 2017-03-05 02:53:08 UTC
Reopen pending an upstream fix for the CVE-2016-8745 that this PR was opened for. The only remaining update is the www/tomcat6 port which is "not yet released" per Apache.org as of right now.
Comment 11 commit-hook freebsd_committer freebsd_triage 2017-03-18 01:36:01 UTC
A commit references this bug:

Author: junovitch
Date: Sat Mar 18 01:35:43 UTC 2017
New revision: 436372
URL: https://svnweb.freebsd.org/changeset/ports/436372

Log:
  www/tomcat6: update 6.0.48 -> 6.0.51

  PR:		215865
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2016-8745
  Security:	https://vuxml.FreeBSD.org/freebsd/e5ec2767-d529-11e6-ae1b-002590263bf5.html
  MFH:		2017Q1

Changes:
  head/www/tomcat6/Makefile
  head/www/tomcat6/distinfo
  head/www/tomcat6/pkg-plist
Comment 12 commit-hook freebsd_committer freebsd_triage 2017-03-18 01:37:05 UTC
A commit references this bug:

Author: junovitch
Date: Sat Mar 18 01:36:30 UTC 2017
New revision: 436373
URL: https://svnweb.freebsd.org/changeset/ports/436373

Log:
  MFH: r436372

  www/tomcat6: update 6.0.48 -> 6.0.51

  PR:		215865
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2016-8745
  Security:	https://vuxml.FreeBSD.org/freebsd/e5ec2767-d529-11e6-ae1b-002590263bf5.html

Changes:
_U  branches/2017Q1/
  branches/2017Q1/www/tomcat6/Makefile
  branches/2017Q1/www/tomcat6/distinfo
  branches/2017Q1/www/tomcat6/pkg-plist
Comment 13 Jason Unovitch freebsd_committer freebsd_triage 2017-03-18 01:48:30 UTC
All associated updates for the CVE-2016-8745 that this PR was opened for have been fixed.