Bug 257153

Summary: www/tomcat{7,85,9,10,-devel}: Update to 7.0.109, 8.5.69, 9.0.50, 10.0.8, 10.1.0-M2
Product: Ports & Packages
Reporter: VVD <vvd>
Component: Individual Port(s)
Assignee: Kevin Bowling <kbowling>
Status: Closed FIXED
Severity: Affects Many People
CC: ahmedsayeed1982, ale, kbowling, ports-secteam, vvd
Priority: Normal
Keywords: security
Version: Latest
Flags: koobs: maintainer-feedback? (vvd)
       kbowling: merge-quarterly+
Hardware: Any
OS: Any
URL: https://tomcat.apache.org/
Attachments (description, flags):
updated to 7.0.109   [ale: maintainer-approval+]
update to 8.5.69     [vvd: maintainer-approval+]
update to 9.5.50     [vvd: maintainer-approval+]
update to 10.0.8     [vvd: maintainer-approval+]
update to 10.1.0-M2  [vvd: maintainer-approval+]

Description VVD 2021-07-13 11:42:34 UTC
Created attachment 226422 [details]
updated to 7.0.109

Tested on 12.2-p9 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-7.0-doc/changelog.html#Tomcat_7.0.109_(violetagg)
Comment 1 VVD 2021-07-13 11:43:41 UTC
Created attachment 226423 [details]
update to 8.5.69

Tested on 12.2-p9 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.69_(schultz)
Comment 2 VVD 2021-07-13 11:44:41 UTC
Created attachment 226424 [details]
update to 9.5.50

Tested on 12.2-p9 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.50_(remm)
Comment 3 VVD 2021-07-13 11:45:57 UTC
Created attachment 226425 [details]
update to 10.0.8

Tested on 12.2-p9 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.8_(markt)
Comment 4 VVD 2021-07-13 11:47:49 UTC
Created attachment 226426 [details]
update to 10.1.0-M2

Tested on 12.2-p9 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M2_(markt)
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-07-13 11:54:07 UTC
Perfect bug report VVD, well done.
Comment 6 VVD 2021-07-13 13:09:53 UTC
(In reply to Kubilay Kocak from comment #5)
Thanks. :-D

Fixed CVEs:
CVE-2021-30639
CVE-2021-30640
CVE-2021-33037
==========================================================
CVE-2021-30639 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.3 to 10.0.4
Apache Tomcat 9.0.44
Apache Tomcat 8.5.64

Description:
An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS.
Applications that do not use non-blocking I/O are not exposed to this vulnerability.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.5 or later
- Upgrade to Apache Tomcat 9.0.45 or later
- Upgrade to Apache Tomcat 8.5.65 or later

History:
2021-07-12 Original advisory
==========================================================
CVE-2021-30640 JNDI Realm Authentication Weakness

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.5
Apache Tomcat 9.0.0.M1 to 9.0.45
Apache Tomcat 8.5.0 to 8.5.65
Apache Tomcat 7.0.0 to 7.0.108

Description:
Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (e.g. user names) as well as configuration data provided by an administrator.
In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.6 or later
- Upgrade to Apache Tomcat 9.0.46 or later
- Upgrade to Apache Tomcat 8.5.66 or later
- Upgrade to Apache Tomcat 7.0.109 or later

History:
2021-07-12 Original advisory
==========================================================
CVE-2021-33037 HTTP request smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.6
Apache Tomcat 9.0.0.M1 to 9.0.46
Apache Tomcat 8.5.0 to 8.5.66

Description:
Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identity encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.7 or later
- Upgrade to Apache Tomcat 9.0.48 or later
- Upgrade to Apache Tomcat 8.5.68 or later
Note that the issue was fixed in 9.0.47 and 8.5.67 but the release votes for those versions did not pass.

History:
2021-07-12 Original advisory 
==========================================================
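The CVE-2021-33037 advisory quoted above names three Transfer-Encoding parsing mistakes. The following is an added example, not Tomcat code and not part of this bug report, showing how a front end (or any HTTP/1.x parser) can enforce the corresponding three rules before forwarding a request; the header layout, function names and the sample requests are this example's own constructions, and the refusal of Transfer-Encoding together with Content-Length is a stricter choice than the advisory itself requires.

```python
"""Request-framing checks for an HTTP/1.x front end, enforcing the three
Transfer-Encoding rules named in the CVE-2021-33037 advisory.
Added example: names, layout and sample requests are constructed here."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple

# Transfer codings registered for HTTP/1.1; 'identity' is deliberately absent
# because RFC 7230 removed it as a transfer coding.
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}

Header = Tuple[str, str]


@dataclass(frozen=True)
class Framing:
    kind: str          # "chunked", "content-length", "none" or "reject"
    length: int = 0    # body length when kind == "content-length"
    reason: str = ""   # why the request was rejected


def parse_transfer_encoding(value: str) -> List[str]:
    """Split one Transfer-Encoding field value into lower-cased coding names.
    Coding parameters (after ';') are dropped and empty list elements ignored."""
    codings = []
    for element in value.split(","):
        name = element.split(";", 1)[0].strip().lower()
        if name:
            codings.append(name)
    return codings


def decide_framing(http_version: str, headers: List[Header]) -> Framing:
    """Return how the request body is delimited, or a rejection.

    A front end that gets "reject" answers 400 and closes the connection
    rather than guessing where the body ends."""
    if http_version not in ("HTTP/1.0", "HTTP/1.1"):
        return Framing("reject", reason=f"unsupported version {http_version!r}")

    te_values = [v for name, v in headers if name.lower() == "transfer-encoding"]
    cl_values = [v.strip() for name, v in headers if name.lower() == "content-length"]

    if te_values:
        # Rule 1: the version the client announces never switches Transfer-Encoding
        # handling off; an HTTP/1.0 request line goes through exactly the same checks.
        codings: List[str] = []
        for v in te_values:
            codings.extend(parse_transfer_encoding(v))
        # Rule 2: 'identity' is not a transfer coding. Honouring it lets the proxy
        # and the origin disagree about how the body is delimited.
        if "identity" in codings:
            return Framing("reject", reason="identity transfer coding")
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            return Framing("reject", reason=f"unknown transfer coding {unknown[0]!r}")
        # Rule 3: chunked must appear exactly once and must be the final coding.
        if codings.count("chunked") != 1 or codings[-1] != "chunked":
            return Framing("reject", reason="chunked is not the final transfer coding")
        # RFC 7230 allows ignoring Content-Length when Transfer-Encoding is present;
        # refusing the combination outright is the stricter, safer choice for a proxy.
        if cl_values:
            return Framing("reject", reason="Transfer-Encoding and Content-Length both present")
        return Framing("chunked")

    if cl_values:
        if len(set(cl_values)) != 1 or not cl_values[0].isdigit():
            return Framing("reject", reason="invalid or conflicting Content-Length")
        return Framing("content-length", length=int(cl_values[0]))

    return Framing("none")


if __name__ == "__main__":
    # Constructed sample requests, one per rule in the advisory plus two normal ones.
    samples = [
        ("HTTP/1.0", [("Host", "app"), ("Transfer-Encoding", "chunked")]),
        ("HTTP/1.1", [("Host", "app"), ("Transfer-Encoding", "identity")]),
        ("HTTP/1.1", [("Host", "app"), ("Transfer-Encoding", "chunked, gzip")]),
        ("HTTP/1.1", [("Host", "app"), ("Transfer-Encoding", "gzip, chunked")]),
        ("HTTP/1.1", [("Host", "app"), ("Content-Length", "12")]),
    ]
    for version, hdrs in samples:
        print(version, hdrs[1:], "->", decide_framing(version, hdrs))
```

Each branch that returns "reject" corresponds to a case where the origin and a reverse proxy could otherwise pick different body boundaries; logging the `reason` field at the edge gives a cheap detection signal for clients probing those cases.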
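The CVE-2021-30640 advisory above comes down to user-supplied names reaching an LDAP filter and DN unescaped. As an added example (not Tomcat code and not part of this bug report), the functions below apply the RFC 4515 filter escaping and RFC 4514 DN escaping that such a realm needs before substitution; the `{0}` placeholder style is borrowed from JNDIRealm's `userSearch` and `userPattern` attributes, but the function names and the sample user names are this example's own.

```python
"""Escaping for LDAP search filters (RFC 4515) and distinguished names (RFC 4514)
before a user-supplied name is substituted into a realm query.
Added example: functions, '{0}' handling and sample names are constructed here."""
from __future__ import annotations

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514 section 2.4: characters that need a backslash anywhere in an RDN value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Make a string safe as an assertion value in an LDAP search filter.
    Without this, '*' widens the match and '(' / ')' change the filter structure,
    which is how a variant of a user name can still match that user's entry."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Make a string safe as an RDN attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in "# ":       # leading '#' or space
            out.append("\\" + ch)
        elif i == last and ch == " ":     # trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def fill_user_search(template: str, username: str) -> str:
    """Substitute the user name into a search-filter template such as '(uid={0})'."""
    return template.replace("{0}", escape_filter_value(username))


def fill_user_pattern(template: str, username: str) -> str:
    """Substitute the user name into a DN template such as 'uid={0},ou=people'."""
    return template.replace("{0}", escape_dn_value(username))


if __name__ == "__main__":
    # Constructed names: the first is ordinary, the rest carry filter or DN metacharacters.
    for name in ["alice", "ali*ce", "a)(b", " lead", "x=y"]:
        print(repr(name))
        print("  escaped filter:", fill_user_search("(uid={0})", name))
        print("  escaped DN:    ", fill_user_pattern("uid={0},ou=people,dc=example,dc=org", name))
```

With escaping in place a name such as `ali*ce` matches only an entry literally named `ali*ce`, so the lock-out counter keyed on the submitted name and the directory entry it resolves to stay in step, which is the property the advisory says the LockOut Realm lost.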
Comment 7 Kevin Bowling freebsd_committer 2021-07-14 01:55:30 UTC
This is tricky, will you prepare VuXML patches and attach them?  The main part is 'make newentry' in https://docs.freebsd.org/en/books/porters-handbook/security/#security-notify.
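For readers who, like the reporter here, have not written a VuXML entry before: the `make newentry` target mentioned above appends a skeleton to `security/vuxml/vuln-2021.xml`, which is then filled in by hand. The fragment below is an added illustration of what a finished entry for CVE-2021-33037 looks like, not the entry Kevin Bowling committed in this bug; the `vid` is a placeholder (real entries carry a freshly generated UUID), the package ranges are taken from the advisory's fix versions rather than from the committed file, the `<url>` reuses the changelog link posted in this report, and tomcat-devel is left out because the advisory lists no 10.1 milestone as affected.

```xml
<!-- Added example; vid is a placeholder, ranges follow the upstream advisory -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>tomcat -- HTTP request smuggling</topic>
  <affects>
    <package>
      <name>tomcat85</name>
      <range><lt>8.5.68</lt></range>
    </package>
    <package>
      <name>tomcat9</name>
      <range><lt>9.0.48</lt></range>
    </package>
    <package>
      <name>tomcat10</name>
      <range><lt>10.0.7</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Apache Software Foundation reports:</p>
      <blockquote>
        <p>Apache Tomcat did not correctly parse the HTTP transfer-encoding
          request header in some circumstances, leading to the possibility of
          request smuggling when used with a reverse proxy.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2021-33037</cvename>
    <url>https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.50_(remm)</url>
  </references>
  <dates>
    <discovery>2021-07-12</discovery>
    <entry>2021-08-01</entry>
  </dates>
</vuln>
```

After editing, `make validate` in `security/vuxml` checks the file against the schema, which is the step that catches a mistyped package name or an unclosed range before the entry is committed.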
Comment 8 VVD 2021-07-22 23:27:00 UTC
(In reply to Kevin Bowling from comment #7)
Sorry, but no time to learn how to do this.
Comment 9 commit-hook freebsd_committer 2021-08-01 15:42:12 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c9577aaafdbd34b08c30bfe12cd4690db0749dab

commit c9577aaafdbd34b08c30bfe12cd4690db0749dab
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:38:26 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 15:38:26 +0000

    www/tomcat7: Update to 7.0.109

    PR:             257153
    Approved by:    ale (maintainer)
    Security:       CVE-2021-30640

 www/tomcat7/Makefile  |  4 ++--
 www/tomcat7/distinfo  |  6 +++---
 www/tomcat7/pkg-descr | 10 +++++-----
 3 files changed, 10 insertions(+), 10 deletions(-)
Comment 10 commit-hook freebsd_committer 2021-08-01 15:44:14 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=07af47498de63bf4ae2a5d0538e476d8836a7a65

commit 07af47498de63bf4ae2a5d0538e476d8836a7a65
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:42:30 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 15:42:30 +0000

    www/tomcat85: Update to 8.5.69

    PR:             257153
    Security:       CVE-2021-30639
                    CVE-2021-30640
                    CVE-2021-33037

 www/tomcat85/Makefile  | 2 +-
 www/tomcat85/distinfo  | 6 +++---
 www/tomcat85/pkg-descr | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)
Comment 11 commit-hook freebsd_committer 2021-08-01 15:48:15 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9de1ede0445ba4017cd8b25759417c2c95b23870

commit 9de1ede0445ba4017cd8b25759417c2c95b23870
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:45:12 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 15:45:12 +0000

    www/tomcat9: Update to 9.0.50

    PR:             257153
    Security:       CVE-2021-30639
                    CVE-2021-30640
                    CVE-2021-33037

 www/tomcat9/Makefile  | 2 +-
 www/tomcat9/distinfo  | 6 +++---
 www/tomcat9/pkg-descr | 9 ++++-----
 www/tomcat9/pkg-plist | 2 +-
 4 files changed, 9 insertions(+), 10 deletions(-)
Comment 12 commit-hook freebsd_committer 2021-08-01 15:50:17 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c4c1af78fb6a2b548d266c8e490c246052158519

commit c4c1af78fb6a2b548d266c8e490c246052158519
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:48:25 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 15:48:25 +0000

    www/tomcat10: Update to 10.0.8

    PR:             257153
    Security:       CVE-2021-30639
                    CVE-2021-30640
                    CVE-2021-33037

 www/tomcat10/Makefile  | 4 +++-
 www/tomcat10/distinfo  | 6 +++---
 www/tomcat10/pkg-descr | 9 ++++-----
 www/tomcat10/pkg-plist | 4 ++--
 4 files changed, 12 insertions(+), 11 deletions(-)
Comment 13 commit-hook freebsd_committer 2021-08-01 15:53:18 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=839de580f358e61f5c00e87457f75cc6d8f263b6

commit 839de580f358e61f5c00e87457f75cc6d8f263b6
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:51:28 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 15:51:28 +0000

    www/tomcat-devel: Update to 10.1.0-M2

    PR:             257153
    Security:       CVE-2021-30639
                    CVE-2021-30640
                    CVE-2021-33037

 www/tomcat-devel/Makefile  | 8 ++++----
 www/tomcat-devel/distinfo  | 6 +++---
 www/tomcat-devel/pkg-descr | 8 ++++----
 www/tomcat-devel/pkg-plist | 4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)
Comment 14 commit-hook freebsd_committer 2021-08-01 16:09:23 UTC
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=686382e0620f6978817ede59223d59db26cb47c9

commit 686382e0620f6978817ede59223d59db26cb47c9
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:45:12 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 16:07:54 +0000

    www/tomcat9: Update to 9.0.50

    PR:             257153
    Security:       CVE-2021-30639
                    CVE-2021-30640
                    CVE-2021-33037
    (cherry picked from commit 9de1ede0445ba4017cd8b25759417c2c95b23870)

 www/tomcat9/Makefile  | 2 +-
 www/tomcat9/distinfo  | 6 +++---
 www/tomcat9/pkg-descr | 9 ++++-----
 www/tomcat9/pkg-plist | 2 +-
 4 files changed, 9 insertions(+), 10 deletions(-)
Comment 15 commit-hook freebsd_committer 2021-08-01 16:09:24 UTC
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c088ad5cc07a54e94997f543cca67e6e2ba8c291

commit c088ad5cc07a54e94997f543cca67e6e2ba8c291
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:42:30 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 16:07:35 +0000

    www/tomcat85: Update to 8.5.69

    PR:             257153
    Security:       CVE-2021-30639
                    CVE-2021-30640
                    CVE-2021-33037
    (cherry picked from commit 07af47498de63bf4ae2a5d0538e476d8836a7a65)

 www/tomcat85/Makefile  | 2 +-
 www/tomcat85/distinfo  | 6 +++---
 www/tomcat85/pkg-descr | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)
Comment 16 commit-hook freebsd_committer 2021-08-01 16:09:25 UTC
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3e9bbc6dbb6b794fd9b1227629a040d70a5f482b

commit 3e9bbc6dbb6b794fd9b1227629a040d70a5f482b
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:48:25 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 16:08:12 +0000

    www/tomcat10: Update to 10.0.8

    PR:             257153
    Security:       CVE-2021-30639
                    CVE-2021-30640
                    CVE-2021-33037
    (cherry picked from commit c4c1af78fb6a2b548d266c8e490c246052158519)

 www/tomcat10/Makefile  | 4 +++-
 www/tomcat10/distinfo  | 6 +++---
 www/tomcat10/pkg-descr | 9 ++++-----
 www/tomcat10/pkg-plist | 4 ++--
 4 files changed, 12 insertions(+), 11 deletions(-)
Comment 17 commit-hook freebsd_committer 2021-08-01 16:09:26 UTC
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=387db17c7f9eae9f3ac9ba636fae8893bfe77189

commit 387db17c7f9eae9f3ac9ba636fae8893bfe77189
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:38:26 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 16:07:24 +0000

    www/tomcat7: Update to 7.0.109

    PR:             257153
    Approved by:    ale (maintainer)
    Security:       CVE-2021-30640

    (cherry picked from commit c9577aaafdbd34b08c30bfe12cd4690db0749dab)

 www/tomcat7/Makefile  |  4 ++--
 www/tomcat7/distinfo  |  6 +++---
 www/tomcat7/pkg-descr | 10 +++++-----
 3 files changed, 10 insertions(+), 10 deletions(-)
Comment 18 commit-hook freebsd_committer 2021-08-01 16:09:27 UTC
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0fb3c1b3f8c41d41f633bc6fae0353793c3ada0e

commit 0fb3c1b3f8c41d41f633bc6fae0353793c3ada0e
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:51:28 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 16:08:22 +0000

    www/tomcat-devel: Update to 10.1.0-M2

    PR:             257153
    Security:       CVE-2021-30639
                    CVE-2021-30640
                    CVE-2021-33037
    (cherry picked from commit 839de580f358e61f5c00e87457f75cc6d8f263b6)

 www/tomcat-devel/Makefile  | 8 ++++----
 www/tomcat-devel/distinfo  | 6 +++---
 www/tomcat-devel/pkg-descr | 8 ++++----
 www/tomcat-devel/pkg-plist | 4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)
Comment 19 commit-hook freebsd_committer 2021-08-01 21:37:22 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9462edd84baf7bc7e2716da90f81661080f273e0

commit 9462edd84baf7bc7e2716da90f81661080f273e0
Author:     Kevin Bowling <kbowling@FreeBSD.org>
AuthorDate: 2021-08-01 21:34:18 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 21:35:55 +0000

    security/vuxml: document tomcat CVE-2021-30639

    PR:             257153

 security/vuxml/vuln-2021.xml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
Comment 20 commit-hook freebsd_committer 2021-08-01 21:44:24 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=63c4db72a03aec209d37720f1e0eaaf00e1fd02d

commit 63c4db72a03aec209d37720f1e0eaaf00e1fd02d
Author:     Kevin Bowling <kbowling@FreeBSD.org>
AuthorDate: 2021-08-01 21:42:39 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 21:42:39 +0000

    security/vuxml: correct tomcat package name/versions

    PR:             257153
    Fixes:  9462edd84baf

 security/vuxml/vuln-2021.xml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
Comment 21 commit-hook freebsd_committer 2021-08-01 21:53:26 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9c1924450f57ec143cd6f72aa1c9a48f30f755ee

commit 9c1924450f57ec143cd6f72aa1c9a48f30f755ee
Author:     Kevin Bowling <kbowling@FreeBSD.org>
AuthorDate: 2021-08-01 21:51:39 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 21:52:40 +0000

    security/vuxml: document tomcat CVE-2021-30640

    PR:             257153

 security/vuxml/vuln-2021.xml | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)
Comment 22 commit-hook freebsd_committer 2021-08-01 21:58:28 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=515969d6d65fd8c492a84fcb31cfae377ef2dd5e

commit 515969d6d65fd8c492a84fcb31cfae377ef2dd5e
Author:     Kevin Bowling <kbowling@FreeBSD.org>
AuthorDate: 2021-08-01 21:57:10 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 21:57:10 +0000

    security/vuxml: document tomcat CVE-2021-33037

    PR:             257153

 security/vuxml/vuln-2021.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
Comment 23 Kevin Bowling freebsd_committer 2021-08-01 22:02:01 UTC
(In reply to VVD from comment #8)
Thanks for your contributions!

Please review my commits for validation and to learn how VuXML works take a look at those commits and https://docs.freebsd.org/en/books/porters-handbook/security/.
Comment 24 VVD 2021-08-01 23:01:33 UTC
(In reply to Kevin Bowling from comment #23)
Thanks!