| Field | Value |
|---|---|
| Summary | www/tomcat{7,85,9,10,-devel}: Update to 7.0.109, 8.5.69, 9.0.50, 10.0.8, 10.1.0-M2 |
| Product | Ports & Packages |
| Component | Individual Port(s) |
| Status | Closed FIXED |
| Severity | Affects Many People |
| Priority | Normal |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| URL | https://tomcat.apache.org/ |
| Reporter | Vladimir Druzenko <vvd> |
| Assignee | Kevin Bowling <kbowling> |
| CC | ahmedsayeed1982, ale, kbowling, ports-secteam, vvd |
| Keywords | security |
| Flags | koobs: maintainer-feedback? (vvd); kbowling: merge-quarterly+ |
Description

Vladimir Druzenko:

Created attachment 226423 [details]
update to 8.5.69

Tested on 12.2-p9 amd64: make check-plist/install/run.
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.69_(schultz)

Created attachment 226424 [details]
update to 9.5.50

Tested on 12.2-p9 amd64: make check-plist/install/run.
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.50_(remm)

Created attachment 226425 [details]
update to 10.0.8

Tested on 12.2-p9 amd64: make check-plist/install/run.
https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.8_(markt)

Created attachment 226426 [details]
update to 10.1.0-M2

Tested on 12.2-p9 amd64: make check-plist/install/run.
https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M2_(markt)

Kubilay Kocak (comment #5):

Perfect bug report VVD, well done.

Vladimir Druzenko:

(In reply to Kubilay Kocak from comment #5)
Thanks. :-D

Fixed CVEs:
CVE-2021-30639
CVE-2021-30640
CVE-2021-33037

==========================================================
CVE-2021-30639 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.3 to 10.0.4
Apache Tomcat 9.0.44
Apache Tomcat 8.5.64

Description:
An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability.
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.0.5 or later
- Upgrade to Apache Tomcat 9.0.45 or later
- Upgrade to Apache Tomcat 8.5.65 or later

History:
2021-07-12 Original advisory

==========================================================
CVE-2021-30640 JNDI Realm Authentication Weakness

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.5
Apache Tomcat 9.0.0.M1 to 9.0.45
Apache Tomcat 8.5.0 to 8.5.65
Apache Tomcat 7.0.0 to 7.0.108

Description:
Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (eg user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.0.6 or later
- Upgrade to Apache Tomcat 9.0.46 or later
- Upgrade to Apache Tomcat 8.5.66 or later
- Upgrade to Apache Tomcat 7.0.109 or later

History:
2021-07-12 Original advisory

==========================================================
CVE-2021-33037 HTTP request smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.6
Apache Tomcat 9.0.0.M1 to 9.0.46
Apache Tomcat 8.5.0 to 8.5.66

Description:
Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identity encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.0.7 or later
- Upgrade to Apache Tomcat 9.0.48 or later
- Upgrade to Apache Tomcat 8.5.68 or later

Note that this issue was fixed in 9.0.47 and 8.5.67 but the release votes for those versions did not pass.

History:
2021-07-12 Original advisory

==========================================================

Kevin Bowling (comment #7):

This is tricky, will you prepare VuXML patches and attach them? The main part is 'make newentry' in https://docs.freebsd.org/en/books/porters-handbook/security/#security-notify.

Vladimir Druzenko (comment #8):

(In reply to Kevin Bowling from comment #7)
Sorry, but no time to learn how to do this.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c9577aaafdbd34b08c30bfe12cd4690db0749dab

commit c9577aaafdbd34b08c30bfe12cd4690db0749dab
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:38:26 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 15:38:26 +0000

    www/tomcat7: Update to 7.0.109

    PR:           257153
    Approved by:  ale (maintainer)
    Security:     CVE-2021-30640

 www/tomcat7/Makefile  |  4 ++--
 www/tomcat7/distinfo  |  6 +++---
 www/tomcat7/pkg-descr | 10 +++++-----
 3 files changed, 10 insertions(+), 10 deletions(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=07af47498de63bf4ae2a5d0538e476d8836a7a65

commit 07af47498de63bf4ae2a5d0538e476d8836a7a65
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:42:30 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 15:42:30 +0000

    www/tomcat85: Update to 8.5.69

    PR:        257153
    Security:  CVE-2021-30639 CVE-2021-30640 CVE-2021-33037

 www/tomcat85/Makefile  | 2 +-
 www/tomcat85/distinfo  | 6 +++---
 www/tomcat85/pkg-descr | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9de1ede0445ba4017cd8b25759417c2c95b23870

commit 9de1ede0445ba4017cd8b25759417c2c95b23870
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:45:12 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 15:45:12 +0000

    www/tomcat9: Update to 9.0.50

    PR:        257153
    Security:  CVE-2021-30639 CVE-2021-30640 CVE-2021-33037

 www/tomcat9/Makefile  | 2 +-
 www/tomcat9/distinfo  | 6 +++---
 www/tomcat9/pkg-descr | 9 ++++-----
 www/tomcat9/pkg-plist | 2 +-
 4 files changed, 9 insertions(+), 10 deletions(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c4c1af78fb6a2b548d266c8e490c246052158519

commit c4c1af78fb6a2b548d266c8e490c246052158519
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:48:25 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 15:48:25 +0000

    www/tomcat10: Update to 10.0.8

    PR:        257153
    Security:  CVE-2021-30639 CVE-2021-30640 CVE-2021-33037

 www/tomcat10/Makefile  | 4 +++-
 www/tomcat10/distinfo  | 6 +++---
 www/tomcat10/pkg-descr | 9 ++++-----
 www/tomcat10/pkg-plist | 4 ++--
 4 files changed, 12 insertions(+), 11 deletions(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=839de580f358e61f5c00e87457f75cc6d8f263b6

commit 839de580f358e61f5c00e87457f75cc6d8f263b6
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:51:28 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 15:51:28 +0000

    www/tomcat-devel: Update to 10.1.0-M2

    PR:        257153
    Security:  CVE-2021-30639 CVE-2021-30640 CVE-2021-33037

 www/tomcat-devel/Makefile  | 8 ++++----
 www/tomcat-devel/distinfo  | 6 +++---
 www/tomcat-devel/pkg-descr | 8 ++++----
 www/tomcat-devel/pkg-plist | 4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)

A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=686382e0620f6978817ede59223d59db26cb47c9

commit 686382e0620f6978817ede59223d59db26cb47c9
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:45:12 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 16:07:54 +0000

    www/tomcat9: Update to 9.0.50

    PR:        257153
    Security:  CVE-2021-30639 CVE-2021-30640 CVE-2021-33037

    (cherry picked from commit 9de1ede0445ba4017cd8b25759417c2c95b23870)

 www/tomcat9/Makefile  | 2 +-
 www/tomcat9/distinfo  | 6 +++---
 www/tomcat9/pkg-descr | 9 ++++-----
 www/tomcat9/pkg-plist | 2 +-
 4 files changed, 9 insertions(+), 10 deletions(-)

A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c088ad5cc07a54e94997f543cca67e6e2ba8c291

commit c088ad5cc07a54e94997f543cca67e6e2ba8c291
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:42:30 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 16:07:35 +0000

    www/tomcat85: Update to 8.5.69

    PR:        257153
    Security:  CVE-2021-30639 CVE-2021-30640 CVE-2021-33037

    (cherry picked from commit 07af47498de63bf4ae2a5d0538e476d8836a7a65)

 www/tomcat85/Makefile  | 2 +-
 www/tomcat85/distinfo  | 6 +++---
 www/tomcat85/pkg-descr | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)

A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3e9bbc6dbb6b794fd9b1227629a040d70a5f482b

commit 3e9bbc6dbb6b794fd9b1227629a040d70a5f482b
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:48:25 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 16:08:12 +0000

    www/tomcat10: Update to 10.0.8

    PR:        257153
    Security:  CVE-2021-30639 CVE-2021-30640 CVE-2021-33037

    (cherry picked from commit c4c1af78fb6a2b548d266c8e490c246052158519)

 www/tomcat10/Makefile  | 4 +++-
 www/tomcat10/distinfo  | 6 +++---
 www/tomcat10/pkg-descr | 9 ++++-----
 www/tomcat10/pkg-plist | 4 ++--
 4 files changed, 12 insertions(+), 11 deletions(-)

A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=387db17c7f9eae9f3ac9ba636fae8893bfe77189

commit 387db17c7f9eae9f3ac9ba636fae8893bfe77189
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:38:26 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 16:07:24 +0000

    www/tomcat7: Update to 7.0.109

    PR:           257153
    Approved by:  ale (maintainer)
    Security:     CVE-2021-30640

    (cherry picked from commit c9577aaafdbd34b08c30bfe12cd4690db0749dab)

 www/tomcat7/Makefile  |  4 ++--
 www/tomcat7/distinfo  |  6 +++---
 www/tomcat7/pkg-descr | 10 +++++-----
 3 files changed, 10 insertions(+), 10 deletions(-)

A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0fb3c1b3f8c41d41f633bc6fae0353793c3ada0e

commit 0fb3c1b3f8c41d41f633bc6fae0353793c3ada0e
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2021-08-01 15:51:28 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 16:08:22 +0000

    www/tomcat-devel: Update to 10.1.0-M2

    PR:        257153
    Security:  CVE-2021-30639 CVE-2021-30640 CVE-2021-33037

    (cherry picked from commit 839de580f358e61f5c00e87457f75cc6d8f263b6)

 www/tomcat-devel/Makefile  | 8 ++++----
 www/tomcat-devel/distinfo  | 6 +++---
 www/tomcat-devel/pkg-descr | 8 ++++----
 www/tomcat-devel/pkg-plist | 4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9462edd84baf7bc7e2716da90f81661080f273e0

commit 9462edd84baf7bc7e2716da90f81661080f273e0
Author:     Kevin Bowling <kbowling@FreeBSD.org>
AuthorDate: 2021-08-01 21:34:18 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 21:35:55 +0000

    security/vuxml: document tomcat CVE-2021-30639

    PR:  257153

 security/vuxml/vuln-2021.xml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=63c4db72a03aec209d37720f1e0eaaf00e1fd02d

commit 63c4db72a03aec209d37720f1e0eaaf00e1fd02d
Author:     Kevin Bowling <kbowling@FreeBSD.org>
AuthorDate: 2021-08-01 21:42:39 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 21:42:39 +0000

    security/vuxml: correct tomcat package name/versions

    PR:     257153
    Fixes:  9462edd84baf

 security/vuxml/vuln-2021.xml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9c1924450f57ec143cd6f72aa1c9a48f30f755ee

commit 9c1924450f57ec143cd6f72aa1c9a48f30f755ee
Author:     Kevin Bowling <kbowling@FreeBSD.org>
AuthorDate: 2021-08-01 21:51:39 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 21:52:40 +0000

    security/vuxml: document tomcat CVE-2021-30640

    PR:  257153

 security/vuxml/vuln-2021.xml | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=515969d6d65fd8c492a84fcb31cfae377ef2dd5e

commit 515969d6d65fd8c492a84fcb31cfae377ef2dd5e
Author:     Kevin Bowling <kbowling@FreeBSD.org>
AuthorDate: 2021-08-01 21:57:10 +0000
Commit:     Kevin Bowling <kbowling@FreeBSD.org>
CommitDate: 2021-08-01 21:57:10 +0000

    security/vuxml: document tomcat CVE-2021-33037

    PR:  257153

 security/vuxml/vuln-2021.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

Kevin Bowling (comment #23):

(In reply to VVD from comment #8)
Thanks for your contributions! Please review my commits for validation, and to learn how VuXML works take a look at those commits and https://docs.freebsd.org/en/books/porters-handbook/security/.

Vladimir Druzenko:

(In reply to Kevin Bowling from comment #23)
Thanks!
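The CVE-2021-33037 advisory quoted above names three Transfer-Encoding parsing mistakes (header ignored for an HTTP/1.0 client, `identity` honoured, `chunked` not required to be last), each of which lets a reverse proxy and the backend disagree on where a request body ends. The check below is an added example, not code from this bug report or from Tomcat: a Python function that rejects request heads showing any of those conditions, plus the Transfer-Encoding/Content-Length conflict that RFC 7230 section 3.3.3 also tells servers to reject, run over constructed sample requests.

```python
import re

# RFC 7230 "token" characters: every transfer-coding name must be one token.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_request_head(raw: str):
    """Split a raw request head into (request_line, [(name, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def transfer_encoding_problems(raw: str) -> list:
    """Reasons an HTTP/1.1 front end should reject this head; [] means unambiguous."""
    request_line, headers = parse_request_head(raw)
    te_values = [v for n, v in headers if n.lower() == "transfer-encoding"]
    if not te_values:
        return []
    problems = []
    # 1. Tomcat ignored the header when the client declared HTTP/1.0; a proxy in
    #    front may still honour it, so the two disagree on where the body ends.
    if request_line.split()[-1] == "HTTP/1.0":
        problems.append("Transfer-Encoding on an HTTP/1.0 request")
    codings = [c.strip().lower() for v in te_values for c in v.split(",")]
    if any(not TOKEN.match(c) for c in codings):
        problems.append("malformed transfer-coding list")
    # 2. 'identity' is not a transfer-coding in RFC 7230 and must not be honoured.
    if "identity" in codings:
        problems.append("identity transfer-coding")
    # 3. chunked must be the final coding, otherwise the body length is unknown.
    if codings[-1] != "chunked":
        problems.append("chunked is not the final transfer-coding")
    # 4. Transfer-Encoding and Content-Length together give two framings of one body.
    if any(n.lower() == "content-length" for n, _ in headers):
        problems.append("both Transfer-Encoding and Content-Length present")
    return problems


# Constructed sample request heads (not from the page): one clean, three ambiguous.
SAMPLES = {
    "clean": "POST /app HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
    "http10": "POST /app HTTP/1.0\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n",
    "identity": "POST /app HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked, identity\r\n\r\n",
    "te_cl": "POST /app HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
}
```

A front end that returns 400 for any non-empty result never forwards a request whose framing the fixed Tomcat versions and an upstream proxy could read differently.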