Created attachment 214755: patch for vuxml
Add CVE-2020-9484 to vuxml.
8.5, 9 and 10 were updated already: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246446. 7 isn't updated.
Yes, that happened crazy fast, thank you. But shouldn't vuxml include this CVE to inform users about the security risk if they run an older version?
(In reply to rob2g2 from comment #2) Yes, of course. The CVE was announced less than 2 days ago and nobody has done this job yet…
The patch in my attachment should work to update vuxml.
Taking as part of ports-secteam. After that, I will MFH the landed commits.
A commit references this bug:

Author: joneum
Date: Sat May 23 09:22:22 UTC 2020
New revision: 536276
URL: https://svnweb.freebsd.org/changeset/ports/536276

Log:
Add entry for tomcat

PR: 246657
Sponsored by: Netzkommune GmbH

Changes:
head/security/vuxml/vuln.xml
A commit references this bug:

Author: joneum
Date: Sat May 23 11:28:25 UTC 2020
New revision: 536288
URL: https://svnweb.freebsd.org/changeset/ports/536288

Log:
Update to 8.5.55

PR: 246446 246657
Approved by: ports-secteam (with hat)
Security: 676ca486-9c1e-11ea-8b5e-b42e99a1b9c3
Sponsored by: Netzkommune GmbH

Changes:
branches/2020Q2/www/tomcat85/Makefile
branches/2020Q2/www/tomcat85/distinfo
A commit references this bug:

Author: joneum
Date: Sat May 23 11:32:25 UTC 2020
New revision: 536289
URL: https://svnweb.freebsd.org/changeset/ports/536289

Log:
Update to 9.0.35

PR: 246446 246657
Approved by: ports-secteam (with hat)
Security: 676ca486-9c1e-11ea-8b5e-b42e99a1b9c3
Sponsored by: Netzkommune GmbH

Changes:
branches/2020Q2/www/tomcat9/Makefile
branches/2020Q2/www/tomcat9/distinfo
branches/2020Q2/www/tomcat9/pkg-plist
(Tomcat ports already updated)

CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M5
Apache Tomcat 9.0.0.M1 to 9.0.35
Apache Tomcat 8.5.0 to 8.5.55

Description:
A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M6 or later
- Upgrade to Apache Tomcat 9.0.36 or later
- Upgrade to Apache Tomcat 8.5.56 or later

Credit:
This issue was reported publicly via the Apache Tomcat Users mailing list without reference to the potential for DoS. The DoS risks were identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
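An added example, not part of this bug or of the quoted advisory: a small Python check that parses Tomcat's two milestone spellings ("9.0.0.M1", "10.0.0-M5") alongside GA versions and reports whether an installed version falls inside the affected ranges listed above, and which release the mitigation section names for that branch. The ranges and fixed versions are copied from the advisory; the version-ordering rules (a milestone sorts before a GA build of the same major.minor.patch) are an assumption of this example.

```python
import re
from typing import Optional, Tuple

# Affected ranges (inclusive) and the fixed release per branch, as stated in the
# CVE-2020-11996 advisory quoted above.
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M5", "10.0.0-M6"),
    ("9.0.0.M1", "9.0.35", "9.0.36"),
    ("8.5.0", "8.5.55", "8.5.56"),
]

# major.minor.patch with an optional milestone suffix written as ".M<n>" or "-M<n>".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_tomcat_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    Assumed ordering rule: a milestone build sorts before the GA build with the
    same major.minor.patch, and milestones of one triple sort by their number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)   # GA release
    return (int(major), int(minor), int(patch), 0, int(milestone))  # milestone


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range from the advisory."""
    v = parse_tomcat_version(version)
    return any(parse_tomcat_version(lo) <= v <= parse_tomcat_version(hi)
               for lo, hi, _ in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Return the fixed release for the affected branch, or None if not affected."""
    v = parse_tomcat_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_tomcat_version(lo) <= v <= parse_tomcat_version(hi):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory, one version string per host.
    for ver in ["8.5.55", "9.0.36", "10.0.0-M5", "7.0.104"]:
        print(ver, "affected" if is_affected(ver) else "not affected",
              recommended_upgrade(ver) or "")
```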
Thanks, I have made a vuxml entry: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247555