Bug 246657 - security/vuxml tomcat remote code execution
Summary: security/vuxml tomcat remote code execution
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Ports Security Team
Reported: 2020-05-22 11:43 UTC by rob2g2
Modified: 2020-06-26 06:42 UTC (History)
bugzilla: maintainer-feedback? (ports-secteam)


Attachments
patch for vuxml (1.33 KB, patch)
2020-05-22 11:43 UTC, rob2g2

Description rob2g2 2020-05-22 11:43:40 UTC
Created attachment 214755
patch for vuxml

add CVE-2020-9484 to vuxml
Comment 1 VVD 2020-05-22 11:54:38 UTC
8.5, 9 and 10 were updated already: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246446
7 isn't updated.
Comment 2 rob2g2 2020-05-22 11:57:21 UTC
Yes, that happened crazy fast, thank you. But shouldn't vuxml include this CVE to inform users about the security risk if they run an older version?
Comment 3 VVD 2020-05-22 12:04:15 UTC
(In reply to rob2g2 from comment #2)
Yes, of course.
CVE was announced less than 2 days ago and nobody has done this job yet…
Comment 4 rob2g2 2020-05-22 12:07:50 UTC
The patch in my attachment should work to update vuxml.
Comment 5 Jochen Neumeister 2020-05-22 12:49:06 UTC
Taking as part of ports-secteam.
After that, I will MFH the landed commits.
Comment 6 commit-hook 2020-05-23 09:22:37 UTC
A commit references this bug:

Author: joneum
Date: Sat May 23 09:22:22 UTC 2020
New revision: 536276
URL: https://svnweb.freebsd.org/changeset/ports/536276

Log:
  Add entry for tomcat

  PR:		246657
  Sponsored by:	Netzkommune GmbH

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook 2020-05-23 11:29:03 UTC
A commit references this bug:

Author: joneum
Date: Sat May 23 11:28:25 UTC 2020
New revision: 536288
URL: https://svnweb.freebsd.org/changeset/ports/536288

Log:
  Update to 8.5.55

  PR:		246446 246657
  Approved by:	ports-secteam (with hat)
  Security:	676ca486-9c1e-11ea-8b5e-b42e99a1b9c3
  Sponsored by:	Netzkommune GmbH

Changes:
  branches/2020Q2/www/tomcat85/Makefile
  branches/2020Q2/www/tomcat85/distinfo
Comment 8 commit-hook 2020-05-23 11:33:06 UTC
A commit references this bug:

Author: joneum
Date: Sat May 23 11:32:25 UTC 2020
New revision: 536289
URL: https://svnweb.freebsd.org/changeset/ports/536289

Log:
  Update to 9.0.35

  PR:		246446 246657
  Approved by:	ports-secteam (with hat)
  Security:	676ca486-9c1e-11ea-8b5e-b42e99a1b9c3
  Sponsored by:	Netzkommune GmbH

Changes:
  branches/2020Q2/www/tomcat9/Makefile
  branches/2020Q2/www/tomcat9/distinfo
  branches/2020Q2/www/tomcat9/pkg-plist
Comment 9 VVD 2020-06-25 22:30:35 UTC
(Tomcat ports already updated)

CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M5
Apache Tomcat 9.0.0.M1 to 9.0.35
Apache Tomcat 8.5.0 to 8.5.55

Description:
A specially crafted sequence of HTTP/2 requests could trigger high CPU
usage for several seconds. If a sufficient number of such requests were
made on concurrent HTTP/2 connections, the server could become unresponsive.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M6 or later
- Upgrade to Apache Tomcat 9.0.36 or later
- Upgrade to Apache Tomcat 8.5.56 or later

Credit:
This issue was reported publicly via the Apache Tomcat Users mailing
list without reference to the potential for DoS. The DoS risks were
identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
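The advisory quoted in the comment above gives an inclusive "Versions Affected" range and a first fixed release for each Tomcat branch. The following is an added example, not code from FreeBSD, vuxml or the Tomcat project, that encodes exactly those ranges so an installed version can be checked offline. It assumes the two milestone spellings Tomcat has used (9.0.0.M1 and 10.0.0-M5), the rule that a milestone sorts before the GA build with the same three numbers, and sample package lines constructed in the shape of `pkg query '%n-%v'` output; the function names are the example's own.

```python
"""Check Tomcat version strings against the CVE-2020-11996 ranges.

Added example (not vuxml, pkg-audit or Tomcat code).  The ranges and fixed
versions are copied from the advisory text quoted in this bug; nothing
else is asserted about the vulnerability.
"""
import re
from typing import Dict, Iterable, NamedTuple, Optional

# Accepts "8.5.55", "9.0.0.M1" and "10.0.0-M5" (milestone letter in either case).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$", re.IGNORECASE)


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    ga: int         # 0 = milestone (pre-release), 1 = general-availability build
    milestone: int  # milestone number, 0 for GA builds


def parse_version(text: str) -> TomcatVersion:
    """Parse a Tomcat version string into a tuple that orders correctly.

    Assumption of this example: a milestone precedes the GA build with the
    same numbers, so 10.0.0-M6 < 10.0.0 and 9.0.0.M1 < 9.0.0.  Plain tuple
    comparison then gives the right order within and across branches.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(milestone))


# Inclusive ranges, copied from the advisory's "Versions Affected" section.
# Branches the advisory does not list (e.g. 7.0.x) are simply not matched.
CVE_2020_11996_AFFECTED = (
    ("10.0.0-M1", "10.0.0-M5"),
    ("9.0.0.M1", "9.0.35"),
    ("8.5.0", "8.5.55"),
)

# First fixed release per (major, minor) branch, from the "Mitigation" section.
CVE_2020_11996_FIXED = {(10, 0): "10.0.0-M6", (9, 0): "9.0.36", (8, 5): "8.5.56"}


def is_affected(version: str, ranges=CVE_2020_11996_AFFECTED) -> bool:
    """True if `version` falls inside any inclusive affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def first_fixed(version: str) -> Optional[str]:
    """Return the release to upgrade to, or None if `version` is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    return CVE_2020_11996_FIXED[(v.major, v.minor)]


def audit_pkg_lines(lines: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each installed tomcat* package to its required upgrade (or None).

    Input lines have the shape of `pkg query '%n-%v'` output, e.g.
    "tomcat9-9.0.35"; the version is everything after the last '-'.
    Non-tomcat packages are ignored.
    """
    result: Dict[str, Optional[str]] = {}
    for line in lines:
        name, _, ver = line.strip().rpartition("-")
        if not name.startswith("tomcat"):
            continue
        result[name] = first_fixed(ver)
    return result


# Constructed sample input (not real host data), in `pkg query '%n-%v'` shape.
SAMPLE_PKG_LINES = [
    "tomcat9-9.0.35",
    "tomcat85-8.5.56",
    "openjdk11-11.0.7+10.2",
]

if __name__ == "__main__":
    for pkg, fix in audit_pkg_lines(SAMPLE_PKG_LINES).items():
        print(f"{pkg}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Running the block prints "tomcat9: upgrade to 9.0.36" and "tomcat85: not affected" for the constructed sample. The real vuxml entry does this comparison through `pkg audit` against port version ranges; the example only illustrates how the advisory's three ranges translate into a version check, including the milestone ordering that a naive string or float comparison gets wrong.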
Comment 10 rob2g2 2020-06-26 06:42:53 UTC
Thanks, I have made a vuxml entry: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247555