[Bug 257153] www/tomcat{7,85,9,10,-devel}: Update to 7.0.109, 8.5.69, 9.0.50, 10.0.8, 10.1.0-M2
Date: Tue, 13 Jul 2021 13:09:53 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257153 VVD <vvd@unislabs.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |maintainer-feedback+ --- Comment #6 from VVD <vvd@unislabs.com> --- (In reply to Kubilay Kocak from comment #5) Thanks. :-D Fixed CVEs: CVE-2021-30639 CVE-2021-30640 CVE-2021-33037 ========================================================== CVE-2021-30639 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.3 to 10.0.4 Apache Tomcat 9.0.44 Apache Tomcat 8.5.64 Description: An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 10.0.5 or later - Upgrade to Apache Tomcat 9.0.45 or later - Upgrade to Apache Tomcat 8.5.65 or later History: 2021-07-12 Original advisory ========================================================== CVE-2021-30640 JNDI Realm Authentication Weakness Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.5 Apache Tomcat 9.0.0.M1 to 9.0.45 Apache Tomcat 8.5.0 to 8.5.65 Apache Tomcat 7.0.0 to 7.0.108 Description: Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (eg user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 10.0.6 or later - Upgrade to Apache Tomcat 9.0.46 or later - Upgrade to Apache Tomcat 8.5.66 or later - Upgrade to Apache Tomcat 7.0.109 or later History: 2021-07-12 Original advisory ========================================================== CVE-2021-33037 HTTP request smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.6 Apache Tomcat 9.0.0.M1 to 9.0.46 Apache Tomcat 8.5.0 to 8.5.66 Description: Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identify encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding.</p> Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 10.0.7 or later - Upgrade to Apache Tomcat 9.0.48 or later - Upgrade to Apache Tomcat 8.5.68 or later Note that issue was fixed in 9.0.47 and 8.5.67 but the release votes for those versions did not pass. History: 2021-07-12 Original advisory ========================================================== -- You are receiving this mail because: You are the assignee for the bug.