[Bug 257153] www/tomcat{7,85,9,10,-devel}: Update to 7.0.109, 8.5.69, 9.0.50, 10.0.8, 10.1.0-M2
Date: Tue, 13 Jul 2021 13:09:53 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257153
VVD <vvd@unislabs.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags| |maintainer-feedback+
--- Comment #6 from VVD <vvd@unislabs.com> ---
(In reply to Kubilay Kocak from comment #5)
Thanks. :-D
Fixed CVEs:
CVE-2021-30639
CVE-2021-30640
CVE-2021-33037
==========================================================
CVE-2021-30639 Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.0.3 to 10.0.4
Apache Tomcat 9.0.44
Apache Tomcat 8.5.64
Description:
An error introduced as part of a change to improve error handling during
non-blocking I/O meant that the error flag associated with the Request object
was not reset between requests. This meant that once a non-blocking I/O error
occurred, all future requests handled by that request object would fail. Users
were able to trigger non-blocking I/O errors, e.g. by dropping a connection,
thereby creating the possibility of triggering a DoS.
Applications that do not use non-blocking I/O are not exposed to this
vulnerability.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.5 or later
- Upgrade to Apache Tomcat 9.0.45 or later
- Upgrade to Apache Tomcat 8.5.65 or later
History:
2021-07-12 Original advisory
==========================================================
CVE-2021-30640 JNDI Realm Authentication Weakness
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.5
Apache Tomcat 9.0.0.M1 to 9.0.45
Apache Tomcat 8.5.0 to 8.5.65
Apache Tomcat 7.0.0 to 7.0.108
Description:
Queries made by the JNDI Realm did not always correctly escape parameters.
Parameter values could be sourced from user provided data (eg user names) as
well as configuration data provided by an administrator.
In limited circumstances it was possible for users to authenticate using
variations of their user name and/or to bypass some of the protection provided
by the LockOut Realm.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.6 or later
- Upgrade to Apache Tomcat 9.0.46 or later
- Upgrade to Apache Tomcat 8.5.66 or later
- Upgrade to Apache Tomcat 7.0.109 or later
History:
2021-07-12 Original advisory
==========================================================
CVE-2021-33037 HTTP request smuggling
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.6
Apache Tomcat 9.0.0.M1 to 9.0.46
Apache Tomcat 8.5.0 to 8.5.66
Description:
Apache Tomcat did not correctly parse the HTTP transfer-encoding request header
in some circumstances leading to the possibility to request smuggling when used
with a reverse proxy. Specifically: Tomcat incorrectly ignored the
transfer-encoding header if the client declared it would only accept an
HTTP/1.0 response; Tomcat honoured the identify encoding; and Tomcat did not
ensure that, if present, the chunked encoding was the final encoding.</p>
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.7 or later
- Upgrade to Apache Tomcat 9.0.48 or later
- Upgrade to Apache Tomcat 8.5.68 or later
Note that issue was fixed in 9.0.47 and 8.5.67 but the release votes for those
versions did not pass.
History:
2021-07-12 Original advisory
==========================================================
--
You are receiving this mail because:
You are the assignee for the bug.