Debian Bug report logs - #991046
tomcat9: CVE-2021-33037 CVE-2021-30640 CVE-2021-30639
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#991046; Package src:tomcat9. (Tue, 13 Jul 2021 12:12:29 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 13 Jul 2021 12:12:29 GMT)
Message #5 received at submit@bugs.debian.org:
Source: tomcat9
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for tomcat9.
Commit references are below, although it's worth considering simply
updating to 9.0.47, given that stable-security has upgraded to new
Tomcat point releases before.
CVE-2021-33037[0]:
| Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to
| 8.5.66 did not correctly parse the HTTP transfer-encoding request
| header in some circumstances, leading to the possibility of request
| smuggling when used with a reverse proxy. Specifically:
| - Tomcat incorrectly ignored the transfer encoding header if the client
|   declared it would only accept an HTTP/1.0 response;
| - Tomcat honoured the identity encoding; and
| - Tomcat did not ensure that, if present, the chunked encoding was the
|   final encoding.
https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e (9.0.47)
https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8 (9.0.47)
https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0 (9.0.47)
CVE-2021-30640[1]:
| A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker
| to authenticate using variations of a valid user name and/or to bypass
| some of the protection provided by the LockOut Realm. This issue
| affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0
| to 8.5.65.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb (9.0.46)
https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434 (9.0.46)
https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e (9.0.46)
https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56 (9.0.46)
https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862 (9.0.46)
https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43 (9.0.46)
https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0 (9.0.46)
https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945 (9.0.46)
CVE-2021-30639[2]:
| A vulnerability in Apache Tomcat allows an attacker to remotely
| trigger a denial of service. An error introduced as part of a change
| to improve error handling during non-blocking I/O meant that the error
| flag associated with the Request object was not reset between
| requests. This meant that once a non-blocking I/O error occurred, all
| future requests handled by that request object would fail. Users were
| able to trigger non-blocking I/O errors, e.g. by dropping a
| connection, thereby creating the possibility of triggering a DoS.
| Applications that do not use non-blocking I/O are not exposed to this
| vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4;
| 9.0.44; 8.5.64.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65203
https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24 (9.0.45)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-33037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
[1] https://security-tracker.debian.org/tracker/CVE-2021-30640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
[2] https://security-tracker.debian.org/tracker/CVE-2021-30639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639
Please adjust the affected versions in the BTS as needed.
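The three parsing defects quoted above for CVE-2021-33037 are all about how a server decides the framing of a request body. The following is an added example, not code from Tomcat or from this bug report: a small strict validator, in the style a reverse proxy or an integration test harness could apply at the edge, that enforces the opposite of each defect. Everything in it (the function names, the `ACCEPTED_CODINGS` list, the constructed sample headers) is assumed for illustration. It additionally rejects a request that carries both Transfer-Encoding and Content-Length, which is the classic ambiguous framing that request smuggling relies on; that check goes beyond the three points listed in the CVE text.

```python
"""Strict Transfer-Encoding validation modelled on the three defects
described for CVE-2021-33037.

Hypothetical defender-side helper (not Tomcat's code): reject any request
whose body framing a proxy and an origin might interpret differently.
"""

from typing import List, Mapping, Sequence, Tuple

# Transfer-codings the origin is prepared to decode. "identity" is
# deliberately absent: honouring it was one of the three defects, and
# RFC 7230 dropped it as a transfer-coding.
ACCEPTED_CODINGS = ("chunked", "gzip", "x-gzip", "deflate", "compress")


def parse_transfer_encoding(values: Sequence[str]) -> List[str]:
    """Split one or more Transfer-Encoding field values into lower-cased
    coding names in order, dropping parameters ('chunked;x=1' -> 'chunked')."""
    codings: List[str] = []
    for raw in values:
        for part in raw.split(","):
            name = part.split(";", 1)[0].strip().lower()
            if name:
                codings.append(name)
    return codings


def check_request_framing(http_version: str,
                          headers: Mapping[str, Sequence[str]]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request's body framing.

    `headers` maps lower-cased field names to the list of values received.
    """
    te_values = headers.get("transfer-encoding", [])
    if not te_values:
        return True, "no transfer-encoding; content-length framing applies"

    # Defect 1: the header is evaluated for every request. The protocol the
    # client declares (here passed as http_version) is never a reason to skip
    # it; vulnerable Tomcat ignored it when the client would only accept an
    # HTTP/1.0 response.
    codings = parse_transfer_encoding(te_values)
    if not codings:
        return False, "empty transfer-encoding header"

    # Defect 2: do not honour the identity coding.
    if "identity" in codings:
        return False, "identity transfer-coding not accepted"
    for coding in codings:
        if coding not in ACCEPTED_CODINGS:
            return False, f"unknown transfer-coding {coding!r}"

    # Defect 3: if chunked is present it must be the final coding, exactly once.
    if "chunked" in codings and codings[-1] != "chunked":
        return False, "chunked must be the final transfer-coding"
    if codings.count("chunked") > 1:
        return False, "chunked listed more than once"

    # Extra strictness beyond the CVE text: both length indicators present is
    # exactly the ambiguity a proxy and an origin may resolve differently.
    if "content-length" in headers:
        return False, "transfer-encoding and content-length both present"

    return True, f"framed by transfer-encoding (parsed for {http_version} client)"


# Constructed sample requests, one per defect plus a clean case.
SAMPLES = {
    "http10_chunked": ("HTTP/1.0", {"transfer-encoding": ["chunked"]}),
    "identity": ("HTTP/1.1", {"transfer-encoding": ["identity"]}),
    "chunked_not_last": ("HTTP/1.1", {"transfer-encoding": ["chunked, gzip"]}),
    "te_and_cl": ("HTTP/1.1", {"transfer-encoding": ["chunked"],
                               "content-length": ["5"]}),
    "clean": ("HTTP/1.1", {"transfer-encoding": ["gzip", "chunked"]}),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the validator."""
    return {name: check_request_framing(v, h)[0] for name, (v, h) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (version, hdrs) in SAMPLES.items():
        ok, why = check_request_framing(version, hdrs)
        print(f"{name:17} {'accept' if ok else 'reject'}: {why}")
```

The sample named `http10_chunked` is the one a vulnerable server would have mis-framed: it is accepted here, but only because the header was actually parsed rather than skipped on account of the client's protocol declaration. The `clean` sample shows that a chain of codings ending in `chunked` is legitimate; only the order and the presence of `identity` or a competing `Content-Length` are grounds for rejection.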
Marked as found in versions tomcat9/9.0.43-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Jul 2021 14:42:02 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Jul 2021 14:42:03 GMT)
Last modified: Tue Jul 13 16:16:39 2021