Your message dated Fri, 27 Aug 2021 11:19:52 +0000
with message-id <[email protected]>
and subject line Bug#991046: fixed in tomcat9 9.0.31-1~deb10u5
has caused the Debian Bug report #991046,
regarding tomcat9: CVE-2021-33037 CVE-2021-30640 CVE-2021-30639
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
991046: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991046
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tomcat9
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for tomcat9.
Commit references below, although it's worth considering simply updating
to 9.0.47, given that stable-security has upgraded to new Tomcat point
releases before.
CVE-2021-33037[0]:
| Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to
| 8.5.66 did not correctly parse the HTTP transfer-encoding request
| header in some circumstances, leading to the possibility of request
| smuggling when used with a reverse proxy. Specifically: - Tomcat
| incorrectly ignored the transfer encoding header if the client
| declared it would only accept an HTTP/1.0 response; - Tomcat honoured
| the identity encoding; and - Tomcat did not ensure that, if present,
| the chunked encoding was the final encoding.
https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e
(9.0.47)
https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8
(9.0.47)
https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0
(9.0.47)
CVE-2021-30640[1]:
| A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker
| to authenticate using variations of a valid user name and/or to bypass
| some of the protection provided by the LockOut Realm. This issue
| affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0
| to 8.5.65.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb
(9.0.46)
https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434
(9.0.46)
https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e
(9.0.46)
https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56
(9.0.46)
https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862
(9.0.46)
https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43
(9.0.46)
https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0
(9.0.46)
https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945
(9.0.46)
CVE-2021-30639[2]:
| A vulnerability in Apache Tomcat allows an attacker to remotely
| trigger a denial of service. An error introduced as part of a change
| to improve error handling during non-blocking I/O meant that the error
| flag associated with the Request object was not reset between
| requests. This meant that once a non-blocking I/O error occurred, all
| future requests handled by that request object would fail. Users were
| able to trigger non-blocking I/O errors, e.g. by dropping a
| connection, thereby creating the possibility of triggering a DoS.
| Applications that do not use non-blocking I/O are not exposed to this
| vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4;
| 9.0.44; 8.5.64.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65203
https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24
(9.0.45)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-33037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
[1] https://security-tracker.debian.org/tracker/CVE-2021-30640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
[2] https://security-tracker.debian.org/tracker/CVE-2021-30639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639
Please adjust the affected versions in the BTS as needed.
--- End Message ---
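The three parsing defects quoted above for CVE-2021-33037, turned into the body-framing rule a server (or the reverse proxy in front of it) needs. This is an added example in Python, not Tomcat's code or Tomcat's fix; it takes the request-line protocol version as the client's HTTP/1.0 declaration, and resolves every ambiguous case by rejecting the request.

```python
"""Body-framing decision for an inbound HTTP/1.x request, written to avoid the
three Transfer-Encoding defects quoted for CVE-2021-33037.  Added example, not
Tomcat's code: it follows RFC 7230 section 3.3.3 where that is explicit and
rejects the request wherever the framing would otherwise be ambiguous."""
from typing import List, Tuple

# Transfer-codings this hypothetical server accepts.  "identity" is left out
# on purpose: RFC 7230 dropped it, and honouring it was defect 2 of the CVE.
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


def _values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    """Every comma-separated value of header `name` (case-insensitive), lowercased."""
    out: List[str] = []
    for key, value in headers:
        if key.lower() == name:
            out.extend(p.strip().lower() for p in value.split(",") if p.strip())
    return out


def framing(version: str, headers: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Return ("chunked" | "length" | "none", detail) or ("reject", reason).
    `version` is the request-line protocol, read as the client's declaration of
    which HTTP version it accepts (defect 1 of the CVE)."""
    te = _values(headers, "transfer-encoding")
    cl = _values(headers, "content-length")
    if te:
        # Defect 1: Transfer-Encoding must never be skipped because the request
        # is not HTTP/1.1.  HTTP/1.0 defines no TE, so such a request is
        # rejected rather than silently framed by Content-Length.
        if version != "HTTP/1.1":
            return ("reject", "transfer-encoding on " + version + " request")
        # TE plus Content-Length is the classic smuggling setup; RFC 7230 says
        # it "ought to be handled as an error".
        if cl:
            return ("reject", "transfer-encoding and content-length both present")
        unknown = [c for c in te if c not in KNOWN_CODINGS]
        if unknown:  # defect 2 ("identity") ends here, as does any unknown alias
            return ("reject", "unsupported transfer-coding " + unknown[0])
        # Defect 3: chunked must appear exactly once and must be the final coding.
        if te.count("chunked") != 1 or te[-1] != "chunked":
            return ("reject", "chunked is not the final transfer-coding")
        return ("chunked", ",".join(te))
    if cl:
        # Repeated Content-Length is tolerated only when every copy agrees.
        if len(set(cl)) != 1 or not cl[0].isdigit():
            return ("reject", "conflicting or malformed content-length")
        return ("length", cl[0])
    return ("none", "")
```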
--- Begin Message ---
Source: tomcat9
Source-Version: 9.0.31-1~deb10u5
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated tomcat9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 07 Aug 2021 18:25:15 +0200
Source: tomcat9
Architecture: source
Version: 9.0.31-1~deb10u5
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 991046
Changes:
tomcat9 (9.0.31-1~deb10u5) buster-security; urgency=high
.
* Team upload.
* Fix CVE-2021-30640:
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
authenticate using variations of a valid user name and/or to bypass some of
the protection provided by the LockOut Realm.
* Fix CVE-2021-33037:
Apache Tomcat did not correctly parse the HTTP transfer-encoding request
header in some circumstances, leading to the possibility of request
smuggling when used with a reverse proxy. Specifically: - Tomcat
incorrectly ignored the transfer encoding header if the client declared it
would only accept an HTTP/1.0 response; - Tomcat honoured the identity
encoding; and - Tomcat did not ensure that, if present, the chunked
encoding was the final encoding. (Closes: #991046)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---