Your message dated Mon, 09 Aug 2021 21:19:52 +0000
with message-id <e1mdcga-0002hu...@fasolo.debian.org>
and subject line Bug#991046: fixed in tomcat9 9.0.43-2~deb11u1
has caused the Debian Bug report #991046,
regarding tomcat9: CVE-2021-33037 CVE-2021-30640 CVE-2021-30639
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
991046: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991046
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tomcat9
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for tomcat9.

Commit references below, although it's worth considering simply
updating to 9.0.47, given that stable-security has upgraded to new
Tomcat point releases before.

CVE-2021-33037[0]:
| Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to
| 8.5.66 did not correctly parse the HTTP transfer-encoding request
| header in some circumstances leading to the possibility to request
| smuggling when used with a reverse proxy. Specifically: - Tomcat
| incorrectly ignored the transfer encoding header if the client
| declared it would only accept an HTTP/1.0 response; - Tomcat honoured
| the identity encoding; and - Tomcat did not ensure that, if present,
| the chunked encoding was the final encoding.

https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e
 (9.0.47)
https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8
 (9.0.47)
https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0
 (9.0.47)


CVE-2021-30640[1]:
| A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker
| to authenticate using variations of a valid user name and/or to bypass
| some of the protection provided by the LockOut Realm. This issue
| affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0
| to 8.5.65.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb
 (9.0.46)
https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434
 (9.0.46)
https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e
 (9.0.46)
https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56
 (9.0.46)
https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862
 (9.0.46)
https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43
 (9.0.46)
https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0
 (9.0.46)
https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945
 (9.0.46)



CVE-2021-30639[2]:
| A vulnerability in Apache Tomcat allows an attacker to remotely
| trigger a denial of service. An error introduced as part of a change
| to improve error handling during non-blocking I/O meant that the error
| flag associated with the Request object was not reset between
| requests. This meant that once a non-blocking I/O error occurred, all
| future requests handled by that request object would fail. Users were
| able to trigger non-blocking I/O errors, e.g. by dropping a
| connection, thereby creating the possibility of triggering a DoS.
| Applications that do not use non-blocking I/O are not exposed to this
| vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4;
| 9.0.44; 8.5.64.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65203
https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24
 (9.0.45)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33037
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
[1] https://security-tracker.debian.org/tracker/CVE-2021-30640
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
[2] https://security-tracker.debian.org/tracker/CVE-2021-30639
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639

Please adjust the affected versions in the BTS as needed.

--- End Message ---
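The three parsing defects quoted above for CVE-2021-33037 are easiest to see side by side. The following Python is an added example written for this page, not Tomcat code and not taken from the bug report or the referenced commits: it models the pre-fix behaviour as a "lenient" body-framing policy next to a "strict" one, then walks a constructed TE.CL request through both to show where a chunked-aware reverse proxy and a lenient backend disagree on where the first request ends. The strict rules (reject Transfer-Encoding on an HTTP/1.0 request, reject identity and any other unimplemented coding, require chunked to appear exactly once and last, ignore Content-Length when Transfer-Encoding is present), the `SUPPORTED` coding set, the decision to model "declared it would only accept an HTTP/1.0 response" as an HTTP/1.0 request line, and the request bytes are all this example's own assumptions, not a description of what the Tomcat patch does.

```python
"""Added example (not Tomcat code): lenient vs strict Transfer-Encoding framing.

The three defects described for CVE-2021-33037 are modelled as a "lenient"
policy next to a "strict" policy for a backend behind a reverse proxy. The
strict rules, SUPPORTED and the request bytes are this example's assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 tchar
# Codings the strict policy can decode (assumed for illustration; a server
# must reject anything it does not implement, e.g. with 501).
SUPPORTED = {"chunked", "gzip"}


def parse_codings(value: str) -> List[str]:
    """Split a Transfer-Encoding value into lower-cased coding names.

    Parameters after ';' are dropped, empty elements skipped, bad tokens refused.
    """
    out = []
    for item in value.split(","):
        name = item.split(";", 1)[0].strip().lower()
        if not name:
            continue
        if not _TOKEN.match(name):
            raise ValueError(f"bad transfer-coding token: {item!r}")
        out.append(name)
    return out


def decide_framing(request_line: str, headers: Dict[str, str], strict: bool) -> str:
    """Return 'chunked', 'content-length', 'none' or 'reject'."""
    h = {k.lower(): v for k, v in headers.items()}
    version = request_line.rsplit(" ", 1)[-1]
    te, cl = h.get("transfer-encoding"), h.get("content-length")
    by_length = "content-length" if cl is not None else "none"
    if te is None:
        return by_length
    codings = parse_codings(te)

    if not strict:
        if version == "HTTP/1.0":        # defect 1: TE silently ignored
            return by_length
        if "chunked" in codings:         # defect 3: chunked need not be last
            return "chunked"
        if codings == ["identity"]:      # defect 2: identity honoured as no-op
            return by_length
        return "reject"

    # Strict: a proxy may frame this differently, so refuse any ambiguity.
    if version == "HTTP/1.0":
        return "reject"                  # TE is an HTTP/1.1 feature
    if any(c not in SUPPORTED for c in codings):
        return "reject"                  # identity and unknown codings
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        return "reject"                  # chunked exactly once, and last
    return "chunked"                     # Content-Length, if present, ignored


def read_chunked(raw: bytes) -> Tuple[bytes, bytes]:
    """Decode one chunked body; return (body, bytes left on the connection)."""
    body, pos = b"", 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";", 1)[0].strip(), 16)  # drop extensions
        pos = end + 2
        if size == 0:                    # last-chunk, then trailers, then CRLF
            while True:
                end = raw.index(b"\r\n", pos)
                line, pos = raw[pos:end], end + 2
                if not line:
                    return body, raw[pos:]
        body += raw[pos:pos + size]
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def split_body(raw: bytes, framing: str, cl: Optional[str]) -> Tuple[bytes, bytes]:
    """Cut the first request body out of raw according to the chosen framing."""
    if framing == "chunked":
        return read_chunked(raw)
    if framing == "content-length":
        n = int(cl)
        return raw[:n], raw[n:]
    if framing == "none":
        return b"", raw
    raise ValueError("request was rejected; nothing to frame")


def smuggling_demo() -> Tuple[bytes, bytes, bytes]:
    """Constructed TE.CL desync: proxy frames by chunked, lenient backend by CL.

    Returns (proxy_body, lenient_backend_body, lenient_backend_leftover).
    """
    smuggled = b"GET /admin HTTP/1.1\r\nHost: x\r\n\r\n"        # 32 bytes = 0x20
    raw = b"20\r\n" + smuggled + b"\r\n0\r\n\r\n"
    request_line = "POST /upload HTTP/1.0"
    headers = {"Transfer-Encoding": "chunked", "Content-Length": "4"}
    # A chunked-aware proxy forwards all of raw as one request body ...
    proxy_body, proxy_left = read_chunked(raw)
    assert proxy_left == b""
    # ... while the lenient backend reads 4 bytes and treats the rest as a
    # second request the proxy never saw. The strict policy rejects instead.
    framing = decide_framing(request_line, headers, strict=False)
    backend_body, leftover = split_body(raw, framing, headers["Content-Length"])
    assert decide_framing(request_line, headers, strict=True) == "reject"
    return proxy_body, backend_body, leftover
```

Calling `smuggling_demo()` returns the proxy's view of the body (the whole smuggled `GET /admin` request, as chunk data), the four bytes the lenient backend takes as the body (`20\r\n`), and the leftover that the backend would parse as its next request; with `strict=True` the same request is refused before any body is read, which is the behaviour that keeps proxy and backend in agreement.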
--- Begin Message ---
Source: tomcat9
Source-Version: 9.0.43-2~deb11u1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated tomcat9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Aug 2021 15:19:44 +0200
Source: tomcat9
Architecture: source
Version: 9.0.43-2~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 991046
Changes:
 tomcat9 (9.0.43-2~deb11u1) bullseye-security; urgency=medium
 .
   * Team upload.
   * Rebuild for bullseye-security.
 .
 tomcat9 (9.0.43-2) unstable; urgency=medium
 .
   * Team upload.
 .
   [ mirabilos ]
   * fix /var/log/tomcat9 permissions
     fixup for commit 51128fe9fb2d4d0b56be675d845cf92e4301a6c3
 .
   [ Markus Koschany ]
   * Fix CVE-2021-30640:
     A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
     authenticate using variations of a valid user name and/or to bypass some of
     the protection provided by the LockOut Realm.
   * Fix CVE-2021-33037:
     Apache Tomcat did not correctly parse the HTTP transfer-encoding request
     header in some circumstances leading to the possibility to request
     smuggling when used with a reverse proxy. Specifically: - Tomcat
     incorrectly ignored the transfer encoding header if the client declared it
     would only accept an HTTP/1.0 response; - Tomcat honoured the identity
     encoding; and - Tomcat did not ensure that, if present, the chunked
     encoding was the final encoding.
     (Closes: #991046)
Checksums-Sha1:
 61fc2c80eeedb603e340ee2985ac8a4441a9ba6d 2906 tomcat9_9.0.43-2~deb11u1.dsc
 ea110ef5cd867c48a5c01608a1e15e1f6cc57157 3949672 tomcat9_9.0.43.orig.tar.xz
 569815562dd55fddf2c3b097a2087ccea0bd82d7 38716 tomcat9_9.0.43-2~deb11u1.debian.tar.xz
 0f6fa8acee7d20f93fe615432ea864561ca9e1d5 13847 tomcat9_9.0.43-2~deb11u1_amd64.buildinfo
Checksums-Sha256:
 61a7ec4f43007def48de2a1af783b0b4d1ec2ec908dc4e576fac0e951ff91683 2906 tomcat9_9.0.43-2~deb11u1.dsc
 f40d140f643f2e64e712c5160a220acd5db55c1766dd1feec82e5711ab48978d 3949672 tomcat9_9.0.43.orig.tar.xz
 1adb6e1403ab60778e69dc0319da127d47fb8f9e3620d87b3c4961cfc8644555 38716 tomcat9_9.0.43-2~deb11u1.debian.tar.xz
 12b7441fd69a67324147aa48943ebe96cedaacd39afd257580d53af736b8d05d 13847 tomcat9_9.0.43-2~deb11u1_amd64.buildinfo
Files:
 26c9db98612810b308c83ee1ea281eca 2906 java optional tomcat9_9.0.43-2~deb11u1.dsc
 9e72899cab97f8906aa7bdb643af1987 3949672 java optional tomcat9_9.0.43.orig.tar.xz
 b4d877b970a523b54d5d13e94aba154b 38716 java optional tomcat9_9.0.43-2~deb11u1.debian.tar.xz
 c46ba4ebe662ea2004ac3e00634c2fc3 13847 java optional tomcat9_9.0.43-2~deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmEP3LRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk5dwQAMIOYwgIsdM3kAaB8WzLISN+6fgE4+bwc2Cx
9gAg/Rtd6HrJrg/7vI2/4LpyUBfQD525ZwLv6wvcSQA+NjdPET67z2fEe5eg+62Y
eA2VfEd8jqPDkDe4xe0UYlJQGm/tezCBHCJW19iSkU5c2Gq98AgnFra6hikB/i6z
WNjNoemMxs/toRJEX6Ybx0mS+C3WjvdWUANoEeRDB+WAcsJ4kM9i3hBUir5Kbh/7
p4Fe6HMpMoyJJ2HCbayXcPj5aRfkLgzhVCpLQQ+59wuR7hNO1A6+HPREBw2/Hk9K
6o/ecU6XGn4CKtMZy/OhO4WbqqlRnkeTggWmGVEfUVqxK4dxWZDxZvI6t47zcBsW
Zl57R5TfgyjRY3KJl+U3hZ1jVaWx3pBhMgE57jbatwwEw5nxX5e6WK0ZnvTbXbEd
OshoWxQb6XxQA7xwKAMcw/C5vkojhGYsiMiQ1fruA+N/CK14Pb9iuKZW3R+AiKTm
UwhQdD1fdwics+2kB+8kAETdYFS6wD73ELL5k94nS3bHwbaHd17gJVftP8maC7dt
ngihwcJYqaLDebVUGmfyFKQjNzSgJCkyO3KwoYCsc0s346ctxVOWhDmncn+lMRQG
A0ZEwTQJfR+psAs4zWQa+HMS0+yaqND0IKJG3NThSdhdB6r/BxqLYmw3NrhKoo7x
mFcPvCYG
=98qi
-----END PGP SIGNATURE-----

--- End Message ---