Your message dated Sat, 07 Aug 2021 15:18:28 +0000
with message-id <e1mco5k-00015y...@fasolo.debian.org>
and subject line Bug#991046: fixed in tomcat9 9.0.43-2
has caused the Debian Bug report #991046,
regarding tomcat9: CVE-2021-33037 CVE-2021-30640 CVE-2021-30639
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
991046: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991046
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tomcat9
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for tomcat9.

Commit references below, although it's worth considering simply updating
to 9.0.47, given that stable-security has upgraded to new Tomcat point
releases before.

CVE-2021-33037[0]:
| Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to
| 8.5.66 did not correctly parse the HTTP transfer-encoding request
| header in some circumstances, leading to the possibility of request
| smuggling when used with a reverse proxy. Specifically:
| - Tomcat incorrectly ignored the transfer-encoding header if the client
|   declared it would only accept an HTTP/1.0 response;
| - Tomcat honoured the identity encoding; and
| - Tomcat did not ensure that, if present, the chunked encoding was the
|   final encoding.

https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e
 (9.0.47)
https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8
 (9.0.47)
https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0
 (9.0.47)

CVE-2021-30640[1]:
| A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker
| to authenticate using variations of a valid user name and/or to bypass
| some of the protection provided by the LockOut Realm. This issue
| affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0
| to 8.5.65.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb
 (9.0.46)
https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434
 (9.0.46)
https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e
 (9.0.46)
https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56
 (9.0.46)
https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862
 (9.0.46)
https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43
 (9.0.46)
https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0
 (9.0.46)
https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945
 (9.0.46)

CVE-2021-30639[2]:
| A vulnerability in Apache Tomcat allows an attacker to remotely
| trigger a denial of service. An error introduced as part of a change
| to improve error handling during non-blocking I/O meant that the error
| flag associated with the Request object was not reset between
| requests. This meant that once a non-blocking I/O error occurred, all
| future requests handled by that request object would fail. Users were
| able to trigger non-blocking I/O errors, e.g. by dropping a
| connection, thereby creating the possibility of triggering a DoS.
| Applications that do not use non-blocking I/O are not exposed to this
| vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4;
| 9.0.44; 8.5.64.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65203
https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24
 (9.0.45)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33037
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
[1] https://security-tracker.debian.org/tracker/CVE-2021-30640
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
[2] https://security-tracker.debian.org/tracker/CVE-2021-30639
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639

Please adjust the affected versions in the BTS as needed.

--- End Message ---
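As an added example (not Tomcat's code and not part of the bug report above), the following request-framing validator rejects the three Transfer-Encoding cases that the CVE-2021-33037 text lists, so that a reverse proxy and the origin server cannot disagree about where a request body ends. The function names, the header representation and the choice to answer every bad case with a rejection (400) are assumptions of this example.

```python
"""Transfer-Encoding request framing check (added example, not Tomcat code).

Enforces the three conditions named in CVE-2021-33037: no Transfer-Encoding
on an HTTP/1.0 request, no 'identity' coding, and 'chunked' must be the
final coding. Requests carrying both Transfer-Encoding and Content-Length
are rejected as ambiguous (RFC 7230 section 3.3.3 permits rejecting them).
"""
from __future__ import annotations


class BadTransferEncoding(ValueError):
    """Raised when the request should be rejected with 400 Bad Request."""


def parse_transfer_encoding(header_value: str) -> list[str]:
    """Split a Transfer-Encoding value into lowercase coding tokens.

    Codings are comma-separated and may carry ';' parameters, which are
    dropped here (e.g. 'gzip;q=1, Chunked' -> ['gzip', 'chunked']).
    """
    codings = []
    for item in header_value.split(","):
        token = item.strip().split(";", 1)[0].strip().lower()
        if token:
            codings.append(token)
    return codings


def validate_request_framing(http_version: str, headers: dict[str, str]) -> str:
    """Return how the body is delimited: 'none', 'chunked' or 'content-length'.

    Assumption: headers is a dict of header name -> value (case-insensitive).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    te = lowered.get("transfer-encoding")
    if te is None:
        return "content-length" if "content-length" in lowered else "none"
    if http_version == "HTTP/1.0":
        # Check 1: ignoring TE on HTTP/1.0 lets a proxy and origin disagree.
        raise BadTransferEncoding("Transfer-Encoding is not valid in HTTP/1.0")
    codings = parse_transfer_encoding(te)
    if not codings or "identity" in codings:
        # Check 2: 'identity' is not a valid transfer coding for a request.
        raise BadTransferEncoding("identity or empty transfer coding rejected")
    if codings[-1] != "chunked":
        # Check 3: only a final 'chunked' coding gives a known body length.
        raise BadTransferEncoding("chunked must be the final transfer coding")
    if "content-length" in lowered:
        raise BadTransferEncoding("Transfer-Encoding and Content-Length both present")
    return "chunked"


def is_rejected(http_version: str, headers: dict[str, str]) -> bool:
    """True if validate_request_framing would reject the request."""
    try:
        validate_request_framing(http_version, headers)
    except BadTransferEncoding:
        return True
    return False
```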
--- Begin Message ---
Source: tomcat9
Source-Version: 9.0.43-2
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated tomcat9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 07 Aug 2021 00:11:43 +0200
Source: tomcat9
Architecture: source
Version: 9.0.43-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 991046
Changes:
 tomcat9 (9.0.43-2) unstable; urgency=medium
 .
   * Team upload.
 .
   [ mirabilos ]
   * fix /var/log/tomcat9 permissions
     fixup for commit 51128fe9fb2d4d0b56be675d845cf92e4301a6c3
 .
   [ Markus Koschany ]
   * Fix CVE-2021-30640:
     A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
     authenticate using variations of a valid user name and/or to bypass some of
     the protection provided by the LockOut Realm.
   * Fix CVE-2021-33037:
     Apache Tomcat did not correctly parse the HTTP transfer-encoding request
     header in some circumstances, leading to the possibility of request
     smuggling when used with a reverse proxy. Specifically: - Tomcat
     incorrectly ignored the transfer-encoding header if the client declared it
     would only accept an HTTP/1.0 response; - Tomcat honoured the identity
     encoding; and - Tomcat did not ensure that, if present, the chunked
     encoding was the final encoding.
     (Closes: #991046)

--- End Message ---