Source: tomcat9
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for tomcat9. Commit references below, although it's worth considering simply updating to 9.0.47, given that stable-security upgraded to new Tomcat point releases before.

CVE-2021-33037[0]:
| Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to
| 8.5.66 did not correctly parse the HTTP transfer-encoding request
| header in some circumstances leading to the possibility to request
| smuggling when used with a reverse proxy. Specifically: - Tomcat
| incorrectly ignored the transfer encoding header if the client
| declared it would only accept an HTTP/1.0 response; - Tomcat honoured
| the identity encoding; and - Tomcat did not ensure that, if present,
| the chunked encoding was the final encoding.

https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e (9.0.47)
https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8 (9.0.47)
https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0 (9.0.47)

CVE-2021-30640[1]:
| A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker
| to authenticate using variations of a valid user name and/or to bypass
| some of the protection provided by the LockOut Realm. This issue
| affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0
| to 8.5.65.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb (9.0.46)
https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434 (9.0.46)
https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e (9.0.46)
https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56 (9.0.46)
https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862 (9.0.46)
https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43 (9.0.46)
https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0 (9.0.46)
https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945 (9.0.46)

CVE-2021-30639[2]:
| A vulnerability in Apache Tomcat allows an attacker to remotely
| trigger a denial of service. An error introduced as part of a change
| to improve error handling during non-blocking I/O meant that the error
| flag associated with the Request object was not reset between
| requests. This meant that once a non-blocking I/O error occurred, all
| future requests handled by that request object would fail. Users were
| able to trigger non-blocking I/O errors, e.g. by dropping a
| connection, thereby creating the possibility of triggering a DoS.
| Applications that do not use non-blocking I/O are not exposed to this
| vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4;
| 9.0.44; 8.5.64.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65203
https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24 (9.0.45)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33037
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
[1] https://security-tracker.debian.org/tracker/CVE-2021-30640
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
[2] https://security-tracker.debian.org/tracker/CVE-2021-30639
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639

Please adjust the affected versions in the BTS as needed.
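The three parsing mistakes the CVE-2021-33037 text lists (ignoring Transfer-Encoding when the client only accepts HTTP/1.0, honouring "identity", and not requiring "chunked" to be the final coding) translate directly into a request-framing check. The following is an added example, not code from this bug report or from Tomcat: a strict Transfer-Encoding validator of the kind a reverse proxy or test harness can apply to each request; the function names and the extra Content-Length conflict check are this example's own, not from the advisory.

```python
import re

# RFC 7230 token characters: each transfer-coding name must be one token.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_transfer_codings(values):
    """Split Transfer-Encoding field values into ordered, lowercase coding
    names, dropping ';' parameters; raise on a malformed element."""
    codings = []
    for value in values:
        for element in value.split(","):
            element = element.strip()
            if not element:
                continue  # empty list elements are tolerated (RFC 7230 s7)
            name = element.split(";", 1)[0].strip().lower()
            if not _TOKEN.match(name):
                raise ValueError("malformed transfer-coding: %r" % element)
            codings.append(name)
    return codings


def check_framing(headers, client_http_version="HTTP/1.1"):
    """Return (accept, reason) for one request's body framing.
    headers: list of (name, value) pairs as received. client_http_version is
    taken but never consulted: the header is validated whatever version the
    client declared, which is the first of the three mistakes listed above."""
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    if not te:
        return True, "no Transfer-Encoding; Content-Length (if any) frames the body"
    try:
        codings = parse_transfer_codings(te)
    except ValueError as exc:
        return False, str(exc)
    if "identity" in codings:
        # Second mistake: honouring 'identity'. Reject it instead of treating
        # it as a no-op that could sit in front of or behind 'chunked'.
        return False, "identity transfer-coding is not accepted"
    if codings[-1] != "chunked" or codings.count("chunked") != 1:
        # Third mistake: chunked must be the final coding, and it may be
        # applied only once (RFC 7230 s3.3.1 and s3.3.3).
        return False, "chunked must be the single, final coding: " + ",".join(codings)
    if cl:
        # Extra check beyond the advisory: both framing headers at once is
        # ambiguous, so reject rather than choose one of them.
        return False, "Transfer-Encoding and Content-Length both present"
    return True, "chunked framing: " + ",".join(codings)
```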