From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 269652] www/tomcat{85,9,101}: Update to 8.5.85, 9.0.71, 10.1.5 (CVE-2023-24998 FileUpload DoS with excessive parts)
Date: Wed, 22 Feb 2023 12:25:19 +0000
X-Bugzilla-Who: vvd@unislabs.com
X-Bugzilla-Changed-Fields: short_desc

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269652

VVD changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|www/tomcat{85,9,101}:       |www/tomcat{85,9,101}:
                   |Update to 8.5.85, 9.0.71,   |Update to 8.5.85, 9.0.71,
                   |10.1.5                      |10.1.5 (CVE-2023-24998
                   |                            |FileUpload DoS with
                   |                            |excessive parts)

--- Comment #5 from VVD ---
CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1
Apache Tomcat 10.1.0-M1 to 10.1.4
Apache Tomcat 9.0.0-M1 to 9.0.70
Apache Tomcat 8.5.0 to 8.5.84

Description:
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to
provide the file upload functionality defined in the Jakarta Servlet
specification. Apache Tomcat was, therefore, also vulnerable to the Apache
Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the
number of request parts processed. This resulted in the possibility of an
attacker triggering a DoS with a malicious upload or series of uploads.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later when released
- Upgrade to Apache Tomcat 10.1.5 or later
- Upgrade to Apache Tomcat 9.0.71 or later
- Upgrade to Apache Tomcat 8.5.85 or later
- Note 11.0.0-M2 was not released

Credit:
This issue was identified by Jakob Ackermann

History:
2023-01-03 Original advisory
2023-01-03 Corrected credit

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-11.html

-- 
You are receiving this mail because:
You are the assignee for the bug.
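The advisory quoted in the comment above says the root cause was a multipart parser with no limit on the number of request parts. The following Python script is an added example, not code from the Tomcat project, Apache Commons FileUpload or this bug report: it parses a multipart/form-data body and shows the uncapped behaviour (every part is processed, however many the client sends) beside the capped one (the parse aborts as soon as the cap is exceeded, before the rest of the body is touched). The boundary, field names and sample bodies are constructed test data; the cap of 10 parts is an assumption chosen for illustration, not a Tomcat default.

```python
"""Part-count cap for multipart/form-data bodies (added example, not
project code). Illustrates the defect class behind CVE-2023-24998: a parser
that accepts an unbounded number of parts does work per part on behalf of an
unauthenticated client, so the cap must be enforced during parsing, not
after the whole body has been consumed."""

CRLF = b"\r\n"


class TooManyPartsError(ValueError):
    """Raised when a body carries more parts than the caller allows."""

    def __init__(self, max_parts: int, offset: int):
        super().__init__(f"more than {max_parts} parts in request body")
        self.max_parts = max_parts
        self.offset = offset  # how far into the body the parse got


def parse_multipart(body: bytes, boundary: bytes, max_parts=10):
    """Return a list of (headers, payload) per part.

    max_parts=None reproduces the uncapped behaviour; with an integer cap the
    function raises TooManyPartsError as soon as part number max_parts + 1 is
    seen, so the remaining body is never scanned.
    Assumptions: parts are delimited exactly as "--boundary\\r\\n" and the
    close delimiter is "--boundary--"; transport padding is not handled.
    """
    delimiter = b"--" + boundary
    parts = []
    pos = body.find(delimiter)  # a preamble may precede the first delimiter
    if pos < 0:
        raise ValueError("no opening boundary")
    while True:
        pos += len(delimiter)
        if body[pos:pos + 2] == b"--":
            break  # close delimiter "--boundary--": no more parts
        if body[pos:pos + 2] != CRLF:
            raise ValueError("malformed boundary line")
        pos += 2
        # The cap is checked before any header or payload work for this part.
        if max_parts is not None and len(parts) >= max_parts:
            raise TooManyPartsError(max_parts, pos)
        hdr_end = body.find(CRLF + CRLF, pos)
        if hdr_end < 0:
            raise ValueError("unterminated part headers")
        headers = {}
        for line in body[pos:hdr_end].decode("latin-1").split("\r\n"):
            if line:
                name, _, value = line.partition(":")
                headers[name.strip().lower()] = value.strip()
        data_start = hdr_end + 4
        next_delim = body.find(CRLF + delimiter, data_start)
        if next_delim < 0:
            raise ValueError("unterminated part")
        parts.append((headers, body[data_start:next_delim]))
        pos = next_delim + 2  # now positioned at the next delimiter
    return parts


def accept_upload(body: bytes, boundary: bytes, max_parts=10) -> dict:
    """Gatekeeper a request handler would call before doing per-part work.

    Returns a dict with 'accepted', the number of 'parts' when accepted, and
    'bytes_read', which shows how early a rejected body was abandoned.
    """
    try:
        parts = parse_multipart(body, boundary, max_parts)
    except TooManyPartsError as exc:
        return {"accepted": False, "parts": None, "bytes_read": exc.offset}
    return {"accepted": True, "parts": len(parts), "bytes_read": len(body)}


def build_multipart(num_parts: int, boundary: bytes = b"bnd") -> bytes:
    """Constructed sample body with num_parts small form fields (test data)."""
    out = bytearray()
    for i in range(num_parts):
        out += b"--" + boundary + CRLF
        out += b'Content-Disposition: form-data; name="f%d"' % i + CRLF
        out += CRLF
        out += b"v%d" % i + CRLF
    out += b"--" + boundary + b"--" + CRLF
    return bytes(out)


if __name__ == "__main__":
    flood = build_multipart(50)
    print("uncapped:", accept_upload(flood, b"bnd", max_parts=None))
    print("capped:  ", accept_upload(flood, b"bnd", max_parts=10))
```

Run stand-alone, the script prints that the uncapped parse accepts all 50 constructed parts while the capped one rejects the same body after reading only the first part of it. The real fix on this bug's Tomcat versions is the upgrade listed in the advisory; the script only makes visible where in a parser such a limit has to sit.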