Date: Sun, 29 Dec 2024 13:23:28 GMT From: Fernando =?utf-8?Q?Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 1a35b19e6d46 - main - security/vuxml: TOCTOU Vulnerability in www/apache* Message-ID: <202412291323.4BTDNSO6012958@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=1a35b19e6d46d348da6efa40bb46118cb77a5eb7 commit 1a35b19e6d46d348da6efa40bb46118cb77a5eb7 Author: Fernando ApesteguĂa <fernape@FreeBSD.org> AuthorDate: 2024-12-29 13:22:03 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2024-12-29 13:22:03 +0000 security/vuxml: TOCTOU Vulnerability in www/apache* CVE-2024-56337 --- security/vuxml/vuln/2024.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 9ae28639c8fa..fb3c43af60ff 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,63 @@ + <vuln vid="ed0a052a-c5e6-11ef-a457-b42e991fc52e"> + <topic>Apache Tomcat -- RCE due to TOCTOU issue in JSP compilation</topic> + <affects> + <package> + <name>tomcat110</name> + <range> + <gt>11.0.0</gt> + <lt>11.0.1</lt> + </range> + </package> + <package> + <name>tomcat101</name> + <range> + <gt>10.1.0</gt> + <lt>10.1.33</lt> + </range> + </package> + <package> + <name>tomcat9</name> + <range> + <gt>9.0.0</gt> + <lt>9.0.97</lt> + </range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>security@apache.org reports:</p> + <blockquote cite="https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp">; + <p>Time-of-check Time-of-use (TOCTOU) Race Condition + The mitigation for CVE-2024-50379 was incomplete. + Users running Tomcat on a case insensitive file system with the + default servlet write enabled (readonly initialisation parameter + set to the non-default value of false) may need additional configuration + to fully mitigate CVE-2024-50379 depending on which version of Java + they are using with Tomcat: - running on Java 8 or Java 11: the + system propertysun.io.useCanonCaches must be explicitly set to false + (it defaults to true) - running on Java 17: thesystem property + sun.io.useCanonCaches, if set, must be set to false(it defaults to + false) - running on Java 21 onwards: no further configuration is + required(the system property and the problematic cache have been + removed) + Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks + thatsun.io.useCanonCaches is set appropriately before allowing the + default servlet to be write enabled on a case insensitive file + system. Tomcat will also setsun.io.useCanonCaches to false by + default where it can.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-56337</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2024-56337</url>; + </references> + <dates> + <discovery>2024-12-20</discovery> + <entry>2024-12-29</entry> + </dates> + </vuln> + <vuln vid="94b2d58a-c1e9-11ef-aa3f-dcfe074bd614"> <topic>kanboard -- Insufficient session invalidation</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202412291323.4BTDNSO6012958>