Re: git: e021f7c2c5cb - main - security/vuxml: document tomcat vulnerabilities

From: Michael Osipov <michaelo_at_FreeBSD.org>
Date: Mon, 14 Jul 2025 09:08:40 UTC
On 2025-07-10 23:25, Sergey A. Osokin wrote:
> The branch main has been updated by osa:
> 
> URL: https://cgit.FreeBSD.org/ports/commit/?id=e021f7c2c5cb428f54e3590d8889ce6fec957163
> 
> commit e021f7c2c5cb428f54e3590d8889ce6fec957163
> Author:     Sergey A. Osokin <osa@FreeBSD.org>
> AuthorDate: 2025-07-10 21:24:29 +0000
> Commit:     Sergey A. Osokin <osa@FreeBSD.org>
> CommitDate: 2025-07-10 21:24:29 +0000
> 
>      security/vuxml: document tomcat vulnerabilities

Something seems off here:
> # pkg audit -F
> vulnxml file up-to-date
> ...
> 
> tomcat9-9.0.107 is vulnerable:
>   Apache Tomcat -- Multiple Vulnerabilities
>   CVE: CVE-2025-53506
>   CVE: CVE-2025-52520
>   CVE: CVE-2025-52434
>   WWW: https://vuxml.FreeBSD.org/freebsd/ef87346f-5dd0-11f0-beb2-ac5afc632ba3.html
> ...

All of them are addressed in 9.0.107:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.107

My fault? I build with poudriere and then distribute.

> root@deblndw013x2j:~
> # pkg info tomcat9 | grep Version
> Version        : 9.0.107

Michael
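To show how a vuxml range bound decides whether pkg audit flags an installed version, here is an added example that is not part of the mail above or of the ports tree; the entry in it is constructed (it reuses the vid and CVE names from the report but is not the real entry and omits the vuxml namespace), and the version parser is a simplified stand-in for pkg's own comparison.

```python
import xml.etree.ElementTree as ET
# Constructed vuxml-style entry for illustration; it is NOT the real
# ef87346f-5dd0-11f0-beb2-ac5afc632ba3 entry and omits the real namespace.
# <lt>9.0.107</lt> encodes "fixed in 9.0.107", so 9.0.107 must not match.
VUXML_SAMPLE = """<vuxml>
  <vuln vid="ef87346f-5dd0-11f0-beb2-ac5afc632ba3">
    <topic>Apache Tomcat -- Multiple Vulnerabilities</topic>
    <affects><package>
      <name>tomcat9</name>
      <range><ge>9.0.0</ge><lt>9.0.107</lt></range>
    </package></affects>
    <references>
      <cvename>CVE-2025-53506</cvename>
      <cvename>CVE-2025-52520</cvename>
      <cvename>CVE-2025-52434</cvename>
    </references>
  </vuln>
</vuxml>"""
# The same entry with an off-by-one bound: <le> includes the fixed release.
VUXML_OFF_BY_ONE = VUXML_SAMPLE.replace("<lt>9.0.107</lt>", "<le>9.0.107</le>")

def parse_version(v: str) -> tuple:
    # Simplified pkg version: "9.0.107_2" -> ((9, 0, 107), 2); epochs and letter suffixes omitted.
    base, _, rev = v.partition("_")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}

def range_matches(rng, version: str) -> bool:
    # All bounds inside one <range> must hold for the version to be affected.
    pv = parse_version(version)
    return all(OPS[b.tag](pv, parse_version(b.text.strip())) for b in rng)

def audit(vuxml_text: str, pkgname: str, version: str) -> list:
    """Return the CVE names of entries whose range covers pkgname-version."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkg.findtext("name") != pkgname:
                continue
            if any(range_matches(r, version) for r in pkg.iter("range")):
                hits.extend(c.text for c in vuln.iter("cvename"))
    return hits

if __name__ == "__main__":
    print("9.0.106, <lt> bound:", audit(VUXML_SAMPLE, "tomcat9", "9.0.106"))
    print("9.0.107, <lt> bound:", audit(VUXML_SAMPLE, "tomcat9", "9.0.107"))
    print("9.0.107, <le> bound:", audit(VUXML_OFF_BY_ONE, "tomcat9", "9.0.107"))
```

The third line of output reproduces the situation in the report: the fixed release is flagged only when the entry's upper bound includes it.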