Bug 10200

Summary:	tomcat (tomcat7) new security issue CVE-2013-2071
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	dmorganec, shlomif, sysadmin-bugs
Version:	3	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/551276/
Whiteboard:	MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK MGA2-32-OK
Source RPM:	tomcat-7.0.34-4.mga3.src.rpm	CVE:
Status comment:

Description David Walser 2013-05-21 19:11:25 CEST

Fedora has issued an advisory on May 13:
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html

This issue is fixed upstream in 7.0.40:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40

Reproducible: 

Steps to Reproduce:

David Walser 2013-05-21 19:11:31 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 D Morgan 2013-06-25 01:03:37 CEST

fixed for mga2/3

Comment 2 David Walser 2013-06-25 01:12:42 CEST

Thanks D Morgan!

Advisory:
========================

Updated tomcat packages fix security vulnerability:

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x
before 7.0.40 does not properly handle the throwing of a RuntimeException
in an AsyncListener in an application, which allows context-dependent
attackers to obtain sensitive request information intended for other
applications in opportunistic circumstances via an application that records
the requests that it processes (CVE-2013-2071).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.41-3.mga2
tomcat-admin-webapps-7.0.41-3.mga2
tomcat-docs-webapp-7.0.41-3.mga2
tomcat-javadoc-7.0.41-3.mga2
tomcat-systemv-7.0.41-3.mga2
tomcat-jsvc-7.0.41-3.mga2
tomcat-jsp-2.2-api-7.0.41-3.mga2
tomcat-lib-7.0.41-3.mga2
tomcat-servlet-3.0-api-7.0.41-3.mga2
tomcat-el-2.2-api-7.0.41-3.mga2
tomcat-webapps-7.0.41-3.mga2
tomcat-7.0.41-4.mga3
tomcat-admin-webapps-7.0.41-4.mga3
tomcat-docs-webapp-7.0.41-4.mga3
tomcat-javadoc-7.0.41-4.mga3
tomcat-jsvc-7.0.41-4.mga3
tomcat-jsp-2.2-api-7.0.41-4.mga3
tomcat-lib-7.0.41-4.mga3
tomcat-servlet-3.0-api-7.0.41-4.mga3
tomcat-el-2.2-api-7.0.41-4.mga3
tomcat-webapps-7.0.41-4.mga3

from SRPMS:
tomcat-7.0.41-3.mga2.src.rpm
tomcat-7.0.41-4.mga3.src.rpm

CC: (none) => dmorganec
Version: Cauldron => 3
Assignee: dmorganec => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 3 claire robinson 2013-06-25 12:41:09 CEST

Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 4 Shlomi Fish 2013-06-27 20:33:06 CEST

(In reply to claire robinson from comment #3)
> Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Hi Claire - it works fine inside a Mageia 3 x86-64 VM.

CC: (none) => shlomif
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure MGA3-64-OK

Comment 5 Shlomi Fish 2013-06-27 20:37:44 CEST

And tomcat from updates_testing is also working fine in a Mageia 2 x86-64 VM.

Whiteboard: MGA2TOO has_procedure MGA3-64-OK => MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK

Comment 6 Shlomi Fish 2013-06-27 21:17:48 CEST

Works fine in a Mageia 3 i586 VM.

Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK => MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK

Comment 7 Shlomi Fish 2013-06-27 21:49:20 CEST

Tested on a Mageia 2 i586 VM, and it works fine there too.

Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK => MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK MGA2-32-OK

Comment 8 Shlomi Fish 2013-06-27 22:04:02 CEST

Update validated, thanks. Please push from core/updates_testing to core/updates in both MGA2 and MGA3. Thanks!

Advisory:
========================

Updated tomcat packages fix security vulnerability:

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x
before 7.0.40 does not properly handle the throwing of a RuntimeException
in an AsyncListener in an application, which allows context-dependent
attackers to obtain sensitive request information intended for other
applications in opportunistic circumstances via an application that records
the requests that it processes (CVE-2013-2071).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.41-3.mga2
tomcat-admin-webapps-7.0.41-3.mga2
tomcat-docs-webapp-7.0.41-3.mga2
tomcat-javadoc-7.0.41-3.mga2
tomcat-systemv-7.0.41-3.mga2
tomcat-jsvc-7.0.41-3.mga2
tomcat-jsp-2.2-api-7.0.41-3.mga2
tomcat-lib-7.0.41-3.mga2
tomcat-servlet-3.0-api-7.0.41-3.mga2
tomcat-el-2.2-api-7.0.41-3.mga2
tomcat-webapps-7.0.41-3.mga2
tomcat-7.0.41-4.mga3
tomcat-admin-webapps-7.0.41-4.mga3
tomcat-docs-webapp-7.0.41-4.mga3
tomcat-javadoc-7.0.41-4.mga3
tomcat-jsvc-7.0.41-4.mga3
tomcat-jsp-2.2-api-7.0.41-4.mga3
tomcat-lib-7.0.41-4.mga3
tomcat-servlet-3.0-api-7.0.41-4.mga3
tomcat-el-2.2-api-7.0.41-4.mga3
tomcat-webapps-7.0.41-4.mga3

from SRPMS:
tomcat-7.0.41-3.mga2.src.rpm
tomcat-7.0.41-4.mga3.src.rpm

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 claire robinson 2013-06-27 22:19:48 CEST

Thanks Shlomi

Advisory uploaded.

Comment 10 Nicolas Vigier 2013-07-01 21:20:31 CEST

http://advisories.mageia.org/MGASA-2013-0191.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:56 CEST

CC: boklm => (none)