Bug 12955

Summary: tomcat (tomcat7) new security issues CVE-2013-4286, CVE-2013-4322, CVE-2013-4590
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, dmorganec, mageia, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/589752/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: tomcat-7.0.47-3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-03-06 20:42:57 CET 
Three security issues previously fixed upstream in tomcat were made public on February 25:
http://tomcat.apache.org/security-7.html

Ubuntu has issued an advisory including the first two today:
http://www.ubuntu.com/usn/usn-2130-1/

Since CVE-2013-4286 was fixed in 7.0.47, Mageia 4 and Cauldron are not affected.

CVE-2013-4322 and CVE-2013-4590 were fixed in 7.0.50, so Mageia 3, Mageia 4, and Cauldron are all affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-06 20:43:05 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-03-30 17:05:36 CEST 
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

The changes in the Mageia 3 package are fairly significant, since I synced it with Cauldron.  I did verify that all of the subpackages install cleanly, the tomcat service starts, and connecting to it on port 8080 does produce a web page.

Advisory (Mageia 3):
========================

Updated tomcat packages fix security vulnerabilities:

Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is
used, does not properly handle certain inconsistent HTTP request headers,
which allows remote attackers to trigger incorrect identification of a
request's length and conduct request-smuggling attacks via (1) multiple
Content-Length headers or (2) a Content-Length header and a
"Transfer-Encoding: chunked" header (CVE-2013-4286).

Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without
properly handling (1) a large total amount of chunked data or (2) whitespace
characters in an HTTP header value within a trailer field, which allows
remote attackers to cause a denial of service by streaming data
(CVE-2013-4322).

Apache Tomcat 7.x before 7.0.50 allows attackers to obtain "Tomcat
internals" information by leveraging the presence of an untrusted web
application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML
document containing an external entity declaration in conjunction with an
entity reference, related to an XML External Entity (XXE) issue
(CVE-2013-4590).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
http://tomcat.apache.org/security-7.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.52-1.mga3
tomcat-admin-webapps-7.0.52-1.mga3
tomcat-docs-webapp-7.0.52-1.mga3
tomcat-javadoc-7.0.52-1.mga3
tomcat-jsvc-7.0.52-1.mga3
tomcat-jsp-2.2-api-7.0.52-1.mga3
tomcat-lib-7.0.52-1.mga3
tomcat-servlet-3.0-api-7.0.52-1.mga3
tomcat-el-2.2-api-7.0.52-1.mga3
tomcat-webapps-7.0.52-1.mga3

from tomcat-7.0.52-1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated tomcat packages fix security vulnerabilities:

Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without
properly handling (1) a large total amount of chunked data or (2) whitespace
characters in an HTTP header value within a trailer field, which allows
remote attackers to cause a denial of service by streaming data
(CVE-2013-4322).

Apache Tomcat 7.x before 7.0.50 allows attackers to obtain "Tomcat
internals" information by leveraging the presence of an untrusted web
application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML
document containing an external entity declaration in conjunction with an
entity reference, related to an XML External Entity (XXE) issue
(CVE-2013-4590).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
http://tomcat.apache.org/security-7.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.52-1.mga4
tomcat-admin-webapps-7.0.52-1.mga4
tomcat-docs-webapp-7.0.52-1.mga4
tomcat-javadoc-7.0.52-1.mga4
tomcat-jsvc-7.0.52-1.mga4
tomcat-jsp-2.2-api-7.0.52-1.mga4
tomcat-lib-7.0.52-1.mga4
tomcat-servlet-3.0-api-7.0.52-1.mga4
tomcat-el-2.2-api-7.0.52-1.mga4
tomcat-webapps-7.0.52-1.mga4

from tomcat-7.0.52-1.mga4.src.rpm

CC: (none) => dmorganec, tmb
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 claire robinson 2014-03-31 18:35:23 CEST 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 3 Dave Hodgins 2014-03-31 22:20:04 CEST 
Advisories 12955.mga3.adv and 12955.mga4.adv committed to svn.

CC: (none) => davidwhodgins
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure advisory

Comment 4 claire robinson 2014-04-01 15:46:30 CEST 
Testing complete mga3 32 & 64 and mga4 32 & 64

Validating

Could sysadmin please push to 3 & 4 updates. Note, there are separate advisories for this one 12955.mga3.adv and 12955.mga4.adv

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 5 Damien Lallement 2014-04-03 02:17:34 CEST 
http://advisories.mageia.org/MGASA-2014-0148.html
http://advisories.mageia.org/MGASA-2014-0149.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

Comment 6 David Walser 2014-04-03 16:14:16 CEST 
LWN reference for CVE-2013-4590:
http://lwn.net/Vulnerabilities/592962/