| Summary: | tomcat-el security fix regression due to missing mvn(javax.el:javax.el-api) dependency | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Dan Fandrich <dan> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | luigiwalser, mageia, pterjan, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok | ||
| Source RPM: | tomcat-7.0.54-1.mga3.src.rpm | CVE: | |
| Status comment: | |||
|
Description
Dan Fandrich
2014-06-22 00:24:04 CEST
Dan Fandrich
2014-06-22 00:26:11 CEST
CC:
(none) =>
luigiwalser, pterjan, tmb

Thanks. Pascal's proposed solution was reverting this commit:
http://pkgs.fedoraproject.org/cgit/tomcat.git/commit/tomcat.spec?id=7290014b82f31331b44e6483eeaeabf47e14536e

Reminder to self to also add this commit:
http://pkgs.fedoraproject.org/cgit/tomcat.git/commit/?id=be711a2ff6efc98e2fc8ce27b4ad75dbf449b212

I'll deal with this during the week.

Please try the tomcat build in updates_testing (it's in mga3 and mga4). This should make freemind and maven installable.

CC:
(none) =>
mageia

Tested:
urpmi --searchmedia test tomcat-el-2.2-api tomcat-jsp-2.2-api tomcat-servlet-3.0-api

This worked fine and didn't pull in glassfish-el-api or glassfish-servlet-api as deps which the previous update tried to do.

So an ACK from me on mga4 64

Whiteboard:
MGA3TOO =>
MGA3TOO MGA4-64-OK

Installing those three tomcat packages solves the problem for me on mga3 x86. Freemind is installed just fine—thanks!

Version:
4 =>
3

Thanks. Pushing to QA now.

Note to QA: we've already tested the functionality of the tomcat 7.0.54 update, so we don't need to test that again. We just need to verify that freemind and maven are co-installable with this update, as they were not with the previous update.

Advisory:
----------------------------------------

The previous Tomcat update removed a provided dependency that is needed by some other Java packages. This update restores that dependency.

References:
http://advisories.mageia.org/MGASA-2014-0268.html

----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------

tomcat-7.0.54-1.1mga3
tomcat-admin-webapps-7.0.54-1.1mga3
tomcat-docs-webapp-7.0.54-1.1mga3
tomcat-javadoc-7.0.54-1.1mga3
tomcat-jsvc-7.0.54-1.1mga3
tomcat-jsp-2.2-api-7.0.54-1.1mga3
tomcat-log4j-7.0.54-1.1mga3
tomcat-lib-7.0.54-1.1mga3
tomcat-servlet-3.0-api-7.0.54-1.1mga3
tomcat-el-2.2-api-7.0.54-1.1mga3
tomcat-webapps-7.0.54-1.1mga3
tomcat-7.0.54-1.1mga4
tomcat-admin-webapps-7.0.54-1.1mga4
tomcat-docs-webapp-7.0.54-1.1mga4
tomcat-javadoc-7.0.54-1.1mga4
tomcat-jsvc-7.0.54-1.1mga4
tomcat-jsp-2.2-api-7.0.54-1.1mga4
tomcat-log4j-7.0.54-1.1mga4
tomcat-lib-7.0.54-1.1mga4
tomcat-servlet-3.0-api-7.0.54-1.1mga4
tomcat-el-2.2-api-7.0.54-1.1mga4
tomcat-webapps-7.0.54-1.1mga4

from SRPMS:
tomcat-7.0.54-1.1mga3.src.rpm
tomcat-7.0.54-1.1mga4.src.rpm

Version:
3 =>
4
claire robinson
2014-06-23 18:46:06 CEST
Whiteboard:
MGA3TOO MGA4-64-OK MGA3-32-OK =>
MGA3TOO
claire robinson
2014-06-23 18:46:25 CEST
Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure

Oops restoring previous test results. Thanks Both.

Whiteboard:
MGA3TOO has_procedure =>
MGA3TOO has_procedure mga4-32-ok mga3-64-ok

[correct slightly incorrect whiteboard restoration]

Whiteboard:
MGA3TOO has_procedure mga4-32-ok mga3-64-ok =>
MGA3TOO has_procedure mga4-64-ok mga3-32-ok

Sorry, I'm not used to receiving updates half tested already. Could definitely learn to get used to it though! :)

Advisory uploaded.

Whiteboard:
MGA3TOO has_procedure mga4-64-ok mga3-32-ok =>
MGA3TOO has_procedure advisory mga4-64-ok mga3-32-ok

(In reply to claire robinson from comment #8)
> Sorry, I'm not used to receiving updates half tested already. Could
> definitely learn to get used to it though! :)

:) I don't think it actually mattered in this case anyway as they are noarch pkgs, but figured it was nice to correct them anyway!

Confirmed mga4 64 (as I was sat there anyway)

```
# urpmi maven glassfish-jsp glassfish-el

Before
------
# urpmi tomcat tomcat-webapps tomcat-admin-webapps
A requested package cannot be installed:
xstream-1.4.5-1.mga4.noarch (in order to keep xstream-1.4.7-1.mga4.noarch)
Continue installation anyway? (Y/n) n

After
-----
# urpmi tomcat tomcat-webapps tomcat-admin-webapps
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  apache-commons-daemon          1.0.15       2.mga4        x86_64
  apache-commons-dbcp            1.4          15.mga4       noarch
  apache-commons-pool            1.6          5.mga4        noarch
  ecj                            4.2.1        7.mga4        x86_64
  geronimo-jta                   1.1.1        12.mga4       noarch
  jakarta-taglibs-standard       1.1.2        12.mga4       noarch
(medium "Core Updates Testing")
  tomcat                         7.0.54       1.1.mga4      noarch
  tomcat-admin-webapps           7.0.54       1.1.mga4      noarch
  tomcat-el-2.2-api              7.0.54       1.1.mga4      noarch
  tomcat-jsp-2.2-api             7.0.54       1.1.mga4      noarch
  tomcat-lib                     7.0.54       1.1.mga4      noarch
  tomcat-servlet-3.0-api         7.0.54       1.1.mga4      noarch
  tomcat-webapps                 7.0.54       1.1.mga4      noarch
7.8MB of additional disk space will be used.
6.4MB of packages will be retrieved.
Proceed with the installation of the 13 packages? (Y/n)

# service tomcat start
```

Checked at http://localhost:8080/examples

Testing the others shortly

Testing mga3 64

```
Before
------
# urpmi freemind maven glassfish-jsp
Some requested packages cannot be installed:
tomcat-jsp-2.2-api-7.0.54-1.mga3.noarch (due to conflicts with tomcat-jsp-2.2-api-7.0.52-1.mga3.noarch, due to conflicts with tomcat-jsp-2.2-api-7.0.52-1.mga3.noarch, due to unsatisfied tomcat-servlet-3.0-api[== 0:7.0.54-1.mga3])
tomcat-lib-7.0.54-1.mga3.noarch (due to unsatisfied tomcat-jsp-2.2-api[== 0:7.0.54-1.mga3])
tomcat-servlet-3.0-api-7.0.54-1.mga3.noarch (due to conflicts with tomcat-servlet-3.0-api-7.0.52-1.mga3.noarch, due to conflicts with tomcat-servlet-3.0-api-7.0.52-1.mga3.noarch)
Continue installation anyway? (Y/n) n

After
-----
# urpmi freemind maven glassfish-jsp
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  SimplyHTML                     0.13.1       3.mga3        noarch
  aether                         1.13.1       8.mga3        noarch
  animal-sniffer                 1.8          2.mga3        noarch
(...etc)
  xpp3-minimal                   1.1.3.8      8.mga3        noarch
  xz-java                        1.1          4.mga3        noarch
(medium "Core Updates")
  lib64svnjavahl1                1.7.14       1.1.mga3      x86_64
  plexus-archiver                2.3          1.1.mga3      noarch
  svn-javahl                     1.7.14       1.1.mga3      x86_64
  tomcat6-servlet-2.5-api        6.0.41       1.mga3        noarch
  xalan-j2                       2.7.1        5.1.mga3      noarch
  xstream                        1.3.1        6.1.mga3      noarch
(medium "Core Updates Testing")
  tomcat-el-2.2-api              7.0.54       1.1.mga3      noarch
  tomcat-jsp-2.2-api             7.0.54       1.1.mga3      noarch
  tomcat-lib                     7.0.54       1.1.mga3      noarch
  tomcat-servlet-3.0-api         7.0.54       1.1.mga3      noarch
228MB of additional disk space will be used.
169MB of packages will be retrieved.
Proceed with the installation of the 353 packages? (Y/n) y

# service tomcat start
```

Checked at http://localhost:8080/examples

Also tested mga4 32

Whiteboard:
MGA3TOO has_procedure advisory mga4-64-ok mga3-32-ok =>
MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok

Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords:
(none) =>
validated_update

Update pushed:
http://advisories.mageia.org/MGAA-2014-0136.html

Status:
NEW =>
RESOLVED |
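
The regression in this report, a security update that dropped a Provides other packages relied on, can be caught before an update is pushed by diffing the capabilities of the old and new builds against what dependent packages require. The following is an added example, not part of the bug thread or Mageia's tooling; the capability lists are constructed sample data in the style of `rpm -qp --provides` and `rpm -q --requires` output, and the function names are hypothetical.

```python
# Constructed sample data in the style of `rpm -qp --provides` output.
# Not captured from the real Mageia packages.
OLD_PROVIDES = """\
tomcat-el-2.2-api = 0:7.0.52-1.mga4
mvn(javax.el:javax.el-api) = 2.2
mvn(org.apache.tomcat:tomcat-el-api) = 7.0.52
"""
NEW_PROVIDES = """\
tomcat-el-2.2-api = 0:7.0.54-1.mga4
mvn(org.apache.tomcat:tomcat-el-api) = 7.0.54
"""
# Constructed `rpm -q --requires` output for packages that depend on it.
DEPENDENT_REQUIRES = {
    "maven": "jpackage-utils\nmvn(javax.el:javax.el-api)\n",
    "freemind": "java >= 1.6\nmvn(javax.el:javax.el-api) >= 2.2\n",
    "ecj": "jpackage-utils\n",
}


def capability_names(rpm_output):
    """Return the set of capability names, ignoring version constraints."""
    names = set()
    for line in rpm_output.splitlines():
        line = line.strip()
        if line:
            # "name", "name = ver", "name >= ver": the name is the first field.
            names.add(line.split()[0])
    return names


def dropped_provides(old, new):
    """Capabilities the old build provided that the new build does not."""
    return capability_names(old) - capability_names(new)


def broken_dependents(old, new, dependents):
    """Map each dependent package to the dropped capabilities it requires."""
    dropped = dropped_provides(old, new)
    report = {}
    for pkg, requires in dependents.items():
        hit = capability_names(requires) & dropped
        if hit:
            report[pkg] = sorted(hit)
    return report


if __name__ == "__main__":
    print(broken_dependents(OLD_PROVIDES, NEW_PROVIDES, DEPENDENT_REQUIRES))
```

A dropped capability may still resolve through another provider, so a hit is a prompt to test co-installation, as QA did here with freemind and maven.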