Bug 15270

Summary: tomcat new security issue CVE-2014-0227
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, pterjan, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/634232/
Whiteboard: advisory has_procedure MGA4-64-OK MGA4-32-OK
Source RPM: tomcat-7.0.54-5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-02-11 23:06:17 CET 
A security issue fixed in tomcat 7.0.55 was made public on February 9:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55

Fedora has not yet updated to 7.0.55.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-02-11 23:06:41 CET

CC: (none) => pterjan
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-02-16 13:52:42 CET 
Updated packages uploaded for Mageia 4 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk
as part of a chunked request that caused Tomcat to read part of the request
body as a new request (CVE-2014-0227).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.59-1.mga4
tomcat-admin-webapps-7.0.59-1.mga4
tomcat-docs-webapp-7.0.59-1.mga4
tomcat-javadoc-7.0.59-1.mga4
tomcat-jsvc-7.0.59-1.mga4
tomcat-jsp-2.2-api-7.0.59-1.mga4
tomcat-lib-7.0.59-1.mga4
tomcat-servlet-3.0-api-7.0.59-1.mga4
tomcat-el-2.2-api-7.0.59-1.mga4
tomcat-webapps-7.0.59-1.mga4

from tomcat-7.0.59-1.mga4.src.rpm

Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO => has_procedure

Comment 2 Herman Viaene 2015-02-18 11:42:10 CET 
I found also tomcat-log4j with this version number, so I installed that one as well.

CC: (none) => herman.viaene

Comment 3 Herman Viaene 2015-02-18 14:04:35 CET 
MGA4-64 on HP Probook 6555b KDE.
No installation issues.
Followed procedure as desribed in bug8307 (Comment 1 above). All works OK.

Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 4 Herman Viaene 2015-02-18 17:21:10 CET 
MGA4-32 on Acer D620 Xfce
No installation issues.
Followed procedure as desribed in bug8307 (Comment 1 above). All works OK.

Whiteboard: has_procedure MGA4-64-OK => advisory has_procedure MGA4-64-OK MGA4-32-OK

Comment 5 claire robinson 2015-02-19 13:46:30 CET 
Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-02-19 17:38:20 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0081.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-02-20 21:26:15 CET

URL: (none) => http://lwn.net/Vulnerabilities/634232/

Comment 7 David Walser 2015-05-13 20:10:11 CEST 
This also fixed (also fixed in 7.0.55) CVE-2014-0230:
http://lwn.net/Vulnerabilities/644268/
Comment 8 David Walser 2015-05-29 16:57:49 CEST 
This also fixed CVE-2014-7810:
http://lwn.net/Vulnerabilities/646558/