Bug 17847

Summary: tomcat (tomcat7) new security issues fixed upstream in 7.0.65, 7.0.67, and 7.0.68
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/677975/
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: tomcat-7.0.59-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-01 00:18:33 CET 
Upstream revealed several new security issues on February 22:
http://tomcat.apache.org/security-7.html

Updated packages uploaded for Mageia 5.

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 7.x
before 7.0.65 allows remote authenticated users to bypass intended
SecurityManager restrictions and list a parent directory via a /.. (slash dot
dot) in a pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call, as demonstrated by the
$CATALINA_BASE/webapps directory (CVE-2015-5174).

The Mapper component in 7.x before 7.0.67 processes redirects before
considering security constraints and Filters, which allows remote attackers
to determine the existence of a directory via a URL that lacks a trailing /
(slash) character (CVE-2015-5345).

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, when
different session settings are used for deployments of multiple versions of
the same web application, might allow remote attackers to hijack web sessions
by leveraging use of a requestedSessionSSL field for an unintended request,
related to CoyoteAdapter.java and Request.java (CVE-2015-5346).

The Manager and Host Manager applications in Apache Tomcat 7.x before 7.0.68
establish sessions and send CSRF tokens for arbitrary new requests, which
allows remote attackers to bypass a CSRF protection mechanism by using a
token (CVE-2015-5351).

Apache Tomcat 7.x before 7.0.68 does not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties list, which allows
remote authenticated users to bypass intended SecurityManager restrictions
and read arbitrary HTTP requests, and consequently discover session ID
values, via a crafted web application (CVE-2016-0706).

The session-persistence implementation in Apache Tomcat 7.x before 7.0.68
mishandles session attributes, which allows remote authenticated users to
bypass intended SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that places a crafted object in a
session (CVE-2016-0714).

The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x
before 7.0.68 does not consider whether ResourceLinkFactory.setGlobalContext
callers are authorized, which allows remote authenticated users to bypass
intended SecurityManager restrictions and read or write to arbitrary
application data, or cause a denial of service (application disruption), via
a web application that sets a crafted global context (CVE-2016-0763).

The tomcat package has been updated to version 7.0.68 to fix these issues.
The tomcat-native package has also been updated to version 1.1.34 for
compatibility with the updated tomcat.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763
http://tomcat.apache.org/security-7.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.68-1.mga5
tomcat-admin-webapps-7.0.68-1.mga5
tomcat-docs-webapp-7.0.68-1.mga5
tomcat-javadoc-7.0.68-1.mga5
tomcat-jsvc-7.0.68-1.mga5
tomcat-jsp-2.2-api-7.0.68-1.mga5
tomcat-lib-7.0.68-1.mga5
tomcat-servlet-3.0-api-7.0.68-1.mga5
tomcat-el-2.2-api-7.0.68-1.mga5
tomcat-webapps-7.0.68-1.mga5
libtcnative1-1.1.34-1.mga5
libtcnative1-devel-1.1.34-1.mga5

from SRPMS:
tomcat-7.0.68-1.mga5.src.rpm
tomcat-native-1.1.34-1.mga5.src.rpm
Comment 1 David Walser 2016-03-01 00:18:43 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Ideas for testing tomcat-native can be found in Bug 16568.

Whiteboard: (none) => has_procedure

Comment 2 claire robinson 2016-03-01 19:37:17 CET 
Advisory uploaded.

Whiteboard: has_procedure => has_procedure advisory

Comment 3 Brian Rockwell 2016-03-02 15:10:00 CET 
installed packages on mageia 5_64  Installation went fine.


http://127.0.0.1:8080/

Results
----------------------

Apache Tomcat/7.0.68
If you're seeing this, you've successfully installed Tomcat. Congratulations!

--------------------------

CC: (none) => brtians1
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK

Comment 4 Brian Rockwell 2016-03-02 16:13:39 CET 
David - I'm not finding 7.0.68 in MGA5-32 repository to download.

Can you re-trigger it and see if my mirror loads?

Thanks,
brian
Comment 5 David Walser 2016-03-02 16:15:14 CET 
No, I'm not rebuilding it when it's already there.  Confirmed by checking kernel.org.  Try a different mirror.
Comment 6 Brian Rockwell 2016-03-02 17:30:41 CET 
I don't know how many times I did an update and it didn't take.  Finally dropped and re-added the media.  That worked.  Sorry for the burden David.

Mageia 5_32.  Installation went fine.

Results
-----------------

Apache Tomcat/7.0.68
If you're seeing this, you've successfully installed Tomcat. Congratulations!
-----------------

Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 7 claire robinson 2016-03-02 18:15:49 CET 
Well done Brian. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2016-03-02 19:30:25 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0090.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2016-03-03 19:22:56 CET 
LWN reference for CVE-2015-5346:
http://lwn.net/Vulnerabilities/678633/