| Summary: | tomcat (tomcat7) new security issue CVE-2016-5388 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, marja11, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/699807/ | ||
| Whiteboard: | has_procedure MGA5-32-OK advisory | ||
| Source RPM: | tomcat-7.0.68-1.1.mga5.src.rpm | CVE: | |
| Status comment: | | | |
|
Description

David Walser
2016-09-07 19:58:47 CEST

Assigning to maintainer

CC: (none) => marja11

Comment

David found the fix. Cauldron updated. Mageia 5 patched.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue (CVE-2016-5388).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.68-1.2.mga5
tomcat-admin-webapps-7.0.68-1.2.mga5
tomcat-docs-webapp-7.0.68-1.2.mga5
tomcat-javadoc-7.0.68-1.2.mga5
tomcat-jsvc-7.0.68-1.2.mga5
tomcat-jsp-2.2-api-7.0.68-1.2.mga5
tomcat-lib-7.0.68-1.2.mga5
tomcat-servlet-3.0-api-7.0.68-1.2.mga5
tomcat-el-2.2-api-7.0.68-1.2.mga5
tomcat-webapps-7.0.68-1.2.mga5

from tomcat-7.0.68-1.2.mga5.src.rpm

Version: Cauldron => 5

Comment

Installed and configured, and confirmed tomcat working as per bug 8307. Installed the updates, and restarted tomcat. After that http://localhost:8080/sample/hello works, but http://localhost:8080/examples returns a 404, as does http://localhost:8080

CC: (none) => davidwhodgins

Comment

David, do you have any idea? This 404 error doesn't look like it should be happening because of the patch.

CC: (none) => geiger.david68210

Comment

Found it. Had to add the closing --> to line 357 of /etc/tomcat/web.xml, the last line added in the changes to the file.

Comment

Wow!! my bad :( A typo when I had rebased the upstream patch. Thanks Dave for pointing that out, so it should be fixed now for mga5.

Updated packages in core/updates_testing:
========================
tomcat-7.0.68-1.3.mga5
tomcat-admin-webapps-7.0.68-1.3.mga5
tomcat-docs-webapp-7.0.68-1.3.mga5
tomcat-javadoc-7.0.68-1.3.mga5
tomcat-jsvc-7.0.68-1.3.mga5
tomcat-jsp-2.2-api-7.0.68-1.3.mga5
tomcat-lib-7.0.68-1.3.mga5
tomcat-servlet-3.0-api-7.0.68-1.3.mga5
tomcat-el-2.2-api-7.0.68-1.3.mga5
tomcat-webapps-7.0.68-1.3.mga5

from tomcat-7.0.68-1.3.mga5.src.rpm

Whiteboard: has_procedure feedback => has_procedure

Comment

Fixed now. Validating. Thanks.

Keywords: (none) => validated_update

Comment

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0312.html

Status: NEW => RESOLVED
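The advisory above describes the mechanism behind CVE-2016-5388: a CGI gateway that follows RFC 3875 section 4.1.18 turns every request header into an HTTP_* environment variable, so a client-supplied Proxy header becomes HTTP_PROXY. The following added example (not code from Tomcat or from this bug report) shows that mapping next to a hardened variant that only exports an allow-list of headers, which is the shape of the upstream fix; the header names, values and the allow-list regex are constructed for illustration, not copied from any Tomcat release.

```python
import re

# Constructed request headers as a CGI gateway would receive them. The Proxy
# header is the untrusted client input at the heart of the httpoxy issue.
SAMPLE_HEADERS = {
    "Host": "localhost:8080",
    "User-Agent": "curl/7.50",
    "Proxy": "http://untrusted.example:3128",  # constructed value
}


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 4.1.18: 'HTTP_' + header name upper-cased, '-' replaced by '_'."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env_rfc3875(headers: dict) -> dict:
    """Vulnerable mapping: every request header is exported, so a client's
    'Proxy' header lands in HTTP_PROXY, which many HTTP client libraries read
    as their outbound proxy setting (the redirection the advisory describes)."""
    return {header_to_meta_variable(n): v for n, v in headers.items()}


# Allow-list of headers permitted to reach the CGI environment. Constructed
# example pattern (assumption), matched against the upper-cased header name.
SAFE_HEADER_PATTERN = re.compile(
    r"^(ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT)$"
)


def cgi_env_hardened(headers: dict, allowed=SAFE_HEADER_PATTERN) -> dict:
    """Hardened mapping: only allow-listed headers are exported, so HTTP_PROXY
    can never be populated from the request, whatever the client sends."""
    return {
        header_to_meta_variable(n): v
        for n, v in headers.items()
        if allowed.match(n.upper())
    }


def env_sets_proxy(env: dict) -> bool:
    """Check a CGI environment for the dangerous variable."""
    return "HTTP_PROXY" in env


if __name__ == "__main__":
    print("rfc3875 exports HTTP_PROXY:", env_sets_proxy(cgi_env_rfc3875(SAMPLE_HEADERS)))
    print("hardened exports HTTP_PROXY:", env_sets_proxy(cgi_env_hardened(SAMPLE_HEADERS)))
```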