| Summary: | tomcat new security issue CVE-2016-8745 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, geiger.david68210, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/711048/ | ||
| Whiteboard: | mga5-64-ok mga5-32-ok advisory | ||
| Source RPM: | tomcat-8.0.39-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2017-01-06 13:23:54 CET

David Walser
2017-01-06 13:24:10 CET

CC: (none) => geiger.david68210

Debian has issued an advisory for this on January 8:
https://www.debian.org/security/2017/dsa-3754

URL: (none) => https://lwn.net/Vulnerabilities/711048/

Done for mga5 updating to latest 7.0.75 release and also freeze push asked for Cauldron!

Thanks David!

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

It was discovered that incorrect error handling in the NIO HTTP connector of the Tomcat servlet and JSP engine could result in information disclosure (CVE-2016-8745).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745
https://www.debian.org/security/2017/dsa-3754
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.75
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.75-1.mga5
tomcat-admin-webapps-7.0.75-1.mga5
tomcat-docs-webapp-7.0.75-1.mga5
tomcat-javadoc-7.0.75-1.mga5
tomcat-jsvc-7.0.75-1.mga5
tomcat-jsp-2.2-api-7.0.75-1.mga5
tomcat-lib-7.0.75-1.mga5
tomcat-servlet-3.0-api-7.0.75-1.mga5
tomcat-el-2.2-api-7.0.75-1.mga5
tomcat-webapps-7.0.75-1.mga5

tomcat-7.0.75-1.mga5.src.rpm

Version: Cauldron => 5

The following 22 packages are going to be installed:
- apache-commons-collections-3.2.2-1.mga5.noarch
- apache-commons-daemon-1.0.15-5.mga5.x86_64
- apache-commons-daemon-jsvc-1.0.15-5.mga5.x86_64
- apache-commons-dbcp-1.4-19.mga5.noarch
- apache-commons-pool-1.6-10.mga5.noarch
- ecj-4.4.0-1.mga5.noarch
- geronimo-jta-1.1.1-14.mga5.noarch
- jakarta-taglibs-standard-1.1.2-15.mga5.noarch
- tomcat-7.0.75-1.mga5.noarch
- tomcat-admin-webapps-7.0.75-1.mga5.noarch
- tomcat-docs-webapp-7.0.75-1.mga5.noarch
- tomcat-el-2.2-api-7.0.75-1.mga5.noarch
- tomcat-javadoc-7.0.75-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.75-1.mga5.noarch
- tomcat-jsvc-7.0.75-1.mga5.noarch
- tomcat-lib-7.0.75-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.75-1.mga5.noarch
- tomcat-webapps-7.0.75-1.mga5.noarch
- xalan-j2-2.7.1-10.mga5.noarch
- xerces-j2-2.11.0-14.1.mga5.noarch
- xml-commons-apis-1.4.01-18.mga5.noarch
- xml-commons-resolver-1.2-16.mga5.noarch
69MB of additional disk space will be used.
13MB of packages will be retrieved.
Is it ok to continue?

# systemctl start tomcat.service
# ps -ef | grep tom
tomcat 6727 1 40 07:55 ? 00:00:10 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

I followed Claire's instructions on setting up admin and used gui-manager. Seems to work as designed.

CC: (none) => brtians1
Lewis Smith
2017-02-11 21:51:35 CET

CC: (none) => lewyssmith

David, are we affected by this?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851304
https://www.debian.org/security/2017/dsa-3787
https://www.debian.org/security/2017/dsa-3788

Nope, we are not affected as this issue was fixed in 7.0.75 and 8.0.41 releases.

$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux

The following 12 packages are going to be installed:
- apache-commons-collections-3.2.2-1.mga5.noarch
- apache-commons-daemon-1.0.15-5.mga5.i586
- apache-commons-dbcp-1.4-19.mga5.noarch
- apache-commons-pool-1.6-10.mga5.noarch
- ecj-4.4.0-1.mga5.noarch
- geronimo-jta-1.1.1-14.mga5.noarch
- tomcat-7.0.75-1.mga5.noarch
- tomcat-admin-webapps-7.0.75-1.mga5.noarch
- tomcat-el-2.2-api-7.0.75-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.75-1.mga5.noarch
- tomcat-lib-7.0.75-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.75-1.mga5.noarch
7.9MB of additional disk space will be used.
6.9MB of packages will be retrieved.
Is it ok to continue?

Edited /etc/tomcat/tomcat-users.xml and uncommented the users, adding the manager-gui role to one of them. Started the service and confirmed it is running.

# ps -ef | grep tom
tomcat 6136 1 14 09:47 ? 00:00:05 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

Followed the links and went into the admin site. Browse http://localhost:8080/sample and http://localhost:8080/examples and click the links.
Also browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with the manager-gui role.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0050.html

Status: NEW => RESOLVED
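An added check, not part of the bug report or the Mageia QA procedure above: a POSIX shell script that decides from an rpm VERSION-RELEASE string whether an installed Tomcat 7 package already carries the 7.0.75 release the advisory names as fixed for CVE-2016-8745. Function and variable names are mine; only the 7.0.x threshold comes from this page, so other branches are reported as out of scope rather than guessed at.

```shell
#!/bin/sh
# Added example: is the installed tomcat rpm at or past the fixed release?
# 7.0.75 is the "Fixed in Apache Tomcat 7.0.75" release cited in the advisory.
FIXED_7="7.0.75"

# Compare two dotted numeric versions; prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"  # drop it from the remainder
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"           # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Map "7.0.65-3.mga5" (or plain "7.0.65") to fixed / vulnerable / other-branch.
# Only the 7.0.x branch threshold is known from this advisory.
cve_2016_8745_state() {
    ver="${1%%-*}"                      # strip the rpm release suffix
    case "$ver" in
        7.0.*) ;;
        *) printf '%s\n' "other-branch"; return ;;
    esac
    if [ "$(vercmp "$ver" "$FIXED_7")" -lt 0 ]; then
        printf '%s\n' "vulnerable"
    else
        printf '%s\n' "fixed"
    fi
}

# Query the installed package on an RPM-based system (rpm assumed present).
installed_tomcat_state() {
    v="$(rpm -q --qf '%{VERSION}-%{RELEASE}' tomcat 2>/dev/null)" \
        || { printf '%s\n' "not-installed"; return; }
    cve_2016_8745_state "$v"
}

# Usage: sh check_tomcat.sh [VERSION-RELEASE]; without an argument, ask rpm.
if [ $# -gt 0 ]; then cve_2016_8745_state "$1"; else installed_tomcat_state; fi
```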