Bug 20655

Summary: tomcat new security issues CVE-2017-5647 and CVE-2017-5648
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: tomcat-8.0.41-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2017-04-11 00:41:09 CEST
Apache has issued advisories today (April 10):
http://openwall.com/lists/oss-security/2017/04/10/24
http://openwall.com/lists/oss-security/2017/04/10/23

Mageia 5 is also affected.

The issues are fixed upstream in 7.0.77 and 8.0.43.
David Walser 2017-04-11 00:41:31 CEST

Whiteboard: (none) => MGA5TOO
CC: (none) => geiger.david68210

Nicolas Lécureuil 2017-04-21 11:01:15 CEST

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 1 Nicolas Lécureuil 2017-04-21 11:07:27 CEST
pushed in updates_testing:

srpms: tomcat-7.0.77-1.mga5

Assignee: mageia => qa-bugs

Comment 2 David Walser 2017-04-21 12:16:56 CEST
Thanks Nicolas!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

A bug in the handling of the pipelined requests when send file was used
resulted in the pipelined request being lost when send file processing of the
previous request completed. This could result in responses appearing to be
sent for the wrong request. For example, a user agent that sent requests A, B
and C could see the correct response for request A, the response for request
C for request B and no response for request C (CVE-2017-5647).

While investigating bug 60718, it was noticed that some calls to application
listeners did not use the appropriate facade object. When running an
untrusted application under a SecurityManager, it was therefore possible for
that untrusted application to retain a reference to the request or response
object and thereby access and/or modify information associated with another
web application (CVE-2017-5648).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5648
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.77
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.77-1.mga5
tomcat-admin-webapps-7.0.77-1.mga5
tomcat-docs-webapp-7.0.77-1.mga5
tomcat-javadoc-7.0.77-1.mga5
tomcat-jsvc-7.0.77-1.mga5
tomcat-jsp-2.2-api-7.0.77-1.mga5
tomcat-lib-7.0.77-1.mga5
tomcat-servlet-3.0-api-7.0.77-1.mga5
tomcat-el-2.2-api-7.0.77-1.mga5
tomcat-webapps-7.0.77-1.mga5

from tomcat-7.0.77-1.mga5.src.rpm

Whiteboard: (none) => has_procedure
Severity: normal => critical
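The symptom the advisory describes for CVE-2017-5647 is a response being delivered for the wrong pipelined request (A, B, C sent; A correct, C's response returned for B, nothing for C). A QA tester verifying a patched build wants a check that every pipelined response is the one belonging to its request. The following is an added example, not the Mageia testing procedure linked in this comment and not Tomcat or Mageia code: it pipelines several GET requests over one connection and pairs each response with its request. The server it talks to is Python's built-in http.server, started in a thread only so the script runs offline; that toy server does not use sendfile and cannot reproduce the bug, so against a real Tomcat instance you would replace the host, port and paths (assumed values here) with static resources that Tomcat serves via sendfile.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoPathHandler(BaseHTTPRequestHandler):
    """Constructed stand-in server: answers each GET with its own request path,
    so a client can tell which request a response belongs to."""
    protocol_version = "HTTP/1.1"  # keep-alive, so pipelined requests share one connection

    def do_GET(self):
        body = self.path.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the check's output quiet
        pass


def start_server():
    """Bind the stand-in server to a free loopback port and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), EchoPathHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _recv_until(sock, buf, enough):
    """Keep reading from sock into buf until enough(buf) holds."""
    while not enough(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection before all responses arrived")
        buf += chunk
    return buf


def read_responses(sock, count):
    """Split `count` consecutive HTTP/1.1 responses off one socket using Content-Length."""
    buf = b""
    bodies = []
    while len(bodies) < count:
        buf = _recv_until(sock, buf, lambda b: b"\r\n\r\n" in b)
        head, _, rest = buf.partition(b"\r\n\r\n")
        length = 0
        for line in head.decode("iso-8859-1").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        rest = _recv_until(sock, rest, lambda b: len(b) >= length)
        bodies.append(rest[:length].decode())
        buf = rest[length:]
    return bodies


def check_pipelining(host, port, paths):
    """Send all requests back to back, then pair each response with its request.
    Returns [(path, body, matched)] where matched is False on a mis-delivered response."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(b"".join(
            f"GET {p} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode() for p in paths))
        bodies = read_responses(sock, len(paths))
    return [(p, b, p == b) for p, b in zip(paths, bodies)]


def run_check(paths=("/A", "/B", "/C")):
    """Run the pairing check against the local stand-in server and return its results."""
    srv = start_server()
    try:
        return check_pipelining("127.0.0.1", srv.server_address[1], list(paths))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, body, ok in run_check():
        print(f"{path}: got {body!r} -> {'OK' if ok else 'MISMATCH'}")
```

Against a real server the "echo the path" trick is not available; use resources whose bodies are distinct and known (three small static files, for instance) and compare each body to the expected content of the path it was requested for, and run the sequence enough times that a lost or shifted response, which the advisory says depends on sendfile processing of the previous request completing, has a chance to show up.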

Comment 3 Herman Viaene 2017-04-21 15:40:32 CEST
MGA-32 on Asus A6000VM Xfce
No installation issues.
Followed procedure as per Comment 2, all works OK.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Dave Hodgins 2017-04-24 01:35:13 CEST

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins

Comment 4 Herman Viaene 2017-04-25 19:52:47 CEST
MGA5-64 on Lenovo B50KDE
No installation issues.
Followed procedure as per Comment 2, all works OK.

Whiteboard: has_procedure MGA5-32-OK advisory => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 5 Dave Hodgins 2017-04-27 20:36:40 CEST
Validating the update. Thanks for the testing Herman.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-04-28 00:22:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0117.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED