| Summary: | tomcat new security issue CVE-2017-12617 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David GEIGER <geiger.david68210> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK MGA5-64-OK | ||
| Source RPM: | tomcat-8.0.46-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David GEIGER
2017-10-25 23:00:51 CEST
David GEIGER
2017-10-25 23:02:59 CEST
Whiteboard:
(none) => MGA6TOO MGA5TOO

Fixed for Cauldron, mga6 and mga5! Thanks David!

CVE-2017-12615 was actually fixed in the previous update (Bug 21714).

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

When running with HTTP PUTs enabled (e.g. via setting the readonly initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server (CVE-2017-12617).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.47
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.82-1.mga5
tomcat-admin-webapps-7.0.82-1.mga5
tomcat-docs-webapp-7.0.82-1.mga5
tomcat-javadoc-7.0.82-1.mga5
tomcat-jsvc-7.0.82-1.mga5
tomcat-jsp-2.2-api-7.0.82-1.mga5
tomcat-lib-7.0.82-1.mga5
tomcat-servlet-3.0-api-7.0.82-1.mga5
tomcat-el-2.2-api-7.0.82-1.mga5
tomcat-webapps-7.0.82-1.mga5

tomcat-8.0.47-1.mga6
tomcat-admin-webapps-8.0.47-1.mga6
tomcat-docs-webapp-8.0.47-1.mga6
tomcat-javadoc-8.0.47-1.mga6
tomcat-jsvc-8.0.47-1.mga6
tomcat-jsp-2.3-api-8.0.47-1.mga6
tomcat-lib-8.0.47-1.mga6
tomcat-servlet-3.1-api-8.0.47-1.mga6
tomcat-el-3.0-api-8.0.47-1.mga6
tomcat-webapps-8.0.47-1.mga6

from SRPMS:
tomcat-7.0.82-1.mga5.src.rpm
tomcat-8.0.47-1.mga6.src.rpm

Summary:
tomcat new security issues CVE-2017-12615 and CVE-2017-12617 => tomcat new security issue CVE-2017-12617

MGA5-32 on Asus A6000VM Xfce
No installation issues. This was an update to an existing previous tomcat installation.
Exercised a whole range of examples as per bug 8307 Comment 17. All work OK.

CC:
(none) => herman.viaene
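The advisory quoted above ties the issue to one precondition (the Default servlet's readonly init-param set to false, which enables HTTP PUT) and one sequence (a JSP is written by a PUT and then requested). The following Python script is an added example, not part of this bug report, of the Mageia packages or of the Tomcat project: it audits a Tomcat conf/web.xml for that weak setting, shows the corrected value, and scans Tomcat access-log lines for the PUT-of-a-.jsp write that precedes execution. The web.xml fragments, the log lines, the IP addresses and the file name shell.jsp are constructed for illustration.

```python
"""Audit conf/web.xml for the CVE-2017-12617 precondition (DefaultServlet
readonly=false) and scan access-log lines for PUT requests naming a .jsp.

Added example; not code from the Mageia bug or the Tomcat project.
All sample inputs below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a conf/web.xml with the weak setting the advisory
# describes (readonly explicitly set to false, so PUT/DELETE are accepted).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the corrected file, readonly back to true.
SAFE_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                    "<param-value>true</param-value>")

# Constructed sample access-log lines in Tomcat's common log pattern.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [26/Oct/2017:10:01:02 +0200] "GET /index.jsp HTTP/1.1" 200 1234
10.0.0.9 - - [26/Oct/2017:10:01:07 +0200] "PUT /shell.jsp HTTP/1.1" 201 -
10.0.0.9 - - [26/Oct/2017:10:01:09 +0200] "GET /shell.jsp?cmd=id HTTP/1.1" 200 87
10.0.0.5 - - [26/Oct/2017:10:02:00 +0200] "PUT /uploads/notes.txt HTTP/1.1" 204 -
"""

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip the XML namespace so Tomcat 7 and Tomcat 8 web.xml both match."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Effective 'readonly' value of the DefaultServlet declared in web.xml.

    True  -> PUT/DELETE rejected (also Tomcat's default when the param is absent)
    False -> PUT/DELETE accepted: the precondition for CVE-2017-12617
    None  -> no DefaultServlet declared in this file
    """
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        if not isinstance(el.tag, str) or _local(el.tag) != "servlet":
            continue
        cls, params = None, {}
        for child in el:
            name = _local(child.tag)
            if name == "servlet-class":
                cls = (child.text or "").strip()
            elif name == "init-param":
                pn = pv = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pn = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pv = (p.text or "").strip()
                if pn is not None:
                    params[pn] = pv or ""
        if cls == DEFAULT_SERVLET:
            value = params.get("readonly")
            # Tomcat parses the value with Boolean.parseBoolean: only the
            # exact word "true" (case-insensitive) keeps the servlet read-only.
            return True if value is None else value.lower() == "true"
    return None


LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def find_jsp_puts(log_text):
    """(ip, timestamp, path, status) for each PUT whose path contains '.jsp'.

    The match is on '.jsp' anywhere in the path rather than at its end,
    because the advisory speaks of a specially crafted request, not a plain
    file name; a 2xx status means the server accepted the write.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("method") == "PUT" and ".jsp" in m.group("path").lower():
            hits.append((m.group("ip"), m.group("ts"),
                         m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    print("weak web.xml, readonly:", default_servlet_readonly(WEAK_WEB_XML))
    print("safe web.xml, readonly:", default_servlet_readonly(SAFE_WEB_XML))
    for hit in find_jsp_puts(SAMPLE_ACCESS_LOG):
        print("suspicious PUT:", hit)
```

Run it against a real deployment by passing the contents of /etc/tomcat/web.xml (the Mageia path for conf/web.xml) to default_servlet_readonly and the access log to find_jsp_puts. The audit tests for equality with "true" rather than for the string "false" because Tomcat's Boolean.parseBoolean treats any other spelling (for example "yes" or "0") as false, which silently enables PUT; a PUT hit followed by a GET of the same path from the same client, as in the constructed log, is the upload-then-execute sequence the advisory describes.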
Lewis Smith
2017-10-29 21:19:51 CET
Keywords:
(none) => advisory

Testing M6/64 using https://bugs.mageia.org/show_bug.cgi?id=21714#c3

Already installed, updated to:
- tomcat-8.0.47-1.mga6.noarch
- tomcat-admin-webapps-8.0.47-1.mga6.noarch
- tomcat-el-3.0-api-8.0.47-1.mga6.noarch
- tomcat-jsp-2.3-api-8.0.47-1.mga6.noarch
- tomcat-jsvc-8.0.47-1.mga6.noarch
- tomcat-lib-8.0.47-1.mga6.noarch
- tomcat-servlet-3.1-api-8.0.47-1.mga6.noarch
- tomcat-webapps-8.0.47-1.mga6.noarch

Ensured /etc/tomcat/tomcat-users.xml had the following lines:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="..." password="..." roles="manager-gui,admin-gui"/>

# systemctl restart tomcat

http://localhost:8080/ showed "Apache Tomcat/8.0.47"
'server status' button 1st use asked for user/password. Result sensible.
'manager app' button showed correct screen.
'host manager' button 1st use asked for user/password. Result sensible.

The equivalent direct links:
http://localhost:8080/manager/status
http://localhost:8080/manager/html
http://localhost:8080/host-manager/html
also worked as per the buttons on the home page.

Tried many of the applications. They mostly worked, but some groups yielded:
"HTTP Status 500 - The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed with this application"
which has become normal.

OK for M6/64.

Whiteboard:
MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

RedHat has issued an advisory for this on October 29:
https://access.redhat.com/errata/RHSA-2017:3081

MGA6-32 on Asus A6000VM MATE
No installation issues. This was a fresh tomcat installation.
Edited tomcat users as per bug 8307 Comment 17.
Exercised a whole range of examples as per bug 8307 Comment 17. All work OK.

Whiteboard:
MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK

Testing M5/64

Updated existing installation to:
- tomcat-7.0.82-1.mga5.noarch
- tomcat-admin-webapps-7.0.82-1.mga5.noarch
- tomcat-el-2.2-api-7.0.82-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.82-1.mga5.noarch
- tomcat-lib-7.0.82-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.82-1.mga5.noarch
- tomcat-webapps-7.0.82-1.mga5.noarch

with the usual provisions that /etc/tomcat/tomcat-users.xml had the following lines:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="..." password="..." roles="manager-gui,admin-gui"/>
and
# systemctl restart tomcat

http://localhost:8080/ showed correctly "Apache Tomcat/7.0.82"
Otherwise tests as per comment 4 were the same, correct.

OK.

Keywords:
(none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0400.html

Resolution:
(none) => FIXED