Bug 22568

Summary: tomcat-native new security issue CVE-2017-15698
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: geiger.david68210, herman.viaene, sysadmin-bugs
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-64-OK
Source RPM: tomcat-native-1.2.12-1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 1.2.16

Description David Walser 2018-02-10 22:33:47 CET
Fedora has issued an advisory on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J3AMZRPNW5L27APAWB4IW3SRJQR6HL4G/

The issue is fixed upstream in 1.2.16.

Mageia 5 is also affected (but doesn't need to be updated).
David Walser 2018-02-10 22:41:51 CET

Status comment: (none) => Fixed upstream in 1.2.16

Comment 1 David GEIGER 2018-02-17 13:11:19 CET
Done for mga6!
Comment 2 David Walser 2018-02-17 17:06:12 CET
Thanks David!

Advisory:
========================

Updated tomcat-native package fixes security vulnerability:

When parsing the AIA-Extension field of a client certificate, Apache Tomcat
Native did not correctly handle fields longer than 127 bytes. The result of the
parsing error was to skip the OCSP check. It was therefore possible for client
certificates that should have been rejected (if the OCSP check had been made) to
be accepted. Users not using OCSP checks are not affected by this vulnerability
(CVE-2017-15698).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15698
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J3AMZRPNW5L27APAWB4IW3SRJQR6HL4G/
========================

Updated packages in core/updates_testing:
========================
tomcat-native-1.2.16-1.mga6

from tomcat-native-1.2.16-1.mga6.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
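The advisory above describes a parser that mishandles fields longer than 127 bytes, which is exactly the point where DER switches from a one-octet length to the long form. As an added illustration (not tomcat-native's or Mageia's code; the function names are hypothetical and the assumption that the defect concerns DER long-form lengths is mine), the following Python walks an AIA extension with a naive one-octet length decoder beside a correct one: a constructed sample whose OCSP URI exceeds 127 bytes parses correctly with the second and fails with the first, and that failure is the condition a caller must treat as a rejection rather than as "no OCSP responder to check".

```python
ID_AD_OCSP = bytes.fromhex("2b06010505073001")  # OID 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)

def decode_len_naive(buf, pos):
    # Buggy: reads the length octet as a one-byte value, so any long-form
    # length (128 or more, first octet 0x81..0x84) is misread and the parse derails.
    return buf[pos], pos + 1

def decode_len(buf, pos):
    # Correct DER: short form below 128; otherwise 0x80|n followed by n length bytes.
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad long-form length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < 0x80:
        raise ValueError("non-minimal length")  # DER demands the shortest form
    return length, pos + 1 + n

def encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + encode_len(len(value)) + value

def read_tlv(buf, pos, decode):
    # Returns (tag, value, next_pos); refuses a length that runs past the buffer.
    tag = buf[pos]
    length, pos = decode(buf, pos + 1)
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def ocsp_uri(aia, decode=decode_len):
    # AIA is SEQUENCE OF AccessDescription {OID, location}; return the id-ad-ocsp URI or None.
    _, seq, _ = read_tlv(aia, 0, decode)
    pos = 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos, decode)
        _, oid, p = read_tlv(desc, 0, decode)
        tag, loc, _ = read_tlv(desc, p, decode)
        if oid == ID_AD_OCSP and tag == 0x86:  # [6] uniformResourceIdentifier
            return loc.decode("ascii")
    return None

def build_aia(uri):
    # Constructed sample AIA value holding a single OCSP AccessDescription.
    desc = tlv(0x30, tlv(0x06, ID_AD_OCSP) + tlv(0x86, uri.encode("ascii")))
    return tlv(0x30, desc)
```

With a short responder URI both decoders agree; once the URI (and so the enclosing SEQUENCEs) pass 127 bytes, only `decode_len` recovers it, while the naive decoder raises on an out-of-range length.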

Comment 3 Herman Viaene 2018-02-22 14:33:19 CET
MGA6-32 on Dell Latitude D600 Mate
No installation issues
# urmpq --whatrequires tomcat-native
guacamole
hadoop-pfs
tomcat-native
Had a look at what guacamole is, looks interesting, but too heavy on this laptop. If I get rid of the possible updates on this 32 machine, I'd like to give it a go on MGA6-64.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2018-02-25 10:45:21 CET
MGA6-64 on Lenovo B50 Plasma
Installed guacamole. Expected this to draw in tomcat-native as the reverse is indicated (see Comment 3 above), but that didn't happen. Installed tomcat-native afterwards. All well till then.
Tried to run tomcat (it is required by guacamole), is OK. Starting guacd brings me into configuration problems and guacamole documentation did not offer much help, nor did googling the errors. Spent some hours on this and gave up.
If the higher powers decide that a clean install and no obvious adverse effects is good enough, I agree to OK this update.
Comment 5 Lewis Smith 2018-02-27 21:51:28 CET
Poking M6 x64
No previous package-equivalent updates.

BEFORE the update: tomcat-native-1.2.12-1.mga6
against which I had used Tomcat - if that is relevant.

AFTER the update: tomcat-native-1.2.16-1.mga6
Tomcat itself still works normally. For the rest, I agree with Herman that 'guacamole' is too heavy to play with to test-drive 'tomcat-native'.

On the basis of a clean update, & Herman's clean install, update OK.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2018-02-28 14:56:21 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0150.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED