| Summary: | tomcat new security issue CVE-2020-13943 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | brtians1, geiger.david68210, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | tomcat-9.0.37-3.mga8.src.rpm | CVE: | CVE-2020-13943 |
| Status comment: | |||
Description
David Walser, 2020-10-13 01:10:25 CEST

David Walser, 2020-10-13 01:10:35 CEST
Whiteboard: (none) => MGA7TOO

Done for both Cauldron and mga7!
CC: (none) => geiger.david68210

Advisory:
========================

Updated tomcat packages fix security vulnerability:

If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources (CVE-2020-13943).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13943
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.38-1.mga7
tomcat-admin-webapps-9.0.38-1.mga7
tomcat-docs-webapp-9.0.38-1.mga7
tomcat-jsvc-9.0.38-1.mga7
tomcat-jsp-2.3-api-9.0.38-1.mga7
tomcat-lib-9.0.38-1.mga7
tomcat-servlet-4.0-api-9.0.38-1.mga7
tomcat-el-3.0-api-9.0.38-1.mga7
tomcat-webapps-9.0.38-1.mga7

from tomcat-9.0.38-1.mga7.src.rpm

Assignee: java => qa-bugs

```
# uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 23 packages are going to be installed:
- apache-commons-daemon-1.0.15-16.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- glibc-devel-2.29-20.mga7.x86_64
- kernel-userspace-headers-5.7.19-3.mga7.x86_64
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0l-1.1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- tomcat-9.0.38-1.mga7.noarch
- tomcat-admin-webapps-9.0.38-1.mga7.noarch
- tomcat-docs-webapp-9.0.38-1.mga7.noarch
- tomcat-el-3.0-api-9.0.38-1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.38-1.mga7.noarch
- tomcat-lib-9.0.38-1.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.38-1.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.38-1.mga7.noarch
53MB of additional disk space will be used.
16MB of packages will be retrieved.
Is it ok to continue?
```

----

After install I went into services and set tomcat to start on boot and started the service.
- Went to 127.0.0.1:8080 and confirmed 9.0.38 is showing.
- Through terminal went to /etc/tomcat and edited the tomcat-users.xml as root.
- Set up the following:

```xml
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user name="brian" password="both" roles="tomcat,manager-gui"/>
</tomcat-users>
```

Restarted services and confirmed I could get into the admin pages. Works for me.
CC: (none) => brtians1

Thanks for testing this. Validating this. Advisory pushed to SVN.
CC: (none) => ouaurelien

Aurelien Oudelet, 2020-10-29 21:01:23 CET
Whiteboard: (none) => MGA7-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0397.html
Status: NEW => RESOLVED