| Summary: | tomcat new security issue CVE-2020-17527 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, geiger.david68210, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | tomcat-9.0.38-1.mga7.src.rpm | CVE: | CVE-2020-17527 |
| Status comment: | | | |
Description

David Walser
2020-12-04 13:42:18 CET

David Walser
2020-12-04 13:42:43 CET

CC: (none) => geiger.david68210

Fedora has issued an advisory for this today (December 5):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VLNRDHJJDZSUJSOSLSHLENY4YUFCYK46/

Fixed for Cauldron but doesn't build on mga7!

tomcat-9.0.40-1.mga8 uploaded for Cauldron.

Version: Cauldron => 7

Build error log for mga7:
http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20201206091407.daviddavid.duvel.11996/log/tomcat-9.0.40-1.mga7/build.0.20201206091522.log

I wonder if 9.0.41 fixes it:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.41_(markt)

Fedora has updated to 9.0.41 today (December 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VRAVUNRYP2U5HRU5ERC73MBPM32WA5TF/

Patched package uploaded for Mageia 7 by David.

Advisory:
========================

Updated tomcat packages fix security vulnerability:

While investigating Apache issue 64830 it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests (CVE-2020-17527).

The tomcat package has been updated to version 9.0.39, and patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17527
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.39-1.mga7
tomcat-admin-webapps-9.0.39-1.mga7
tomcat-docs-webapp-9.0.39-1.mga7
tomcat-jsvc-9.0.39-1.mga7
tomcat-jsp-2.3-api-9.0.39-1.mga7
tomcat-lib-9.0.39-1.mga7
tomcat-servlet-4.0-api-9.0.39-1.mga7
tomcat-el-3.0-api-9.0.39-1.mga7
tomcat-webapps-9.0.39-1.mga7

from tomcat-9.0.39-1.mga7.src.rpm

Assignee: java => qa-bugs

# uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 20 packages are going to be installed:
- apache-commons-daemon-1.0.15-16.mga7.x86_64
- apache-commons-daemon-jsvc-1.0.15-16.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0l-1.2.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- tomcat-9.0.39-1.mga7.noarch
- tomcat-admin-webapps-9.0.39-1.mga7.noarch
- tomcat-docs-webapp-9.0.39-1.mga7.noarch
- tomcat-el-3.0-api-9.0.39-1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.39-1.mga7.noarch
- tomcat-jsvc-9.0.39-1.mga7.noarch
- tomcat-lib-9.0.39-1.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.39-1.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.39-1.mga7.noarch
30MB of additional disk space will be used.
13MB of packages will be retrieved.

--- update tomcat-users.xml and restarted the services
--- able to work in admin module without issues.

works as designed.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 7.

CC: (none) => andrewsfarm, sysadmin-bugs

Advisory pushed to SVN.

CVE: (none) => CVE-2020-17527

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0020.html

Status: NEW => RESOLVED
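The failure mode the advisory describes (a header value from one HTTP/2 stream surviving into the next request on the same connection) is modelled below as an added example; it is not Tomcat's code and the `PooledRequest` object, its two `recycle` variants and the sample streams are assumptions constructed to show why incomplete recycling of per-connection request state can leak data between requests.

```python
# Added example (not Tomcat's code): a simplified model of a request object
# that is pooled per HTTP/2 connection and reused for every stream on it.
# If recycling between streams is incomplete, header values from the previous
# stream are still visible to the handler of the next one.
from dataclasses import dataclass, field


@dataclass
class PooledRequest:
    """One request object reused for every stream on a connection (assumed model)."""
    stream_id: int = 0
    headers: dict = field(default_factory=dict)

    def recycle_buggy(self):
        # Assumed defect for illustration: only the stream id is reset,
        # so header values parsed for the previous stream survive.
        self.stream_id = 0

    def recycle_fixed(self):
        # Correct behaviour: every piece of per-stream state is cleared.
        self.stream_id = 0
        self.headers = {}


def serve_connection(streams, fixed):
    """Process (stream_id, header_block) pairs received on one connection and
    return the headers each stream's handler actually observed."""
    req = PooledRequest()
    observed = {}
    for stream_id, header_block in streams:
        req.stream_id = stream_id
        for name, value in header_block:
            req.headers[name.lower()] = value
        observed[stream_id] = dict(req.headers)  # what the application sees
        if fixed:
            req.recycle_fixed()
        else:
            req.recycle_buggy()
    return observed


# Constructed sample: stream 1 carries an Authorization header; stream 3,
# multiplexed on the same connection (e.g. by a reverse proxy serving several
# users over one backend connection), does not.
SAMPLE_STREAMS = [
    (1, [(":path", "/account"), ("authorization", "Bearer user-a-token")]),
    (3, [(":path", "/public")]),
]

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy", serve_connection(SAMPLE_STREAMS, fixed)[3])
```

With the buggy recycle, the handler for stream 3 sees the first stream's Authorization header; with the corrected recycle it sees only its own headers.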