| Summary: | tomcat new security issue CVE-2023-28709 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | tomcat-9.0.73-1.1.mga8.src.rpm | CVE: | CVE-2023-28709 |
| Status comment: | |||
Description
David Walser
2023-05-22 14:12:53 CEST

David Walser
2023-05-22 14:13:13 CEST
Status comment: (none) => Fixed upstream in 9.0.74

Suggested advisory:
========================

The updated packages fix a security vulnerability:

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. (CVE-2023-28709)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28709
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.74
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.74-1.mga8
tomcat-admin-webapps-9.0.74-1.mga8
tomcat-docs-webapp-9.0.74-1.mga8
tomcat-el-3.0-api-9.0.74-1.mga8
tomcat-jsp-2.3-api-9.0.74-1.mga8
tomcat-lib-9.0.74-1.mga8
tomcat-servlet-4.0-api-9.0.74-1.mga8
tomcat-webapps-9.0.74-1.mga8

from SRPM:
tomcat-9.0.74-1.mga8.src.rpm

Version: Cauldron => 8

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Start tomcat-service OK, but forgot to change the user rights.
The system had in /etc/tomcat the file tomcat-users.xml.rpmsave, so overwrote the new tomcat-users.xml with that one, then
```
# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2023-05-26 11:16:21 CEST; 3s ago
Main PID: 17181 (java)
Tasks: 19 (limit: 4364)
Memory: 37.5M
CPU: 4.838s
CGroup: /system.slice/tomcat.service
└─17181 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSour>
May 26 11:16:21 mach7.hviaene.thuis systemd[1]: Started Apache Tomcat Web Application Container.
May 26 11:16:21 mach7.hviaene.thuis server[17181]: Java virtual machine used: /usr/lib/jvm/jre/bin/java
May 26 11:16:21 mach7.hviaene.thuis server[17181]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/t>
```
Then I could access http://localhost:8080/sample and http://localhost:8080 and log into the 'manager app' with the credentials just configured with manager-gui role. That opens OK.
So good to go.

CC: (none) => herman.viaene

Validating. Advisory in comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
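An added example, not from the bug report or the Mageia packages: a small Python checker that tests whether a Tomcat version string, or a package name like the ones listed in the advisory above, falls inside the affected ranges the advisory quotes for CVE-2023-28709. The version-string and package-name formats it accepts are assumptions made here.

```python
import re
from typing import Tuple

# Affected ranges exactly as stated in the advisory (inclusive at both ends).
AFFECTED_RANGES = [
    ("11.0.0-M2", "11.0.0-M4"),
    ("10.1.5", "10.1.7"),
    ("9.0.71", "9.0.73"),
    ("8.5.85", "8.5.87"),
]

# Assumed shape of a Tomcat version string: major.minor.patch with an
# optional milestone suffix such as -M3.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Assumed shape of the package names on this page: tomcat-<version>-<release>.
_RPM_RE = re.compile(r"^tomcat-(\d+\.\d+\.\d+(?:-M\d+)?)-\d")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.patch[-Mn]' into a sortable tuple.

    A milestone build precedes the final release with the same number, so
    the fourth slot is n for -Mn and a large sentinel for a full release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else 10**6
    return (int(major), int(minor), int(patch), ms)


def is_affected(version: str) -> bool:
    """True when the version lies inside any range the advisory lists."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def rpm_is_affected(package: str) -> bool:
    """Same check on a package name such as 'tomcat-9.0.74-1.mga8'."""
    m = _RPM_RE.match(package)
    if not m:
        raise ValueError(f"unrecognised package name: {package!r}")
    return is_affected(m.group(1))


if __name__ == "__main__":
    for pkg in ("tomcat-9.0.73-1.1.mga8", "tomcat-9.0.74-1.mga8"):
        print(pkg, "affected" if rpm_is_affected(pkg) else "not affected")
```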
Dave Hodgins
2023-05-30 18:24:14 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0191.html

Status: ASSIGNED => RESOLVED