Fedora has issued an advisory on May 13: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html

This issue is fixed upstream in 7.0.40: http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
Whiteboard: (none) => MGA3TOO, MGA2TOO
fixed for mga2/3
Thanks D Morgan!

Advisory:
========================

Updated tomcat packages fix security vulnerability:

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes (CVE-2013-2071).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html
========================

Updated packages in core/updates_testing:
========================

tomcat-7.0.41-3.mga2
tomcat-admin-webapps-7.0.41-3.mga2
tomcat-docs-webapp-7.0.41-3.mga2
tomcat-javadoc-7.0.41-3.mga2
tomcat-systemv-7.0.41-3.mga2
tomcat-jsvc-7.0.41-3.mga2
tomcat-jsp-2.2-api-7.0.41-3.mga2
tomcat-lib-7.0.41-3.mga2
tomcat-servlet-3.0-api-7.0.41-3.mga2
tomcat-el-2.2-api-7.0.41-3.mga2
tomcat-webapps-7.0.41-3.mga2

tomcat-7.0.41-4.mga3
tomcat-admin-webapps-7.0.41-4.mga3
tomcat-docs-webapp-7.0.41-4.mga3
tomcat-javadoc-7.0.41-4.mga3
tomcat-jsvc-7.0.41-4.mga3
tomcat-jsp-2.2-api-7.0.41-4.mga3
tomcat-lib-7.0.41-4.mga3
tomcat-servlet-3.0-api-7.0.41-4.mga3
tomcat-el-2.2-api-7.0.41-4.mga3
tomcat-webapps-7.0.41-4.mga3

from SRPMS:
tomcat-7.0.41-3.mga2.src.rpm
tomcat-7.0.41-4.mga3.src.rpm
CC: (none) => dmorganec
Version: Cauldron => 3
Assignee: dmorganec => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17
Whiteboard: MGA2TOO => MGA2TOO has_procedure
(In reply to claire robinson from comment #3)
> Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Hi Claire - it works fine inside a Mageia 3 x86-64 VM.
CC: (none) => shlomif
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure MGA3-64-OK
And tomcat from updates_testing is also working fine in a Mageia 2 x86-64 VM.
Whiteboard: MGA2TOO has_procedure MGA3-64-OK => MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK
Works fine in a Mageia 3 i586 VM.
Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK => MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK
Tested on a Mageia 2 i586 VM, and it works fine there too.
Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK => MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK MGA2-32-OK
Update validated, thanks. Please push from core/updates_testing to core/updates in both MGA2 and MGA3. Thanks!

Advisory:
========================

Updated tomcat packages fix security vulnerability:

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes (CVE-2013-2071).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html
========================

Updated packages in core/updates_testing:
========================

tomcat-7.0.41-3.mga2
tomcat-admin-webapps-7.0.41-3.mga2
tomcat-docs-webapp-7.0.41-3.mga2
tomcat-javadoc-7.0.41-3.mga2
tomcat-systemv-7.0.41-3.mga2
tomcat-jsvc-7.0.41-3.mga2
tomcat-jsp-2.2-api-7.0.41-3.mga2
tomcat-lib-7.0.41-3.mga2
tomcat-servlet-3.0-api-7.0.41-3.mga2
tomcat-el-2.2-api-7.0.41-3.mga2
tomcat-webapps-7.0.41-3.mga2

tomcat-7.0.41-4.mga3
tomcat-admin-webapps-7.0.41-4.mga3
tomcat-docs-webapp-7.0.41-4.mga3
tomcat-javadoc-7.0.41-4.mga3
tomcat-jsvc-7.0.41-4.mga3
tomcat-jsp-2.2-api-7.0.41-4.mga3
tomcat-lib-7.0.41-4.mga3
tomcat-servlet-3.0-api-7.0.41-4.mga3
tomcat-el-2.2-api-7.0.41-4.mga3
tomcat-webapps-7.0.41-4.mga3

from SRPMS:
tomcat-7.0.41-3.mga2.src.rpm
tomcat-7.0.41-4.mga3.src.rpm
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Thanks Shlomi. Advisory uploaded.
http://advisories.mageia.org/MGASA-2013-0191.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)