Bug 10200 - tomcat (tomcat7) new security issue CVE-2013-2071
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/551276/
Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA2...
Keywords: validated_update

Reported: 2013-05-21 19:11 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)

Source RPM: tomcat-7.0.34-4.mga3.src.rpm

Description David Walser 2013-05-21 19:11:25 CEST
Fedora has issued an advisory on May 13:
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html

This issue is fixed upstream in 7.0.40:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
Comment 1 D Morgan 2013-06-25 01:03:37 CEST
fixed for mga2/3
Comment 2 David Walser 2013-06-25 01:12:42 CEST
Thanks D Morgan!

Advisory:
========================

Updated tomcat packages fix security vulnerability:

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x
before 7.0.40 does not properly handle the throwing of a RuntimeException
in an AsyncListener in an application, which allows context-dependent
attackers to obtain sensitive request information intended for other
applications in opportunistic circumstances via an application that records
the requests that it processes (CVE-2013-2071).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.41-3.mga2
tomcat-admin-webapps-7.0.41-3.mga2
tomcat-docs-webapp-7.0.41-3.mga2
tomcat-javadoc-7.0.41-3.mga2
tomcat-systemv-7.0.41-3.mga2
tomcat-jsvc-7.0.41-3.mga2
tomcat-jsp-2.2-api-7.0.41-3.mga2
tomcat-lib-7.0.41-3.mga2
tomcat-servlet-3.0-api-7.0.41-3.mga2
tomcat-el-2.2-api-7.0.41-3.mga2
tomcat-webapps-7.0.41-3.mga2
tomcat-7.0.41-4.mga3
tomcat-admin-webapps-7.0.41-4.mga3
tomcat-docs-webapp-7.0.41-4.mga3
tomcat-javadoc-7.0.41-4.mga3
tomcat-jsvc-7.0.41-4.mga3
tomcat-jsp-2.2-api-7.0.41-4.mga3
tomcat-lib-7.0.41-4.mga3
tomcat-servlet-3.0-api-7.0.41-4.mga3
tomcat-el-2.2-api-7.0.41-4.mga3
tomcat-webapps-7.0.41-4.mga3

from SRPMS:
tomcat-7.0.41-3.mga2.src.rpm
tomcat-7.0.41-4.mga3.src.rpm
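As an added illustration (not code from this bug report, from Tomcat, or from the Mageia packages), the application-side precaution the advisory text implies: on Tomcat 7.x before 7.0.40 a RuntimeException escaping an AsyncListener callback is what the container mishandles, so an application that cannot upgrade immediately can at least stop its own listeners from throwing. The class and helper names are assumptions; it uses the javax.servlet 3.0 API shipped as tomcat-servlet-3.0-api above and Java 8 lambdas.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;

/**
 * Hypothetical wrapper (not part of Tomcat): every callback of the wrapped
 * AsyncListener runs inside a guard that logs and contains a RuntimeException
 * instead of letting it propagate into the container. On Tomcat 7.x before
 * 7.0.40 an escaping RuntimeException is the trigger for CVE-2013-2071, so
 * this removes the application's own listeners as a trigger until the
 * updated packages are installed.
 */
public final class GuardedAsyncListener implements AsyncListener {
    private static final Logger LOG = Logger.getLogger(GuardedAsyncListener.class.getName());
    private final AsyncListener delegate;

    public GuardedAsyncListener(AsyncListener delegate) {
        if (delegate == null) throw new IllegalArgumentException("delegate is null");
        this.delegate = delegate;
    }

    /** Callback shape shared by the four AsyncListener methods. */
    private interface Callback { void invoke() throws IOException; }

    private void guarded(String method, Callback callback) throws IOException {
        try {
            callback.invoke();
        } catch (RuntimeException e) {
            // Keep the stack trace in the log so the listener bug stays visible,
            // but do not rethrow: the container must see the callback return normally.
            LOG.log(Level.SEVERE, "AsyncListener." + method + " threw; contained", e);
        }
    }

    @Override public void onComplete(AsyncEvent event) throws IOException {
        guarded("onComplete", () -> delegate.onComplete(event));
    }
    @Override public void onTimeout(AsyncEvent event) throws IOException {
        guarded("onTimeout", () -> delegate.onTimeout(event));
    }
    @Override public void onError(AsyncEvent event) throws IOException {
        guarded("onError", () -> delegate.onError(event));
    }
    @Override public void onStartAsync(AsyncEvent event) throws IOException {
        guarded("onStartAsync", () -> delegate.onStartAsync(event));
    }
}
```

Register it with asyncContext.addListener(new GuardedAsyncListener(listener)) in place of the bare listener. It only covers listeners the application itself registers, so the updated packages listed above remain the actual fix.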
Comment 3 claire robinson 2013-06-25 12:41:09 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17
Comment 4 Shlomi Fish 2013-06-27 20:33:06 CEST
(In reply to claire robinson from comment #3)
> Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Hi Claire - it works fine inside a Mageia 3 x86-64 VM.
Comment 5 Shlomi Fish 2013-06-27 20:37:44 CEST
And tomcat from updates_testing is also working fine in a Mageia 2 x86-64 VM.
Comment 6 Shlomi Fish 2013-06-27 21:17:48 CEST
Works fine in a Mageia 3 i586 VM.
Comment 7 Shlomi Fish 2013-06-27 21:49:20 CEST
Tested on a Mageia 2 i586 VM, and it works fine there too.
Comment 8 Shlomi Fish 2013-06-27 22:04:02 CEST
Update validated, thanks. Please push from core/updates_testing to core/updates in both MGA2 and MGA3. Thanks!

Advisory:
========================

Updated tomcat packages fix security vulnerability:

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x
before 7.0.40 does not properly handle the throwing of a RuntimeException
in an AsyncListener in an application, which allows context-dependent
attackers to obtain sensitive request information intended for other
applications in opportunistic circumstances via an application that records
the requests that it processes (CVE-2013-2071).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.41-3.mga2
tomcat-admin-webapps-7.0.41-3.mga2
tomcat-docs-webapp-7.0.41-3.mga2
tomcat-javadoc-7.0.41-3.mga2
tomcat-systemv-7.0.41-3.mga2
tomcat-jsvc-7.0.41-3.mga2
tomcat-jsp-2.2-api-7.0.41-3.mga2
tomcat-lib-7.0.41-3.mga2
tomcat-servlet-3.0-api-7.0.41-3.mga2
tomcat-el-2.2-api-7.0.41-3.mga2
tomcat-webapps-7.0.41-3.mga2
tomcat-7.0.41-4.mga3
tomcat-admin-webapps-7.0.41-4.mga3
tomcat-docs-webapp-7.0.41-4.mga3
tomcat-javadoc-7.0.41-4.mga3
tomcat-jsvc-7.0.41-4.mga3
tomcat-jsp-2.2-api-7.0.41-4.mga3
tomcat-lib-7.0.41-4.mga3
tomcat-servlet-3.0-api-7.0.41-4.mga3
tomcat-el-2.2-api-7.0.41-4.mga3
tomcat-webapps-7.0.41-4.mga3

from SRPMS:
tomcat-7.0.41-3.mga2.src.rpm
tomcat-7.0.41-4.mga3.src.rpm
Comment 9 claire robinson 2013-06-27 22:19:48 CEST
Thanks Shlomi

Advisory uploaded.
Comment 10 Nicolas Vigier 2013-07-01 21:20:31 CEST
http://advisories.mageia.org/MGASA-2013-0191.html