Upstream has issued version 6.0.37 on May 10 to fix two vulnerabilities:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.37
Whiteboard: (none) => MGA3TOO, MGA2TOO
Ubuntu has issued an advisory for this on May 28: http://www.ubuntu.com/usn/usn-1841-1/
URL: (none) => http://lwn.net/Vulnerabilities/552158/
RedHat has issued an advisory on May 28:
https://rhn.redhat.com/errata/RHSA-2013-0869.html

This adds two new CVEs:
CVE-2013-2051 - fix in previous update for CVE-2012-5887 was incomplete.
CVE-2013-1976 - issue in tomcat init script from RedHat (also affects tomcat5)

I'm not sure if we are using their init script.

from http://lwn.net/Vulnerabilities/552152/
I just pushed 6.0.37 to mga3 updates_testing, but got:

+ ant -Dbase.path=. -Dbuild.compiler=modern -Dcommons-collections.jar=/usr/share/java/apache-commons-collections.jar -Dcommons-daemon.jar=/usr/share/java/apache-commons-daemon.jar -Dcommons-daemon.native.src.tgz=HACK -Djasper-jdt.jar=/usr/share/java/ecj.jar -Djdt.jar=/usr/share/java/ecj.jar -Dtomcat-dbcp.jar=/usr/share/java/apache-commons-dbcp.jar -Dtomcat-native.tar.gz=HACK -Dversion=6.0.37 -Dversion.build=37
Buildfile: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/build.xml

build-prepare:
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/classes
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/bin
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/conf
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/lib
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/logs
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/temp
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/webapps

compile:
    [javac] /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/build.xml:148: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
    [javac] Compiling 1078 source files to /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/classes
    [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
    [javac] /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/java/org/apache/jasper/compiler/JDTCompiler.java:159: error: method ignoreOptionalProblems() is already defined in class CompilationUnit
    [javac]         public boolean ignoreOptionalProblems() {
    [javac]                        ^
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] Note: Some input files use unchecked or unsafe operations.
    [javac] Note: Recompile with -Xlint:unchecked for details.
    [javac] 1 error
    [javac] 1 warning

BUILD FAILED
/home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/build.xml:148: Compile failed; see the compiler error output for details.

Total time: 6 seconds
error: Bad exit status from /home/iurt/rpmbuild/tmp/rpm-tmp.0aBEpK (%build)
CC: (none) => oe
build fixed
D Morgan has uploaded tomcat6 6.0.37 for Mageia 3 and Cauldron for now.

I'm assuming it fixes CVE-2013-2051, even though upstream fails to mention it. I'm not sure whether or not we're affected by CVE-2013-1976.

Packages built for Mageia 3:
tomcat6-6.0.37-1.mga3
tomcat6-admin-webapps-6.0.37-1.mga3
tomcat6-docs-webapp-6.0.37-1.mga3
tomcat6-javadoc-6.0.37-1.mga3
tomcat6-systemv-6.0.37-1.mga3
tomcat6-jsp-2.1-api-6.0.37-1.mga3
tomcat6-lib-6.0.37-1.mga3
tomcat6-servlet-2.5-api-6.0.37-1.mga3
tomcat6-el-2.1-api-6.0.37-1.mga3
tomcat6-webapps-6.0.37-1.mga3

from tomcat6-6.0.37-1.mga3.src.rpm
Just submitted tomcat6-6.0.35-4.3.mga2:

- revert back to 6.0.35
- P9: security fix for CVE-2012-3544 (upstream)
- P10: security fix for CVE-2013-2067 (upstream)
(In reply to Oden Eriksson from comment #6)
> Just submitted tomcat6-6.0.35-4.3.mga2:
> 
> - revert back to 6.0.35
> - P9: security fix for CVE-2012-3544 (upstream)
> - P10: security fix for CVE-2013-2067 (upstream)

Is there a fix for CVE-2013-2051 in there?

Do you know if we're affected by CVE-2013-1976?

Packages built for Mageia 2:
tomcat6-6.0.35-4.3.mga2
tomcat6-admin-webapps-6.0.35-4.3.mga2
tomcat6-docs-webapp-6.0.35-4.3.mga2
tomcat6-javadoc-6.0.35-4.3.mga2
tomcat6-jsp-2.1-api-6.0.35-4.3.mga2
tomcat6-lib-6.0.35-4.3.mga2
tomcat6-servlet-2.5-api-6.0.35-4.3.mga2
tomcat6-el-2.1-api-6.0.35-4.3.mga2
tomcat6-webapps-6.0.35-4.3.mga2

from tomcat6-6.0.35-4.3.mga2.src.rpm
(In reply to David Walser from comment #7) > (In reply to Oden Eriksson from comment #6) > > Just submitted tomcat6-6.0.35-4.3.mga2: > > > > - revert back to 6.0.35 > > - P9: security fix for CVE-2012-3544 (upstream) > > - P10: security fix for CVE-2013-2067 (upstream) > > Is there a fix for CVE-2013-2051 in there? > > Do you know if we're affected by CVE-2013-1976? CVE-2013-2051 is fixed. CVE-2013-1976, probably. Looking at the rhel6 fixes but have a hard time understanding what it fixes really. Is "TOMCAT_LOG" defined somewhere else? I see in the mga2 tomcat6-6.0-tomcat6-sysd file mageia is probably affected. diff -Naurp tomcat6-6.0.24-52.el6_4/tomcat6-6.0.init tomcat6-6.0.24-55.el6_4/tomcat6-6.0.init --- tomcat6-6.0.24-52.el6_4/tomcat6-6.0.init 2013-03-01 21:50:26.000000000 +0000 +++ tomcat6-6.0.24-55.el6_4/tomcat6-6.0.init 2013-05-15 20:28:53.000000000 +0000 @@ -67,7 +67,7 @@ TOMCAT_PROG="${NAME}" TOMCAT_USER="${TOMCAT_USER:-tomcat}" # Define the tomcat log file -TOMCAT_LOG="${TOMCAT_LOG:-/var/log/tomcat6/${NAME}-initd.log}" +TOMCAT_LOG="${TOMCAT_LOG:-/var/log/${NAME}-initd.log}" # Define the pid file name # If change is needed, use sysconfig instead of here @@ -124,10 +124,6 @@ function start() { if [ "$RETVAL" -eq "0" -a "$?" -eq "0" ]; then chown ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID fi - [ "$RETVAL" -eq "0" ] && touch $TOMCAT_LOG 2>&1 || RETVAL="4" - if [ "$RETVAL" -eq "0" -a "$?" -eq "0" ]; then - chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG - fi parseOptions if [ "$RETVAL" -eq "0" -a "$SECURITY_MANAGER" = "true" ]; then $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start-security" \ diff -Naurp tomcat6-6.0.24-52.el6_4/tomcat6.spec tomcat6-6.0.24-55.el6_4/tomcat6.spec --- tomcat6-6.0.24-52.el6_4/tomcat6.spec 2013-03-01 21:50:38.000000000 +0000 +++ tomcat6-6.0.24-55.el6_4/tomcat6.spec 2013-05-15 20:29:07.000000000 +0000 
@@ -551,7 +551,7 @@ fi %attr(0755,root,root) %{_bindir}/%{name}-tool-wrapper %attr(0755,root,root) %{_sbindir}/d%{name} %attr(0755,root,root) %{_sbindir}/%{name} -%attr(0775,root,tomcat) %dir %{logdir} +%attr(0755,tomcat,root) %dir %{logdir} %attr(0644,tomcat,tomcat) %{logdir}/catalina.out %attr(0755,root,root) %{_initrddir}/%{name} %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
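Review bot: in the first tomcat6-6.0.init hunk, the new default /var/log/${NAME}-initd.log takes the init log out of the tomcat-writable log directory, which is the actual mitigation, but the `${TOMCAT_LOG:-...}` form still lets a sysconfig override point it back under /var/log/tomcat6 and silently reintroduce the problem; the sysconfig template or a comment next to this line should state that TOMCAT_LOG must live in a directory the tomcat user cannot write to.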
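Review bot: the second tomcat6-6.0.init hunk deletes the only place in start() that created $TOMCAT_LOG, and the file now lives in root-owned /var/log while the daemon is launched through `$SU - $TOMCAT_USER`; confirm that whatever later appends to $TOMCAT_LOG runs before the privilege drop, otherwise the unprivileged process cannot create the file and init logging stops without any error being reported.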
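Review bot: in the tomcat6.spec hunk, `%attr(0755,tomcat,root) %dir %{logdir}` makes tomcat the owner of the log directory, so it stays fully writable by the service user and any root-privileged code that creates or chowns files inside it remains exposed to planted symlinks; this line is only safe together with the init script hunk that stops touching files in %{logdir}, and since no entry for the relocated /var/log/${NAME}-initd.log appears in this hunk, its ownership and mode after install should be checked.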
(In reply to Oden Eriksson from comment #8) > Is "TOMCAT_LOG" defined somewhere else? Possibly in /etc/sysconfig/tomcat6.
(In reply to Oden Eriksson from comment #8)
> (In reply to David Walser from comment #7)
> > (In reply to Oden Eriksson from comment #6)
> > > Just submitted tomcat6-6.0.35-4.3.mga2:
> > > 
> > > - revert back to 6.0.35
> > > - P9: security fix for CVE-2012-3544 (upstream)
> > > - P10: security fix for CVE-2013-2067 (upstream)
> > 
> > Is there a fix for CVE-2013-2051 in there?
> 
> CVE-2013-2051 is fixed.

Given that CVE-2012-5887 was about checking for stale nonces, and you can see some of the relevant code for that in the CVE-2012-5885,5886,5887 patch, I don't see anything dealing with that in the CVE-2012-3544 or CVE-2013-2067 patches, so I'm willing to believe CVE-2013-2051 is fixed in the Mageia 3 update to 6.0.37, but doubt it's fixed in the Mageia 2 update currently.
The redhat patch was wrong and generated the CVE-2013-2051 flaw. This is the correct fix: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?r1=1158180&r2=1380829&pathrev=1380829&view=patch Here's what redhat did to fix CVE-2013-2051: --- tomcat6-6.0.24-52.el6_4/tomcat6-6.0.24-CVE-2012-3439-rhbz-882010.patch 2013-03-01 21:50:26.000000000 +0000 +++ tomcat6-6.0.24-55.el6_4/tomcat6-6.0.24-CVE-2012-3439-rhbz-882010.patch 2013-05-15 20:28:53.000000000 +0000 @@ -160,7 +160,7 @@ + if (digestInfo.validate(request, config)) { + principal = digestInfo.authenticate(context.getRealm()); + } -+ if (principal != null && digestInfo.isNonceStale()) { ++ if (principal != null && !digestInfo.isNonceStale()) { + register(request, response, principal, + HttpServletRequest.DIGEST_AUTH, + digestInfo.getUsername(), null); And their changelog entry was simply: - patch for 3439 corrected
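Review bot: the only change in the hunk is the `!` in `++ if (principal != null && !digestInfo.isNonceStale()) {`, which inverts the condition so that a principal is registered only when the nonce is not stale; the previous line registered the session exactly when the nonce was stale, the opposite of what the CVE-2012-5887 fix is for, and that inversion is the whole of CVE-2013-2051. The changelog line `- patch for 3439 corrected` hides this; it should name CVE-2013-2051 and the upstream revision (r1380829) so that downstreams comparing patches can tell the correction apart from the rejected CVE-2012-3439 id.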
In tomcat6-6.0.35-4.2.mga2.src.rpm you have tomcat6-CVE-2012-5885_5886_5887.diff

- P7: CVE-2012-3439 was rejected, correct ones are: CVE-2012-5885,5886,5887

$ head -3 tomcat6-CVE-2012-5885_5886_5887.diff
http://svn.apache.org/viewvc?view=revision&revision=1380829
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0015

And therefore mga is NOT affected by the new CVE-2013-2051 flaw.
(In reply to Oden Eriksson from comment #12)
> And therefore mga is NOT affected by the new CVE-2013-2051 flaw.

Thank you for clarifying that one!
(In reply to Oden Eriksson from comment #8)
> CVE-2013-1976, probably. Looking at the rhel6 fixes but have a hard time
> understanding what it fixes really.

The CVE entry itself should have all the info you need about this:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976
(In reply to David Walser from comment #14)
> (In reply to Oden Eriksson from comment #8)
> > CVE-2013-1976, probably. Looking at the rhel6 fixes but have a hard time
> > understanding what it fixes really.
> 
> The CVE entry itself should have all the info you need about this:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976

Note that it may affect tomcat5 (and even possibly tomcat) as well.
Severity: normal => critical
(In reply to David Walser from comment #15)
> (In reply to David Walser from comment #14)
> > (In reply to Oden Eriksson from comment #8)
> > > CVE-2013-1976, probably. Looking at the rhel6 fixes but have a hard time
> > > understanding what it fixes really.
> > 
> > The CVE entry itself should have all the info you need about this:
> > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976
> 
> Note that it may affect tomcat5 (and even possibly tomcat) as well.

OpenSuSE also had a comment about this one here:
https://bugzilla.novell.com/show_bug.cgi?id=822177#c7
Blocks: (none) => 11726
Removing Mageia 2 from the whiteboard due to EOL.
http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO
Current status of this: tomcat5 and tomcat6 have been removed from Cauldron. tomcat6 has an update candidate in updates_testing for Mageia 3. The only thing that still needs clarifying is the status of CVE-2013-1976, as it may still affect the tomcat6 package, as well as possibly tomcat (tomcat7) in Cauldron, and tomcat and tomcat5 in Mageia 3.
tomcat7 should be OK; we have the very last one in Cauldron.
I don't find any patches for this CVE. Do you see one?
Version: Cauldron => 3
(In reply to D Morgan from comment #20)
> I don't find any patches for this CVE. Do you see one?

Oden posted it in Comment 8. It's not a patch to the code, but a change to the SPEC file. If the tomcat7 SPEC file is synced with Fedora, I'll remove this bug from Cauldron, but we'll still need this looked at for the packages in Mageia 3.
Confirmed the Cauldron tomcat spec is in sync with Fedora.
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)
I've added similar changes that Fedora did in these two commits:
http://pkgs.fedoraproject.org/cgit/tomcat6.git/commit/?h=f18&id=6d5704edbc4d0c5cc40645bdadca0b5e034aabb2
http://pkgs.fedoraproject.org/cgit/tomcat6.git/commit/?h=f18&id=c6a80ff0b6632d7aff4a52242655847609cd20f7

in my commit here:
http://svnweb.mageia.org/packages?view=revision&revision=583952

I also added similar changes to the init script in tomcat (tomcat7) in SVN, but I'll let that lie until/unless we issue another update for that during Mageia 3's lifetime. Similarly, I've also synced the same changes from RHEL5's tomcat5 init script to ours in SVN.

Advisory:
========================

Updated tomcat6 packages fix security vulnerabilities:

It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service (CVE-2012-3544).

It was discovered that Tomcat incorrectly handled certain authentication requests. A remote attacker could possibly use this flaw to inject a request that would get executed with a victim's credentials (CVE-2013-2067).

A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root (CVE-2013-1976).

Note: With this update, tomcat6-initd.log has been moved from /var/log/tomcat6/ to the /var/log/ directory.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3544
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067
http://www.ubuntu.com/usn/usn-1841-1/
https://rhn.redhat.com/errata/RHSA-2013-0869.html
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.37
========================

Updated packages in core/updates_testing:
========================
tomcat6-6.0.37-1.1.mga3
tomcat6-admin-webapps-6.0.37-1.1.mga3
tomcat6-docs-webapp-6.0.37-1.1.mga3
tomcat6-javadoc-6.0.37-1.1.mga3
tomcat6-systemv-6.0.37-1.1.mga3
tomcat6-jsp-2.1-api-6.0.37-1.1.mga3
tomcat6-lib-6.0.37-1.1.mga3
tomcat6-servlet-2.5-api-6.0.37-1.1.mga3
tomcat6-el-2.1-api-6.0.37-1.1.mga3
tomcat6-webapps-6.0.37-1.1.mga3

from tomcat6-6.0.37-1.1.mga3.src.rpm
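The advisory above and the RHEL init-script diff in comment 8 describe the CVE-2013-1976 pattern: a root-run start() doing `touch`/`chown` on a file inside a directory the tomcat user can write to, so a planted symlink redirects the chown elsewhere. As an added illustration (this is not code from the Mageia package, the RHEL script or this thread; the function names are this example's own), here is a POSIX sh helper that performs the same "prepare the init log" step but refuses every condition that made the original step exploitable, instead of following symlinks:

```shell
#!/bin/sh
# Added example (not the tomcat6 init script): a defensive replacement for
# the removed "touch $TOMCAT_LOG; chown $TOMCAT_USER $TOMCAT_LOG" step.
# CVE-2013-1976 arises when root creates and chowns a file inside a directory
# controlled by the service user; this helper refuses such situations.
# Names (prepare_initd_log, owner_of) are assumptions of this example.

# Print the owner of a path; GNU stat first, BSD stat as fallback.
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null
}

# prepare_initd_log LOGFILE SERVICE_USER
# Returns 0 and creates LOGFILE (mode 0640) only when it is safe for root to
# do so; returns 1 with the reason on stderr otherwise.
prepare_initd_log() {
    logfile=$1
    service_user=$2
    dir=$(dirname "$logfile")

    # The containing directory must be a real directory, not a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a plain directory" >&2
        return 1
    fi
    # A directory owned by the service user is under its control: it can
    # place a symlink there before the init script runs.  This is the
    # /var/log/tomcat6 situation the update moves the file out of.
    if [ "$(owner_of "$dir")" = "$service_user" ]; then
        echo "refusing: $dir is owned by $service_user" >&2
        return 1
    fi
    # Same concern for a world-writable directory.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -o+w)" ]; then
        echo "refusing: $dir is world-writable" >&2
        return 1
    fi
    # Never operate through a symlink: following one is exactly how the old
    # touch/chown pair could be pointed at an arbitrary system file.
    if [ -L "$logfile" ]; then
        echo "refusing: $logfile is a symlink" >&2
        return 1
    fi
    if [ -e "$logfile" ] && [ ! -f "$logfile" ]; then
        echo "refusing: $logfile exists and is not a regular file" >&2
        return 1
    fi
    # Create (or keep) the file with a restrictive mode before handing it over.
    ( umask 027 && : >> "$logfile" ) || return 1
    chmod 0640 "$logfile" || return 1
    # Only root can change ownership, and only to a user that exists on this
    # host; in an unprivileged run the file simply stays owned by the caller.
    if [ "$(id -u)" -eq 0 ] && id "$service_user" >/dev/null 2>&1; then
        chown "$service_user" "$logfile" || return 1
    fi
    return 0
}
```

Run as root it can replace the deleted block of the init script; run unprivileged it still exercises every refusal path, which is how the test below uses it.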
CC: (none) => dmorganec
Assignee: dmorganec => qa-bugs
Testing i586 with procedure from https://bugs.mageia.org/show_bug.cgi?id=8307#c13
CC: (none) => stormi
Whiteboard: (none) => has_procedure
------- Summary -------

* Testing procedure given
* 2 bugs, 0 regression. Packager feedback welcome but not mandatory regarding those.
* I can't connect to http://localhost:8080, what am I missing?

------------------------------------------
Testing procedure, adapted from bug #8307
------------------------------------------

# urpmi.update "Updates Testing"
# urpmi tomcat6 tomcat6-webapps tomcat6-admin-webapps --search-media "Updates Testing"

Edit /etc/tomcat6/tomcat-users.xml and uncomment the users, adding manager-gui role to one of them.

# systemctl restart tomcat6.service
# systemctl status tomcat6.service

Browse http://localhost:8080/sample and http://localhost:8080/examples and click the links. Also browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with manager-gui role.

------- Results -------

[root@localhost ~]# LC_ALL=C urpmi tomcat6 tomcat6-admin-webapps tomcat6-webapps --search-media "Updates Testing"
In order to satisfy the 'jakarta-commons-logging' dependency, one of the following packages is needed:
 1- jakarta-commons-logging-1.1-5.mga3.noarch: Jakarta Commons Logging Package (to install)
 2- apache-commons-logging-1.1.1-21.mga3.noarch: Apache Commons Logging (to install)
What is your choice? (1-2)
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  apache-commons-collections     3.2.1        14.mga3       noarch
  apache-commons-daemon          1.0.10       4.mga3        i586
  apache-commons-dbcp            1.4          10.mga3       noarch
  apache-commons-pool            1.6          2.mga3        noarch
  ecj                            4.2.1        5.mga3        i586
  jakarta-commons-logging        1.1          5.mga3        noarch
  jakarta-taglibs-standard       1.1.2        9.mga3        noarch
  javapackages-tools             0.12.0       2.mga3        noarch
  jline                          0.9.94       5.mga3        noarch
  jpackage-utils                 1.7.5        20.mga3       i586
  rhino                          1.7R3        8.mga3        noarch
  xalan-j2                       2.7.1        5.mga3        noarch
  xerces-j2                      2.11.0       8.mga3        noarch
  xml-commons-apis               1.4.01       8.mga3        noarch
  xml-commons-resolver           1.2          11.mga3       noarch
  xsltproc                       1.1.28       2.mga3        i586
(medium "Core Updates")
  java-1.7.0-openjdk             1.7.0.60     2.4.4.1.mga3  i586
  java-1.7.0-openjdk-headless    1.7.0.60     2.4.4.1.mga3  i586
  lcms2                          2.5          1.mga3        i586
  rootcerts-java                 20131204.00  1.mga3        i586
  timezone-java                  2013g        2.mga3        i586
  tomcat-jsp-2.2-api             7.0.41       4.mga3        noarch
  tomcat-servlet-3.0-api         7.0.41       4.mga3        noarch
(medium "Core Updates Testing")
  tomcat6                        6.0.37       1.1.mga3      noarch
  tomcat6-admin-webapps          6.0.37       1.1.mga3      noarch
  tomcat6-el-2.1-api             6.0.37       1.1.mga3      noarch
  tomcat6-jsp-2.1-api            6.0.37       1.1.mga3      noarch
  tomcat6-lib                    6.0.37       1.1.mga3      noarch
  tomcat6-servlet-2.5-api        6.0.37       1.1.mga3      noarch
  tomcat6-webapps                6.0.37       1.1.mga3      noarch
108MB of additional disk space will be used.
34MB of packages will be retrieved.

=> bug 1: it pulls tomcat 7 packages! (Not a regression)

[root@localhost ~]# vim /etc/tomcat6/tomcat-users.xml
#note: removed the comments to make it shorter
[root@localhost ~]# cat /etc/tomcat6/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
<!-- The host manager webapp is restricted to users with role "admin" -->
<user name="tomcat" password="password" roles="admin" />
<!-- The manager webapp is restricted to users with role "manager" -->
<user name="tomcat" password="password" roles="manager" />
</tomcat-users>
[root@localhost ~]# systemctl restart tomcat6.service
[root@localhost ~]# systemctl status tomcat6.service
tomcat6.service - Apache Tomcat6 Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat6.service; enabled)
   Active: inactive (dead) since Mon, 2014-02-10 13:49:20 CET; 6s ago
  Process: 14422 ExecStop=/usr/sbin/tomcat6-sysd stop (code=exited, status=0/SUCCESS)
  Process: 14377 ExecStart=/usr/sbin/tomcat6-sysd start (code=exited, status=0/SUCCESS)
   CGroup: name=systemd:/system/tomcat6.service

Feb 10 13:48:47 localhost systemd[1]: Starting Apache Tomcat6 Web Application Container...
Feb 10 13:48:47 localhost su[14386]: (to tomcat) root on none
Feb 10 13:48:47 localhost su[14432]: (to tomcat) root on none
Feb 10 13:49:20 localhost tomcat6-sysd[14422]: /usr/sbin/tomcat6-sysd: ligne102: log_success_msg : commande introuvable
Feb 10 13:49:20 localhost systemd[1]: Started Apache Tomcat6 Web Application Container.

=> bug 2: it doesn't find the log_success_msg function. (Not a regression)

Then browsing to http://localhost:8080 or http://localhost:8080/samples gives a page not found.
Whiteboard: has_procedure => has_procedure feedback
Taking the bug while sorting it out
CC: (none) => tmb
Assignee: qa-bugs => tmb
Ok, so tomcat6 failing to work (or actually it starts but dies some ~30 sec later) comes from a crappy systemd implementation, and running the server with the legacy sysv script makes it work properly.
tomcat6 fixed, and tested on mga3 x86_64 (so technically a: MGA3-64-OK, but I'll let someone else ack too), testing as in comment 25.

I also updated to latest 6.0.39 to squash:
Low severity: Frame injection in documentation Javadoc CVE-2013-1571

SRPM:
*****
tomcat6-6.0.39-1.1.mga3.src.rpm

i586:
*****
tomcat6-6.0.39-1.1.mga3.noarch.rpm
tomcat6-admin-webapps-6.0.39-1.1.mga3.noarch.rpm
tomcat6-docs-webapp-6.0.39-1.1.mga3.noarch.rpm
tomcat6-el-2.1-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-javadoc-6.0.39-1.1.mga3.noarch.rpm
tomcat6-jsp-2.1-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-lib-6.0.39-1.1.mga3.noarch.rpm
tomcat6-servlet-2.5-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-systemv-6.0.39-1.1.mga3.noarch.rpm
tomcat6-webapps-6.0.39-1.1.mga3.noarch.rpm

x86_64:
*******
tomcat6-6.0.39-1.1.mga3.noarch.rpm
tomcat6-admin-webapps-6.0.39-1.1.mga3.noarch.rpm
tomcat6-docs-webapp-6.0.39-1.1.mga3.noarch.rpm
tomcat6-el-2.1-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-javadoc-6.0.39-1.1.mga3.noarch.rpm
tomcat6-jsp-2.1-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-lib-6.0.39-1.1.mga3.noarch.rpm
tomcat6-servlet-2.5-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-systemv-6.0.39-1.1.mga3.noarch.rpm
tomcat6-webapps-6.0.39-1.1.mga3.noarch.rpm

Updated advisory:
****************

Updated tomcat6 packages fix security vulnerabilities:

It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service (CVE-2012-3544).

A frame injection in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc (CVE-2013-1571).

A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root (CVE-2013-1976).

It was discovered that Tomcat incorrectly handled certain authentication requests. A remote attacker could possibly use this flaw to inject a request that would get executed with a victim's credentials (CVE-2013-2067).

Note: With this update, tomcat6-initd.log has been moved from /var/log/tomcat6/ to the /var/log/ directory.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3544
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067
http://www.ubuntu.com/usn/usn-1841-1/
https://rhn.redhat.com/errata/RHSA-2013-0869.html
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.39
CVE: (none) => CVE-2012-3544, CVE-2013-1571, CVE-2013-1976, CVE-2013-2067
Assignee: tmb => qa-bugs
Summary: tomcat6 new security issues CVE-2012-3544 and CVE-2013-2067 => tomcat6 new security issues CVE-2012-3544, CVE-2013-1571, CVE-2013-1976 and CVE-2013-2067
Whiteboard: has_procedure feedback => has_procedure
Testing complete mga3 64, thanks Thomas.

Configured user/pass tomcat/tomcat to use manager-gui at the bottom of /etc/tomcat6/tomcat-user.xml as below, removing the comment arrows from the role section and adding a line:

<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat, manager-gui"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
<!-- The host manager webapp is restricted to users with role "admin" -->
<!--<user name="tomcat" password="password" roles="admin" />-->
<!-- The manager webapp is restricted to users with role "manager" -->
<!--<user name="tomcat" password="password" roles="manager" />-->
</tomcat-users>

Started tomcat6 service (which took a short while) and browsed to http://localhost:8080 to ensure it was working before installing the update.

Installed the updated packages, restarted the service (systemctl restart tomcat6.service) and logged in at http://localhost:8080 with user/pass tomcat/tomcat. Also checked http://localhost:8080/sample and 'executed' each of the jsp examples at http://localhost:8080/examples looking for obvious errors.

Checked the service could be started and stopped without issue.
Whiteboard: has_procedure => has_procedure mga3-64-ok
Tip: urpmi -ya tomcat6- to install all the packages.
Testing complete mga3 32. I'll validate in a few mins.
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
Advisory uploaded. Validating. Could sysadmin please push to 3 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0082.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
On February 25, a few more CVEs for tomcat6 were announced, which were fixed in 6.0.39, so when Thomas updated it to 6.0.39 at the last minute for this update, we unknowingly solved several more security issues :o)

They are CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033:
http://tomcat.apache.org/security-6.html

Ubuntu listed three of those in an advisory today (March 6):
http://www.ubuntu.com/usn/usn-2130-1/

from http://lwn.net/Vulnerabilities/589752/

CVE-2014-0033 does not affect tomcat 7, but the others do (fixed in 7.0.47 and 7.0.50), so we'll need another tomcat 7 update for those.