Bug 10201 - tomcat6 new security issues CVE-2012-3544, CVE-2013-1571, CVE-2013-1976 and CVE-2013-2067
Summary: tomcat6 new security issues CVE-2012-3544, CVE-2013-1571, CVE-2013-1976 and C...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/552158/
Whiteboard: has_procedure advisory mga3-64-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-05-21 19:13 CEST by David Walser
Modified: 2014-03-06 20:39 CET (History)
5 users

See Also:
Source RPM: tomcat6-6.0.36-5.mga3.src.rpm
CVE: CVE-2012-3544, CVE-2013-1571, CVE-2013-1976, CVE-2013-2067
Status comment:



Description David Walser 2013-05-21 19:13:07 CEST
Upstream has issued version 6.0.37 on May 10 to fix two vulnerabilities:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.37

David Walser 2013-05-21 19:13:14 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-05-29 22:38:41 CEST
Ubuntu has issued an advisory for this on May 28:
http://www.ubuntu.com/usn/usn-1841-1/

URL: (none) => http://lwn.net/Vulnerabilities/552158/

Comment 2 David Walser 2013-05-29 22:46:57 CEST
RedHat has issued an advisory on May 28:
https://rhn.redhat.com/errata/RHSA-2013-0869.html

This adds two new CVEs:
CVE-2013-2051 - fix in previous update for CVE-2012-5887 was incomplete.
CVE-2013-1976 - issue in tomcat init script from RedHat (also affects tomcat5)

I'm not sure if we are using their init script.

from http://lwn.net/Vulnerabilities/552152/
Comment 3 Oden Eriksson 2013-06-10 14:56:37 CEST
I just pushed 6.0.37 to mga3 updates_testing, but got:

+ ant -Dbase.path=. -Dbuild.compiler=modern -Dcommons-collections.jar=/usr/share/java/apache-commons-collections.jar -Dcommons-daemon.jar=/usr/share/java/apache-commons-daemon.jar -Dcommons-daemon.native.src.tgz=HACK -Djasper-jdt.jar=/usr/share/java/ecj.jar -Djdt.jar=/usr/share/java/ecj.jar -Dtomcat-dbcp.jar=/usr/share/java/apache-commons-dbcp.jar -Dtomcat-native.tar.gz=HACK -Dversion=6.0.37 -Dversion.build=37
Buildfile: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/build.xml

build-prepare:
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/classes
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/bin
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/conf
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/lib
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/logs
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/temp
    [mkdir] Created dir: /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/build/webapps

compile:
    [javac] /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/build.xml:148: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
    [javac] Compiling 1078 source files to /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/output/classes
    [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
    [javac] /home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/java/org/apache/jasper/compiler/JDTCompiler.java:159: error: method ignoreOptionalProblems() is already defined in class CompilationUnit
    [javac]             public boolean ignoreOptionalProblems() {
    [javac]                            ^
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] Note: Some input files use unchecked or unsafe operations.
    [javac] Note: Recompile with -Xlint:unchecked for details.
    [javac] 1 error
    [javac] 1 warning

BUILD FAILED
/home/iurt/rpmbuild/BUILD/apache-tomcat-6.0.37-src/build.xml:148: Compile failed; see the compiler error output for details.

Total time: 6 seconds
error: Bad exit status from /home/iurt/rpmbuild/tmp/rpm-tmp.0aBEpK (%build)

CC: (none) => oe

Comment 4 D Morgan 2013-06-25 00:19:48 CEST
build fixed
Comment 5 David Walser 2013-06-25 00:49:42 CEST
D Morgan has uploaded tomcat6 6.0.37 for Mageia 3 and Cauldron for now.

I'm assuming it fixes CVE-2013-2051, even though upstream fails to mention it.

I'm not sure whether or not we're affected by CVE-2013-1976.

Packages built for Mageia 3:
tomcat6-6.0.37-1.mga3
tomcat6-admin-webapps-6.0.37-1.mga3
tomcat6-docs-webapp-6.0.37-1.mga3
tomcat6-javadoc-6.0.37-1.mga3
tomcat6-systemv-6.0.37-1.mga3
tomcat6-jsp-2.1-api-6.0.37-1.mga3
tomcat6-lib-6.0.37-1.mga3
tomcat6-servlet-2.5-api-6.0.37-1.mga3
tomcat6-el-2.1-api-6.0.37-1.mga3
tomcat6-webapps-6.0.37-1.mga3

from tomcat6-6.0.37-1.mga3.src.rpm
Comment 6 Oden Eriksson 2013-06-25 09:27:38 CEST
Just submitted tomcat6-6.0.35-4.3.mga2:

- revert back to 6.0.35
- P9: security fix for CVE-2012-3544 (upstream)
- P10: security fix for CVE-2013-2067 (upstream)
Comment 7 David Walser 2013-06-25 12:04:34 CEST
(In reply to Oden Eriksson from comment #6)
> Just submitted tomcat6-6.0.35-4.3.mga2:
> 
> - revert back to 6.0.35
> - P9: security fix for CVE-2012-3544 (upstream)
> - P10: security fix for CVE-2013-2067 (upstream)

Is there a fix for CVE-2013-2051 in there?

Do you know if we're affected by CVE-2013-1976?

Packages built for Mageia 2:
tomcat6-6.0.35-4.3.mga2
tomcat6-admin-webapps-6.0.35-4.3.mga2
tomcat6-docs-webapp-6.0.35-4.3.mga2
tomcat6-javadoc-6.0.35-4.3.mga2
tomcat6-jsp-2.1-api-6.0.35-4.3.mga2
tomcat6-lib-6.0.35-4.3.mga2
tomcat6-servlet-2.5-api-6.0.35-4.3.mga2
tomcat6-el-2.1-api-6.0.35-4.3.mga2
tomcat6-webapps-6.0.35-4.3.mga2

from tomcat6-6.0.35-4.3.mga2.src.rpm
Comment 8 Oden Eriksson 2013-06-25 12:49:54 CEST
(In reply to David Walser from comment #7)
> (In reply to Oden Eriksson from comment #6)
> > Just submitted tomcat6-6.0.35-4.3.mga2:
> > 
> > - revert back to 6.0.35
> > - P9: security fix for CVE-2012-3544 (upstream)
> > - P10: security fix for CVE-2013-2067 (upstream)
> 
> Is there a fix for CVE-2013-2051 in there?
> 
> Do you know if we're affected by CVE-2013-1976?

CVE-2013-2051 is fixed.

CVE-2013-1976, probably. Looking at the RHEL6 fixes, but I have a hard time understanding what it really fixes. Is "TOMCAT_LOG" defined somewhere else? From the mga2 tomcat6-6.0-tomcat6-sysd file, I see Mageia is probably affected.

diff -Naurp tomcat6-6.0.24-52.el6_4/tomcat6-6.0.init tomcat6-6.0.24-55.el6_4/tomcat6-6.0.init
--- tomcat6-6.0.24-52.el6_4/tomcat6-6.0.init    2013-03-01 21:50:26.000000000 +0000
+++ tomcat6-6.0.24-55.el6_4/tomcat6-6.0.init    2013-05-15 20:28:53.000000000 +0000
@@ -67,7 +67,7 @@ TOMCAT_PROG="${NAME}"
 TOMCAT_USER="${TOMCAT_USER:-tomcat}"
 
 # Define the tomcat log file
-TOMCAT_LOG="${TOMCAT_LOG:-/var/log/tomcat6/${NAME}-initd.log}"
+TOMCAT_LOG="${TOMCAT_LOG:-/var/log/${NAME}-initd.log}"
 
 # Define the pid file name
 # If change is needed, use sysconfig instead of here
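Review bot: moving the default TOMCAT_LOG out of /var/log/tomcat6 only changes the default; the `${TOMCAT_LOG:-...}` expansion still honours a value set in the environment or sysconfig (comment 9 points at /etc/sysconfig/tomcat6), so an override that points back into the tomcat-writable log directory would reintroduce the symlink issue. Worth confirming that the shipped sysconfig file carries no such override, and noting the path change in the changelog for admins who look for the initd log in the old place.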
@@ -124,10 +124,6 @@ function start() {
     if [ "$RETVAL" -eq "0" -a "$?" -eq "0" ]; then 
       chown ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID
     fi
-    [ "$RETVAL" -eq "0" ] && touch $TOMCAT_LOG 2>&1 || RETVAL="4" 
-    if [ "$RETVAL" -eq "0" -a "$?" -eq "0" ]; then
-      chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG
-    fi
     parseOptions
     if [ "$RETVAL" -eq "0" -a "$SECURITY_MANAGER" = "true" ]; then
         $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start-security" \
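Review bot: dropping the root-run `touch $TOMCAT_LOG` and `chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG` is the actual mitigation, but the hunk shows no replacement, so check where the file now gets created: with the new default under root-owned /var/log, the tomcat user cannot create it itself. The untouched `chown ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID` a few lines above follows the same touch-then-chown-as-root pattern; confirm the pid file's directory is not writable by the tomcat user, otherwise the same concern applies there.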
diff -Naurp tomcat6-6.0.24-52.el6_4/tomcat6.spec tomcat6-6.0.24-55.el6_4/tomcat6.spec
--- tomcat6-6.0.24-52.el6_4/tomcat6.spec        2013-03-01 21:50:38.000000000 +0000
+++ tomcat6-6.0.24-55.el6_4/tomcat6.spec        2013-05-15 20:29:07.000000000 +0000
@@ -551,7 +551,7 @@ fi
 %attr(0755,root,root) %{_bindir}/%{name}-tool-wrapper
 %attr(0755,root,root) %{_sbindir}/d%{name}
 %attr(0755,root,root) %{_sbindir}/%{name}
-%attr(0775,root,tomcat) %dir %{logdir}
+%attr(0755,tomcat,root) %dir %{logdir}
 %attr(0644,tomcat,tomcat) %{logdir}/catalina.out
 %attr(0755,root,root) %{_initrddir}/%{name}
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
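Review bot: the new `%attr(0755,tomcat,root) %dir %{logdir}` makes the tomcat user the owner of the log directory, so it can still create, rename or replace entries there, including a symlink to an arbitrary target; that is only acceptable because the init script no longer creates or chowns anything in that directory as root. Any future root-privileged write into %{logdir} would reopen the issue, so the constraint deserves a comment in the spec next to this line. Also check that the `logrotate.d/%{name}` config listed below still references the right path once the initd log lives directly under /var/log.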
Comment 9 David Walser 2013-06-25 12:55:09 CEST
(In reply to Oden Eriksson from comment #8)
> Is "TOMCAT_LOG" defined somewhere else?

Possibly in /etc/sysconfig/tomcat6.
Comment 10 David Walser 2013-06-28 00:16:52 CEST
(In reply to Oden Eriksson from comment #8)
> (In reply to David Walser from comment #7)
> > (In reply to Oden Eriksson from comment #6)
> > > Just submitted tomcat6-6.0.35-4.3.mga2:
> > > 
> > > - revert back to 6.0.35
> > > - P9: security fix for CVE-2012-3544 (upstream)
> > > - P10: security fix for CVE-2013-2067 (upstream)
> > 
> > Is there a fix for CVE-2013-2051 in there?
> 
> CVE-2013-2051 is fixed.

Given that CVE-2012-5887 was about checking for stale nonces, and you can see some of the relevant code for that in the CVE-2012-5885,5886,5887 patch, I don't see anything dealing with that in the CVE-2012-3544 or CVE-2013-2067 patches, so I'm willing to believe CVE-2013-2051 is fixed in the Mageia 3 update to 6.0.37, but doubt it's fixed in the Mageia 2 update currently.
Comment 11 Oden Eriksson 2013-06-28 10:30:26 CEST
The redhat patch was wrong and generated the CVE-2013-2051 flaw.

This is the correct fix:

http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?r1=1158180&r2=1380829&pathrev=1380829&view=patch

Here's what redhat did to fix CVE-2013-2051:

--- tomcat6-6.0.24-52.el6_4/tomcat6-6.0.24-CVE-2012-3439-rhbz-882010.patch      2013-03-01 21:50:26.000000000 +0000
+++ tomcat6-6.0.24-55.el6_4/tomcat6-6.0.24-CVE-2012-3439-rhbz-882010.patch      2013-05-15 20:28:53.000000000 +0000
@@ -160,7 +160,7 @@
 +                                if (digestInfo.validate(request, config)) {
 +                                      principal = digestInfo.authenticate(context.getRealm());
 +                                }
-+                                if (principal != null && digestInfo.isNonceStale()) {
++                                if (principal != null && !digestInfo.isNonceStale()) {
 +                                   register(request, response, principal,
 +                                           HttpServletRequest.DIGEST_AUTH,
 +                                           digestInfo.getUsername(), null);
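Review bot: the one-character change from `digestInfo.isNonceStale()` to `!digestInfo.isNonceStale()` is the whole fix: the earlier line registered the principal only when the nonce was stale, i.e. the stale-nonce check was inverted (the CVE-2013-2051 flaw), and the corrected condition registers only fresh nonces. The hunk does not show what happens when validate() succeeds but the nonce is stale (the client should be re-challenged with stale=true rather than silently treated as unauthenticated), so confirm the surrounding else branch handles that, and compare against the upstream r1380829 change linked above rather than trusting the distro patch alone.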


And their changelog entry was simply:

- patch for 3439 corrected
Comment 12 Oden Eriksson 2013-06-28 10:39:55 CEST
In tomcat6-6.0.35-4.2.mga2.src.rpm you have tomcat6-CVE-2012-5885_5886_5887.diff 

- P7: CVE-2012-3439 was rejected, correct ones are: CVE-2012-5885,5886,5887

$ head -3 tomcat6-CVE-2012-5885_5886_5887.diff

http://svn.apache.org/viewvc?view=revision&revision=1380829

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0015

And therefore mga is NOT affected by the new CVE-2013-2051 flaw.
Comment 13 David Walser 2013-06-28 14:05:56 CEST
(In reply to Oden Eriksson from comment #12)
> And therefore mga is NOT affected by the new CVE-2013-2051 flaw.

Thank you for clarifying that one!
Comment 14 David Walser 2013-07-19 16:26:23 CEST
(In reply to Oden Eriksson from comment #8)
> CVE-2013-1976, probably. Looking at the rhel6 fixes but have a hard time
> understanding what it fixes really.

The CVE entry itself should have all the info you need about this:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976
Comment 15 David Walser 2013-07-19 16:26:59 CEST
(In reply to David Walser from comment #14)
> (In reply to Oden Eriksson from comment #8)
> > CVE-2013-1976, probably. Looking at the rhel6 fixes but have a hard time
> > understanding what it fixes really.
> 
> The CVE entry itself should have all the info you need about this:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976

Note that it may affect tomcat5 (and even possibly tomcat) as well.
David Walser 2013-07-19 16:27:16 CEST

Severity: normal => critical

Comment 16 David Walser 2013-08-07 20:30:59 CEST
(In reply to David Walser from comment #15)
> (In reply to David Walser from comment #14)
> > (In reply to Oden Eriksson from comment #8)
> > > CVE-2013-1976, probably. Looking at the rhel6 fixes but have a hard time
> > > understanding what it fixes really.
> > 
> > The CVE entry itself should have all the info you need about this:
> > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976
> 
> Note that it may affect tomcat5 (and even possibly tomcat) as well.

OpenSuSE also had a comment about this one here:
https://bugzilla.novell.com/show_bug.cgi?id=822177#c7
David Walser 2013-11-21 23:05:17 CET

Blocks: (none) => 11726

Comment 17 David Walser 2013-11-22 16:08:46 CET
Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO

Comment 18 David Walser 2014-01-03 14:33:27 CET
Current status of this:
tomcat5 and tomcat6 have been removed from Cauldron.

tomcat6 has an update candidate in updates_testing for Mageia 3.

The only thing that still needs to be clarified is the status of CVE-2013-1976, as it may still affect the tomcat6 package, as well as possibly tomcat (tomcat7) in Cauldron, and tomcat and tomcat5 in Mageia 3.
Comment 19 D Morgan 2014-01-07 13:35:45 CET
tomcat7 should be OK, we have the very last one in Cauldron.
Comment 20 D Morgan 2014-01-07 13:36:08 CET
I don't find any patches for this CVE. Do you see one?
D Morgan 2014-01-07 14:20:35 CET

Version: Cauldron => 3

Comment 21 David Walser 2014-01-07 16:17:03 CET
(In reply to D Morgan from comment #20)
> i don't find any patches for this CVE. Do you see one ?

Oden posted it in Comment 8.  It's not a patch to the code, but a change to the SPEC file.

If the tomcat7 SPEC file is synced with Fedora, I'll remove this bug from Cauldron, but we'll still need this looked at for the packages in Mageia 3.
Comment 22 David Walser 2014-01-17 17:29:35 CET
Confirmed the Cauldron tomcat spec is in sync with Fedora.

Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)

Comment 23 David Walser 2014-02-06 00:37:33 CET
I've added similar changes that Fedora did in these two commits:
http://pkgs.fedoraproject.org/cgit/tomcat6.git/commit/?h=f18&id=6d5704edbc4d0c5cc40645bdadca0b5e034aabb2
http://pkgs.fedoraproject.org/cgit/tomcat6.git/commit/?h=f18&id=c6a80ff0b6632d7aff4a52242655847609cd20f7

in my commit here:
http://svnweb.mageia.org/packages?view=revision&revision=583952

I also added similar changes to the init script in tomcat (tomcat7) in SVN, but I'll let that lie until/unless we issue another update for that during Mageia 3's lifetime.  Similarly, I've also synced the same changes from RHEL5's tomcat5 init script to ours in SVN.

Advisory:
========================

Updated tomcat6 packages fix security vulnerabilities:

It was discovered that Tomcat incorrectly handled certain requests
submitted using chunked transfer encoding. A remote attacker could use this
flaw to cause the Tomcat server to stop responding, resulting in a denial
of service (CVE-2012-3544).

It was discovered that Tomcat incorrectly handled certain authentication
requests. A remote attacker could possibly use this flaw to inject a
request that would get executed with a victim's credentials (CVE-2013-2067).

A flaw was found in the way the tomcat6 init script handled the
tomcat6-initd.log log file. A malicious web application deployed on Tomcat
could use this flaw to perform a symbolic link attack to change the
ownership of an arbitrary system file to that of the tomcat user, allowing
them to escalate their privileges to root (CVE-2013-1976).

Note: With this update, tomcat6-initd.log has been moved from
/var/log/tomcat6/ to the /var/log/ directory.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3544
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067
http://www.ubuntu.com/usn/usn-1841-1/
https://rhn.redhat.com/errata/RHSA-2013-0869.html
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.37
========================

Updated packages in core/updates_testing:
========================
tomcat6-6.0.37-1.1.mga3
tomcat6-admin-webapps-6.0.37-1.1.mga3
tomcat6-docs-webapp-6.0.37-1.1.mga3
tomcat6-javadoc-6.0.37-1.1.mga3
tomcat6-systemv-6.0.37-1.1.mga3
tomcat6-jsp-2.1-api-6.0.37-1.1.mga3
tomcat6-lib-6.0.37-1.1.mga3
tomcat6-servlet-2.5-api-6.0.37-1.1.mga3
tomcat6-el-2.1-api-6.0.37-1.1.mga3
tomcat6-webapps-6.0.37-1.1.mga3

from tomcat6-6.0.37-1.1.mga3.src.rpm

CC: (none) => dmorganec
Assignee: dmorganec => qa-bugs
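The CVE-2013-1976 text in the advisory above describes the precondition for the symlink attack: a root-run init script creating or chowning a file inside a directory the service user can write to. The following is an added example, not code from the Mageia, RHEL or Tomcat packages: a small POSIX sh audit that decides, from a directory's owner, group and mode, whether a root-privileged touch/chown of a file inside it is safe for a given service user, and applies it to the three layouts seen in this bug (0775 root:tomcat, 0755 tomcat:root, and /var/log at 0755 root:root). The audit_log_path helper that inspects a live path assumes GNU stat and id(1); the user and group names in the demonstration are constructed.

```shell
#!/bin/sh
# Added example: audit for the CVE-2013-1976 pattern (root-run touch/chown
# inside a service-user-writable directory). Not part of the tomcat6 packages.

# writable_digit D -> 0 if the octal permission digit D includes the write bit.
writable_digit() {
  case $1 in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# in_list NAME LIST -> 0 if NAME is an element of the comma-separated LIST.
in_list() {
  case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# dir_writable_by OWNER GROUP MODE USER USER_GROUPS
#   MODE is an octal mode such as 0755 or 2775; USER_GROUPS is the
#   comma-separated list of groups USER belongs to (primary included).
#   Returns 0 when USER can create or rename entries in such a directory,
#   which is all that is needed to plant a symlink there. Standard Unix
#   rules: owner bits apply to the owner, else group bits, else other bits.
dir_writable_by() {
  owner=$1; group=$2; m=$3; user=$4; ugroups=$5
  # keep only the last three digits (drops setuid/setgid/sticky and a leading 0)
  while [ ${#m} -gt 3 ]; do m=${m#?}; done
  while [ ${#m} -lt 3 ]; do m="0$m"; done
  od=${m%??}; rest=${m#?}; gd=${rest%?}; wd=${m#??}
  if [ "$owner" = "$user" ]; then
    writable_digit "$od" && return 0
  elif in_list "$group" "$ugroups"; then
    writable_digit "$gd" && return 0
  else
    writable_digit "$wd" && return 0
  fi
  return 1
}

# root_touch_is_safe OWNER GROUP MODE SVC_USER SVC_GROUPS
#   0 when a root-run "touch FILE && chown SVC_USER FILE" inside the
#   directory cannot be redirected by SVC_USER through a symlink.
root_touch_is_safe() {
  if dir_writable_by "$@"; then return 1; fi
  return 0
}

# audit_log_path FILE SVC_USER
#   Live check of an installed layout: inspects FILE's parent directory with
#   GNU stat and the service user's groups with id(1). Prints a verdict and
#   returns 0 (safe) or 1 (unsafe). Assumes GNU coreutils.
audit_log_path() {
  f=$1; svc=$2
  d=$(dirname "$f")
  if [ -L "$f" ]; then
    echo "UNSAFE: $f is already a symbolic link"; return 1
  fi
  info=$(stat -c '%U %G %a' "$d") || return 1
  g=$(id -Gn "$svc" 2>/dev/null | tr ' ' ',') || return 1
  set -- $info
  if root_touch_is_safe "$1" "$2" "$3" "$svc" "$g"; then
    echo "ok: $d ($1:$2 $3) is not writable by $svc"; return 0
  fi
  echo "UNSAFE: $d ($1:$2 $3) is writable by $svc; never touch/chown here as root"
  return 1
}

# Demonstration with the layouts from this bug (constructed names; the
# service user "tomcat" has only the group "tomcat").
for layout in "root tomcat 0775" "tomcat root 0755" "root root 0755"; do
  set -- $layout
  if root_touch_is_safe "$1" "$2" "$3" tomcat tomcat; then
    printf '%s:%s %s -> safe for a root-run touch/chown\n' "$1" "$2" "$3"
  else
    printf '%s:%s %s -> UNSAFE, service user can plant a symlink\n' "$1" "$2" "$3"
  fi
done
```

Both the pre-fix layout (0775 root:tomcat) and the post-fix spec layout (0755 tomcat:root) are writable by the service user, which is why the fix also had to move the root-created log out of that directory rather than just change its mode.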

Comment 24 Samuel Verschelde 2014-02-10 13:28:17 CET
Testing i586 with procedure from https://bugs.mageia.org/show_bug.cgi?id=8307#c13

CC: (none) => stormi
Whiteboard: (none) => has_procedure

Comment 25 Samuel Verschelde 2014-02-10 14:03:04 CET
-------
Summary
-------
* Testing procedure given
* 2 bugs, 0 regression. Packager feedback welcome but not mandatory regarding those.
* I can't connect to http://localhost:8080 what am I missing?

------------------------------------------
Testing procedure, adapted from bug# #8307
------------------------------------------
# urpmi.update "Updates Testing"
# urpmi tomcat6 tomcat6-webapps tomcat6-admin-webapps --search-media "Updates Testing"

Edit /etc/tomcat6/tomcat-users.xml and uncomment the users, adding manager-gui role to one of them.

# systemctl restart tomcat6.service
# systemctl status tomcat6.service

Browse http://localhost:8080/sample and http://localhost:8080/examples and click the links.

Also browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with manager-gui role.


-------
Results
-------
[root@localhost ~]# LC_ALL=C urpmi tomcat6 tomcat6-admin-webapps tomcat6-webapps --search-media "Updates Testing"
In order to satisfy the 'jakarta-commons-logging' dependency, one of the following packages is needed:
 1- jakarta-commons-logging-1.1-5.mga3.noarch: Jakarta Commons Logging Package (to install)
 2- apache-commons-logging-1.1.1-21.mga3.noarch: Apache Commons Logging (to install)
What is your choice? (1-2) 
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  apache-commons-collections     3.2.1        14.mga3       noarch  
  apache-commons-daemon          1.0.10       4.mga3        i586    
  apache-commons-dbcp            1.4          10.mga3       noarch  
  apache-commons-pool            1.6          2.mga3        noarch  
  ecj                            4.2.1        5.mga3        i586    
  jakarta-commons-logging        1.1          5.mga3        noarch  
  jakarta-taglibs-standard       1.1.2        9.mga3        noarch  
  javapackages-tools             0.12.0       2.mga3        noarch  
  jline                          0.9.94       5.mga3        noarch  
  jpackage-utils                 1.7.5        20.mga3       i586    
  rhino                          1.7R3        8.mga3        noarch  
  xalan-j2                       2.7.1        5.mga3        noarch  
  xerces-j2                      2.11.0       8.mga3        noarch  
  xml-commons-apis               1.4.01       8.mga3        noarch  
  xml-commons-resolver           1.2          11.mga3       noarch  
  xsltproc                       1.1.28       2.mga3        i586    
(medium "Core Updates")
  java-1.7.0-openjdk             1.7.0.60     2.4.4.1.mga3  i586    
  java-1.7.0-openjdk-headless    1.7.0.60     2.4.4.1.mga3  i586    
  lcms2                          2.5          1.mga3        i586    
  rootcerts-java                 20131204.00  1.mga3        i586    
  timezone-java                  2013g        2.mga3        i586    
  tomcat-jsp-2.2-api             7.0.41       4.mga3        noarch  
  tomcat-servlet-3.0-api         7.0.41       4.mga3        noarch  
(medium "Core Updates Testing")
  tomcat6                        6.0.37       1.1.mga3      noarch  
  tomcat6-admin-webapps          6.0.37       1.1.mga3      noarch  
  tomcat6-el-2.1-api             6.0.37       1.1.mga3      noarch  
  tomcat6-jsp-2.1-api            6.0.37       1.1.mga3      noarch  
  tomcat6-lib                    6.0.37       1.1.mga3      noarch  
  tomcat6-servlet-2.5-api        6.0.37       1.1.mga3      noarch  
  tomcat6-webapps                6.0.37       1.1.mga3      noarch  
108MB of additional disk space will be used.
34MB of packages will be retrieved.

=> bug 1: it pulls tomcat 7 packages! (Not a regression)

[root@localhost ~]# vim /etc/tomcat6/tomcat-users.xml #note: removed the comments to make it shorter
[root@localhost ~]# cat /etc/tomcat6/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
<!-- The host manager webapp is restricted to users with role "admin" -->
<user name="tomcat" password="password" roles="admin" />
<!-- The manager webapp is restricted to users with role "manager" -->
<user name="tomcat" password="password" roles="manager" />
</tomcat-users>
[root@localhost ~]# systemctl restart tomcat6.service
[root@localhost ~]# systemctl status tomcat6.service 
tomcat6.service - Apache Tomcat6 Web Application Container
          Loaded: loaded (/usr/lib/systemd/system/tomcat6.service; enabled)
          Active: inactive (dead) since Mon, 2014-02-10 13:49:20 CET; 6s ago
         Process: 14422 ExecStop=/usr/sbin/tomcat6-sysd stop (code=exited, status=0/SUCCESS)
         Process: 14377 ExecStart=/usr/sbin/tomcat6-sysd start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/tomcat6.service

Feb 10 13:48:47 localhost systemd[1]: Starting Apache Tomcat6 Web Application Container...
Feb 10 13:48:47 localhost su[14386]: (to tomcat) root on none
Feb 10 13:48:47 localhost su[14432]: (to tomcat) root on none
Feb 10 13:49:20 localhost tomcat6-sysd[14422]: /usr/sbin/tomcat6-sysd: ligne102: log_success_msg : commande introuvable
Feb 10 13:49:20 localhost systemd[1]: Started Apache Tomcat6 Web Application Container.

=> bug 2: it doesn't find the log_success_msg function. (Not a regression)


Then browsing to http://localhost:8080 or http://localhost:8080/samples gives a page not found.
Samuel Verschelde 2014-02-10 14:28:47 CET

Whiteboard: has_procedure => has_procedure feedback

Comment 26 Thomas Backlund 2014-02-16 00:35:45 CET
Taking the bug while sorting it out

CC: (none) => tmb
Assignee: qa-bugs => tmb

Comment 27 Thomas Backlund 2014-02-16 19:32:24 CET
Ok,

so tomcat6 failing to work (or actually it starts but dies some ~30 sec later) comes from a crappy systemd implementation, and running the server with the legacy sysv script makes it work properly.
Comment 28 Thomas Backlund 2014-02-16 21:13:19 CET
tomcat6 fixed, and tested on mga3 x86_64 
(so technically a: MGA3-64-OK, but I'll let someone else ack too)

testing as in comment 25

I also updated to latest 6.0.39 to squash:
 Low severity: Frame injection in documentation Javadoc CVE-2013-1571 

SRPM:
*****
tomcat6-6.0.39-1.1.mga3.src.rpm

i586:
*****
tomcat6-6.0.39-1.1.mga3.noarch.rpm
tomcat6-admin-webapps-6.0.39-1.1.mga3.noarch.rpm
tomcat6-docs-webapp-6.0.39-1.1.mga3.noarch.rpm
tomcat6-el-2.1-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-javadoc-6.0.39-1.1.mga3.noarch.rpm
tomcat6-jsp-2.1-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-lib-6.0.39-1.1.mga3.noarch.rpm
tomcat6-servlet-2.5-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-systemv-6.0.39-1.1.mga3.noarch.rpm
tomcat6-webapps-6.0.39-1.1.mga3.noarch.rpm

x86_64:
*******
tomcat6-6.0.39-1.1.mga3.noarch.rpm
tomcat6-admin-webapps-6.0.39-1.1.mga3.noarch.rpm
tomcat6-docs-webapp-6.0.39-1.1.mga3.noarch.rpm
tomcat6-el-2.1-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-javadoc-6.0.39-1.1.mga3.noarch.rpm
tomcat6-jsp-2.1-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-lib-6.0.39-1.1.mga3.noarch.rpm
tomcat6-servlet-2.5-api-6.0.39-1.1.mga3.noarch.rpm
tomcat6-systemv-6.0.39-1.1.mga3.noarch.rpm
tomcat6-webapps-6.0.39-1.1.mga3.noarch.rpm



Updated advisory:
****************
Updated tomcat6 packages fix security vulnerabilities:

It was discovered that Tomcat incorrectly handled certain requests
submitted using chunked transfer encoding. A remote attacker could use this
flaw to cause the Tomcat server to stop responding, resulting in a denial
of service (CVE-2012-3544).

A frame injection in the Javadoc component in Oracle Java SE 7 Update 21
and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier;
JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc (CVE-2013-1571)

A flaw was found in the way the tomcat6 init script handled the
tomcat6-initd.log log file. A malicious web application deployed on Tomcat
could use this flaw to perform a symbolic link attack to change the
ownership of an arbitrary system file to that of the tomcat user, allowing
them to escalate their privileges to root (CVE-2013-1976).

It was discovered that Tomcat incorrectly handled certain authentication
requests. A remote attacker could possibly use this flaw to inject a
request that would get executed with a victim's credentials (CVE-2013-2067).

Note: With this update, tomcat6-initd.log has been moved from
/var/log/tomcat6/ to the /var/log/ directory.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3544
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067
http://www.ubuntu.com/usn/usn-1841-1/
https://rhn.redhat.com/errata/RHSA-2013-0869.html
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.39

CVE: (none) => CVE-2012-3544, CVE-2013-1571, CVE-2013-1976, CVE-2013-2067
Assignee: tmb => qa-bugs
Summary: tomcat6 new security issues CVE-2012-3544 and CVE-2013-2067 => tomcat6 new security issues CVE-2012-3544, CVE-2013-1571, CVE-2013-1976 and CVE-2013-2067
Whiteboard: has_procedure feedback => has_procedure

Comment 29 claire robinson 2014-02-17 10:01:53 CET
Testing complete mga3 64, thanks Thomas.

Configured user/pass tomcat/tomcat to use manager-gui at the bottom of /etc/tomcat6/tomcat-user.xml as below, removing the comment arrows from the role section and adding a line:

  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat, manager-gui"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>


<!-- The host manager webapp is restricted to users with role "admin" -->
<!--<user name="tomcat" password="password" roles="admin" />-->
<!-- The manager webapp is restricted to users with role "manager" -->
<!--<user name="tomcat" password="password" roles="manager" />-->
</tomcat-users>


Started tomcat6 service (which took a short while) and browsed to http://localhost:8080 to ensure it was working before installing the update.

Installed the updated packages, restarted the service (systemctl restart tomcat6.service) and logged in at http://localhost:8080 with user/pass tomcat/tomcat. Also checked http://localhost:8080/sample and 'executed' each of the jsp examples at http://localhost:8080/examples looking for obvious errors.

Checked the service could be started and stopped without issue

Whiteboard: has_procedure => has_procedure mga3-64-ok

Comment 30 claire robinson 2014-02-17 10:10:38 CET
Tip: urpmi -ya tomcat6- to install all the packages.
Comment 31 claire robinson 2014-02-17 11:00:42 CET
Testing complete mga3 32

I'll validate in a few mins

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 32 claire robinson 2014-02-17 11:34:53 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 33 Thomas Backlund 2014-02-17 19:20:42 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0082.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 34 David Walser 2014-03-06 20:39:07 CET
On February 25, a few more CVEs for tomcat6 were announced, which were fixed in 6.0.39, so when Thomas updated it to 6.0.39 at the last minute for this update, we unknowingly solved several more security issues :o)

They are CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033:
http://tomcat.apache.org/security-6.html

Ubuntu listed three of those in an advisory today (March 6):
http://www.ubuntu.com/usn/usn-2130-1/

from http://lwn.net/Vulnerabilities/589752/

CVE-2014-0033 does not affect tomcat 7, but the others do (fixed in 7.0.47 and 7.0.50), so we'll need another tomcat 7 update for those.
