Details on an issue in apache-commons-fileupload were released on February 6:
http://seclists.org/fulldisclosure/2014/Feb/41

As tomcat (tomcat7) bundles it, it is also affected. It will be fixed in version 7.0.51, when released. There is also a link to the upstream revision that fixes the issue on the tomcat7 security page:
http://tomcat.apache.org/security-7.html

This CVE might be split, as was requested here:
http://openwall.com/lists/oss-security/2014/02/07/3
Whiteboard: (none) => MGA4TOO, MGA3TOO
Debian has issued an advisory for this on February 7: http://www.debian.org/security/2014/dsa-2856
URL: (none) => http://lwn.net/Vulnerabilities/585187/
Fedora has issued an advisory for this on February 8:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128499.html

It is fixed upstream in 1.3.1, and the backported patch for 1.3 was added here:
http://pkgs.fedoraproject.org/cgit/apache-commons-fileupload.git/commit/?h=f20&id=7f0626d251aebf3ff97856a0f83da36095ec092b
According to DistroWatch, Tomcat 7.0.52 is out. Details should appear here shortly (but haven't yet):
http://tomcat.apache.org/
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
The Tomcat 7.0.52 release announcement and change details have been posted.
I've checked the apache-commons-fileupload patch into Mageia 4 SVN and updated it to 1.3.1 in Cauldron SVN. Mageia 3 has an older version, so I don't have a patch for that.

I tried building tomcat 7.0.52 locally in Mageia 4 and got:

BUILD FAILED
/home/david/tomcat/BUILD/apache-tomcat-7.0.52-src/build.xml:1784 The java.7.home property must be set for javadoc build
I found the upstream commits in apache-commons-fileupload and tomcat:
http://svn.apache.org/viewvc?view=revision&revision=r1565143
http://svn.apache.org/viewvc?view=revision&revision=1565169

I re-diffed the apache-commons-fileupload commit against the version in Mageia 3 and added it in SVN. The tomcat commit applies cleanly to tomcat 7.0.47 in Mageia 4 and Cauldron, and only needed one "public" removed to apply to 7.0.41 in Mageia 3. I added it in SVN.
For the Mageia 3 apache-commons-fileupload update, I had to remove the test case added by the patch, as it's *supposed* to fail with an IllegalArgumentException, but there's no apparent way to indicate that. The newer version uses annotations for that. All of the packages are built and uploaded now.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Assigning to QA.

Note to QA: these packages contain build-time test suites that were able to verify that the issue is fixed correctly.

Advisory:
========================

Updated apache-commons-fileupload and tomcat packages fix security vulnerabilities:

It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition (CVE-2014-0050).

Tomcat 7 includes an embedded copy of the Apache Commons FileUpload package, and was affected as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://seclists.org/fulldisclosure/2014/Feb/41
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.52
http://www.debian.org/security/2014/dsa-2856
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128499.html
========================

Updated packages in core/updates_testing:
========================
apache-commons-fileupload-1.2.2-10.1.mga3
apache-commons-fileupload-javadoc-1.2.2-10.1.mga3
tomcat-7.0.41-5.mga3
tomcat-admin-webapps-7.0.41-5.mga3
tomcat-docs-webapp-7.0.41-5.mga3
tomcat-javadoc-7.0.41-5.mga3
tomcat-jsvc-7.0.41-5.mga3
tomcat-jsp-2.2-api-7.0.41-5.mga3
tomcat-lib-7.0.41-5.mga3
tomcat-servlet-3.0-api-7.0.41-5.mga3
tomcat-el-2.2-api-7.0.41-5.mga3
tomcat-webapps-7.0.41-5.mga3
apache-commons-fileupload-1.3-5.1.mga4
apache-commons-fileupload-javadoc-1.3-5.1.mga4
tomcat-7.0.47-1.1.mga4
tomcat-admin-webapps-7.0.47-1.1.mga4
tomcat-docs-webapp-7.0.47-1.1.mga4
tomcat-javadoc-7.0.47-1.1.mga4
tomcat-jsvc-7.0.47-1.1.mga4
tomcat-jsp-2.2-api-7.0.47-1.1.mga4
tomcat-lib-7.0.47-1.1.mga4
tomcat-servlet-3.0-api-7.0.47-1.1.mga4
tomcat-el-2.2-api-7.0.47-1.1.mga4
tomcat-webapps-7.0.47-1.1.mga4

from SRPMS:
apache-commons-fileupload-1.2.2-10.1.mga3.src.rpm
tomcat-7.0.41-5.mga3.src.rpm
apache-commons-fileupload-1.3-5.1.mga4.src.rpm
tomcat-7.0.47-1.1.mga4.src.rpm
CC: (none) => dmorganec
Assignee: dmorganec => qa-bugs
Severity: normal => major
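An added example, not code from this bug report and not Commons FileUpload's own source, showing the kind of fail-fast check the fix described in the comments above relies on: the boundary is taken from the multipart Content-Type header and measured against the parser's read buffer before any body parsing starts, and a boundary that cannot fit is rejected with an IllegalArgumentException, which is the outcome the patch's test case is said to expect. The 4096-byte buffer size, the "\r\n--" prefix length and the class and method names are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;

/**
 * Illustrative pre-parse guard for multipart boundaries (assumed names; not the
 * Commons FileUpload implementation). A multipart parser reads the body in
 * fixed-size chunks and looks for "\r\n--" + boundary inside each chunk; if the
 * delimiter can never fit in one chunk, the search cannot make progress.
 */
public final class BoundaryGuard {

    /** Assumed size of the chunk buffer the parser reads into. */
    static final int DEFAULT_BUFFER_SIZE = 4096;

    /** Length of the "\r\n--" that precedes every boundary in the body (assumed). */
    private static final int BOUNDARY_PREFIX_LENGTH = 4;

    private BoundaryGuard() {
    }

    /** Returns the boundary parameter of a multipart Content-Type, or null if there is none. */
    static String extractBoundary(String contentType) {
        if (contentType == null) {
            return null;
        }
        String[] parts = contentType.split(";");
        if (!parts[0].trim().toLowerCase(Locale.ROOT).startsWith("multipart/")) {
            return null;
        }
        for (int i = 1; i < parts.length; i++) {
            String param = parts[i].trim();
            int eq = param.indexOf('=');
            if (eq < 0) {
                continue;
            }
            String name = param.substring(0, eq).trim().toLowerCase(Locale.ROOT);
            String value = param.substring(eq + 1).trim();
            if (name.equals("boundary")) {
                // RFC 2046 allows a quoted boundary value; strip the quotes.
                if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                    value = value.substring(1, value.length() - 1);
                }
                return value;
            }
        }
        return null;
    }

    /**
     * The delimiter (prefix + boundary) plus at least one further byte must fit
     * in the buffer, otherwise the parser refills forever without matching.
     */
    static boolean boundaryFitsBuffer(String boundary, int bufSize) {
        int delimiterLength = boundary.getBytes(StandardCharsets.ISO_8859_1).length
                + BOUNDARY_PREFIX_LENGTH;
        return bufSize >= delimiterLength + 1;
    }

    /** Fails fast with IllegalArgumentException instead of handing a bad boundary to the parser. */
    static String checkedBoundary(String contentType, int bufSize) {
        String boundary = extractBoundary(contentType);
        if (boundary == null || boundary.isEmpty()) {
            throw new IllegalArgumentException("multipart Content-Type without a boundary parameter");
        }
        if (!boundaryFitsBuffer(boundary, bufSize)) {
            throw new IllegalArgumentException("boundary of " + boundary.length()
                    + " characters does not fit a " + bufSize + "-byte parser buffer");
        }
        return boundary;
    }

    public static void main(String[] args) {
        // Constructed sample headers: an ordinary browser-style boundary and an
        // over-long one of the kind the advisory describes.
        String normal = "multipart/form-data; boundary=----FormBoundaryExample1234";
        System.out.println("accepted: " + checkedBoundary(normal, DEFAULT_BUFFER_SIZE));

        StringBuilder overlong = new StringBuilder("multipart/form-data; boundary=");
        for (int i = 0; i < DEFAULT_BUFFER_SIZE; i++) {
            overlong.append('x');
        }
        try {
            checkedBoundary(overlong.toString(), DEFAULT_BUFFER_SIZE);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of placing the check before parsing is that the request is refused in constant time, so a header that would otherwise pin a worker thread is turned into an ordinary bad-request error; packagers backporting the fix (as done for the Mageia 3 package in this thread) need the same guard even when the newer annotation-based test for it cannot be carried over.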
Just for the sake of posterity, the Mageia 3 tomcat update might also fix CVE-2013-1976, as I indicated here:
https://bugs.mageia.org/show_bug.cgi?id=10201#c23

I'm not *sure* whether it was affected, so I didn't mention it in the advisory.
Here is a test procedure for apache-commons-fileupload:
1 - create a web form (see form.html)
2 - create a cgi script for upload in /var/www/cgi-bin (see upload.cgi) and chmod 755 on it
3 - create a directory in /var/www/html/upload for example and chown apache on it
CC: (none) => ennael1
Created attachment 5007 [details] form template
Created attachment 5008 [details] CGI script template
Tested on Mageia 4 64 - works perfectly
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Tested on Mageia 4 32 - works ok
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok
This procedure works without apache-commons-fileupload installed, Anne, and also misses tomcat.

# ls upload/
girl.jpg
# rpm -q apache-commons-fileupload
package apache-commons-fileupload is not installed

We normally end up just testing that java stuff updates cleanly, so it would be good to have procedures for some of it. I'll leave the whiteboard tags but I'll also test tomcat mga4.
Procedure for tomcat 7: https://bugs.mageia.org/show_bug.cgi?id=8307#c17
Testing mga4 64

Before
------
A packaging issue..

Preparing...
########## 9/13: tomcat-lib
########## 10/13: tomcat
##########
[tomcat.conf:2] Syntax error.
[tomcat.conf:6] Unknown modifier '/usr/lib/rpm/find-debuginfo.sh'
[tomcat.conf:11] Unknown file type '['.
[tomcat.conf:12] Unknown file type '['.
[tomcat.conf:13] Unknown file type '['.
[tomcat.conf:14] Unknown file type '['.
[tomcat.conf:15] Unknown file type '['.
[tomcat.conf:16] Unknown file type '['.
[tomcat.conf:17] Unknown file type '['.
[tomcat.conf:18] Unknown file type '['.
[tomcat.conf:19] Unknown file type '['.
[tomcat.conf:20] Unknown file type '['.
[tomcat.conf:21] Unknown file type '['.
[tomcat.conf:22] Unknown file type '['.
[tomcat.conf:25] Syntax error.
[tomcat.conf:26] Unknown file type '['.
[tomcat.conf:27] Syntax error.

After
-----
Same issue..

Preparing...
########## 1/7: tomcat-servlet-3.0-api
########## 2/7: tomcat-jsp-2.2-api
########## 3/7: tomcat-el-2.2-api
########## 4/7: tomcat-lib
########## 5/7: tomcat
##########
[tomcat.conf:2] Syntax error.
[tomcat.conf:6] Unknown modifier '/usr/lib/rpm/find-debuginfo.sh'
[tomcat.conf:11] Unknown file type '['.
[tomcat.conf:12] Unknown file type '['.
[tomcat.conf:13] Unknown file type '['.
[tomcat.conf:14] Unknown file type '['.
[tomcat.conf:15] Unknown file type '['.
[tomcat.conf:16] Unknown file type '['.
[tomcat.conf:17] Unknown file type '['.
[tomcat.conf:18] Unknown file type '['.
[tomcat.conf:19] Unknown file type '['.
[tomcat.conf:20] Unknown file type '['.
[tomcat.conf:21] Unknown file type '['.
[tomcat.conf:22] Unknown file type '['.
[tomcat.conf:25] Syntax error.
[tomcat.conf:26] Unknown file type '['.
[tomcat.conf:27] Syntax error.
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure feedback
/etc/tomcat/tomcat.conf looks normal, so I'm not sure where this comes from.
Blocks: (none) => 12899
OK, I'm confident in the apache-commons-fileupload update, and we can test that by ensuring it installs cleanly as usual. I've split the tomcat update off to Bug 12899. Nobody else has issued updates for tomcat for this one yet, so no big deal I guess.

Advisory:
========================

Updated apache-commons-fileupload packages fix security vulnerability:

It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition (CVE-2014-0050).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://seclists.org/fulldisclosure/2014/Feb/41
http://www.debian.org/security/2014/dsa-2856
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128499.html
========================

Updated packages in core/updates_testing:
========================
apache-commons-fileupload-1.2.2-10.1.mga3
apache-commons-fileupload-javadoc-1.2.2-10.1.mga3
apache-commons-fileupload-1.3-5.1.mga4
apache-commons-fileupload-javadoc-1.3-5.1.mga4

from SRPMS:
apache-commons-fileupload-1.2.2-10.1.mga3.src.rpm
apache-commons-fileupload-1.3-5.1.mga4.src.rpm
Blocks: 12899 => (none)
Summary: apache-commons-fileupload and tomcat new security issue CVE-2014-0050 => apache-commons-fileupload new security issue CVE-2014-0050
Source RPM: apache-commons-fileupload-1.2.2-10.mga3.src.rpm, tomcat-7.0.41-4.mga3.src.rpm => apache-commons-fileupload-1.2.2-10.mga3.src.rpm
Whiteboard: MGA3TOO has_procedure feedback => MGA3TOO has_procedure
Adding mga4 OKs again from Anne's tests.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: apache-commons-fileupload

Apache ( httpd ) works on test install.

default install of apache-commons-fileupload ( 346 packages )
Restart httpd, httpd works as expected.

[root@localhost wilcal]# urpmi apache-commons-fileupload
Package apache-commons-fileupload-1.2.2-10.mga3.noarch is already installed

install apache-commons-fileupload from updates_testing

[root@localhost wilcal]# urpmi apache-commons-fileupload
Package apache-commons-fileupload-1.2.2-10.1.mga3.noarch is already installed

Restart httpd, httpd works as expected.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure MGA3-32-OK mga4-32-ok mga4-64-ok
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: apache-commons-fileupload

Apache ( httpd ) works on test install.

default install of apache-commons-fileupload ( 346 packages )
Restart httpd, httpd works as expected.

[root@localhost wilcal]# urpmi apache-commons-fileupload
Package apache-commons-fileupload-1.2.2-10.mga3.noarch is already installed

install apache-commons-fileupload from updates_testing

[root@localhost wilcal]# urpmi apache-commons-fileupload
Package apache-commons-fileupload-1.2.2-10.1.mga3.noarch is already installed

Restart httpd, httpd works as expected.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
For me the update does not disrupt the operation of httpd. I'd say go ahead and push it.
Whiteboard: MGA3TOO has_procedure MGA3-32-OK mga4-32-ok mga4-64-ok => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK mga4-32-ok mga4-64-ok
Thanks. Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0109.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED