+++ This bug was initially created as a clone of Bug #12653 +++ Details on an issue in apache-commons-fileupload were released on February 6: http://seclists.org/fulldisclosure/2014/Feb/41 As tomcat (tomcat7) bundles it, it is also affected. It will be fixed in version 7.0.51, when released. There is also a link to the upstream revision that fixes the issue on the tomcat7 security page: http://tomcat.apache.org/security-7.html This CVE might be split, as was requested here: http://openwall.com/lists/oss-security/2014/02/07/3 Reproducible: Steps to Reproduce:
The issue is fixed upstream in Tomcat 7.0.52, which doesn't build. I tried building tomcat 7.0.52 locally in Mageia 4 and got: BUILD FAILED /home/david/tomcat/BUILD/apache-tomcat-7.0.52-src/build.xml:1784 The java.7.home property must be set for javadoc build I found the upstream commit in tomcat to fix this: http://svn.apache.org/viewvc?view=revision&revision=1565169 The tomcat commit applies cleanly to tomcat 7.0.47 in Mageia 4 and Cauldron, and only needed one "public" removed to apply to 7.0.41 in Mageia 3. I added it in SVN and built it. The QA team has determined that tomcat in Mageia 4 is not working: https://bugs.mageia.org/show_bug.cgi?id=12653#c17 Just for the sake of posterity, the Mageia 3 tomcat update might also fix CVE-2013-1976, as I indicated here: https://bugs.mageia.org/show_bug.cgi?id=10201#c23 I'm not *sure* whether it was affected, so I didn't mention it in the advisory. Here is the basis of the advisory we can use once this is fixed. Advisory: ======================== Updated tomcat packages fix security vulnerability: It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition (CVE-2014-0050). Tomcat 7 includes an embedded copy of the Apache Commons FileUpload package, and was affected as well. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://seclists.org/fulldisclosure/2014/Feb/41 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.52 ======================== Updated packages in core/updates_testing: ======================== tomcat-7.0.41-5.mga3 tomcat-admin-webapps-7.0.41-5.mga3 tomcat-docs-webapp-7.0.41-5.mga3 tomcat-javadoc-7.0.41-5.mga3 tomcat-jsvc-7.0.41-5.mga3 tomcat-jsp-2.2-api-7.0.41-5.mga3 tomcat-lib-7.0.41-5.mga3 tomcat-servlet-3.0-api-7.0.41-5.mga3 tomcat-el-2.2-api-7.0.41-5.mga3 tomcat-webapps-7.0.41-5.mga3 tomcat-7.0.47-1.1.mga4 tomcat-admin-webapps-7.0.47-1.1.mga4 tomcat-docs-webapp-7.0.47-1.1.mga4 tomcat-javadoc-7.0.47-1.1.mga4 tomcat-jsvc-7.0.47-1.1.mga4 tomcat-jsp-2.2-api-7.0.47-1.1.mga4 tomcat-lib-7.0.47-1.1.mga4 tomcat-servlet-3.0-api-7.0.47-1.1.mga4 tomcat-el-2.2-api-7.0.47-1.1.mga4 tomcat-webapps-7.0.47-1.1.mga4 from SRPMS: tomcat-7.0.41-5.mga3.src.rpm tomcat-7.0.47-1.1.mga4.src.rpm
Assignee: bugsquad => dmorganecSource RPM: apache-commons-fileupload-1.2.2-10.mga3.src.rpm, tomcat-7.0.41-4.mga3.src.rpm => tomcat-7.0.41-4.mga3.src.rpmWhiteboard: (none) => MGA3TOO
Depends on: 12653 => (none)
CC: (none) => qa-bugs
tomcat in mga4 fixed: tomcat-7.0.47-1.2.mga4.noarch.rpm tomcat-admin-webapps-7.0.47-1.2.mga4.noarch.rpm tomcat-docs-webapp-7.0.47-1.2.mga4.noarch.rpm tomcat-el-2.2-api-7.0.47-1.2.mga4.noarch.rpm tomcat-javadoc-7.0.47-1.2.mga4.noarch.rpm tomcat-jsp-2.2-api-7.0.47-1.2.mga4.noarch.rpm tomcat-jsvc-7.0.47-1.2.mga4.noarch.rpm tomcat-lib-7.0.47-1.2.mga4.noarch.rpm tomcat-servlet-3.0-api-7.0.47-1.2.mga4.noarch.rpm tomcat-webapps-7.0.47-1.2.mga4.noarch.rpm
CC: (none) => tmbAssignee: dmorganec => qa-bugsSource RPM: tomcat-7.0.41-4.mga3.src.rpm => tomcat-7.0.41-4.2.mga3.src.rpm
works on mga3 x86_64 and mga4 x86_64 tested by installing the tomcat-webapps and confirming the examples work
Whiteboard: MGA3TOO => MGA3TOO mga3-64-ok mga4-64-ok
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17
Whiteboard: MGA3TOO mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
Advisory uploaded. Validating (really) Could sysadmin please push to 3 & 4 updates Thanks
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Update pushed: http://advisories.mageia.org/MGASA-2014-0110.html
Status: NEW => RESOLVEDResolution: (none) => FIXED