Three security issues previously fixed upstream in tomcat were made public on February 25:
http://tomcat.apache.org/security-7.html

Ubuntu has issued an advisory including the first two today:
http://www.ubuntu.com/usn/usn-2130-1/

Since CVE-2013-4286 was fixed in 7.0.47, Mageia 4 and Cauldron are not affected. CVE-2013-4322 and CVE-2013-4590 were fixed in 7.0.50, so Mageia 3, Mageia 4, and Cauldron are all affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. The changes in the Mageia 3 package are fairly significant, since I synced it with Cauldron. I did verify that all of the subpackages install cleanly, the tomcat service starts, and connecting to it on port 8080 does produce a web page.

Advisory (Mageia 3):
========================

Updated tomcat packages fix security vulnerabilities:

Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header (CVE-2013-4286).

Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data (CVE-2013-4322).

Apache Tomcat 7.x before 7.0.50 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2013-4590).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
http://tomcat.apache.org/security-7.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.52-1.mga3
tomcat-admin-webapps-7.0.52-1.mga3
tomcat-docs-webapp-7.0.52-1.mga3
tomcat-javadoc-7.0.52-1.mga3
tomcat-jsvc-7.0.52-1.mga3
tomcat-jsp-2.2-api-7.0.52-1.mga3
tomcat-lib-7.0.52-1.mga3
tomcat-servlet-3.0-api-7.0.52-1.mga3
tomcat-el-2.2-api-7.0.52-1.mga3
tomcat-webapps-7.0.52-1.mga3

from tomcat-7.0.52-1.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated tomcat packages fix security vulnerabilities:

Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data (CVE-2013-4322).

Apache Tomcat 7.x before 7.0.50 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2013-4590).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
http://tomcat.apache.org/security-7.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.52-1.mga4
tomcat-admin-webapps-7.0.52-1.mga4
tomcat-docs-webapp-7.0.52-1.mga4
tomcat-javadoc-7.0.52-1.mga4
tomcat-jsvc-7.0.52-1.mga4
tomcat-jsp-2.2-api-7.0.52-1.mga4
tomcat-lib-7.0.52-1.mga4
tomcat-servlet-3.0-api-7.0.52-1.mga4
tomcat-el-2.2-api-7.0.52-1.mga4
tomcat-webapps-7.0.52-1.mga4

from tomcat-7.0.52-1.mga4.src.rpm
CC: (none) => dmorganec, tmb
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
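The request-framing conditions named in the advisory text above (multiple Content-Length headers, Content-Length beside Transfer-Encoding: chunked, unbounded chunked bodies), as an added example that is not part of this bug report, of Mageia's packages or of Tomcat: a check a front end could apply before forwarding a request, plus a chunked decoder with a total-size cap. The sample requests are constructed, not captured traffic.

```python
"""Framing checks for the two Tomcat HTTP issues in this update (added example,
not Mageia's or Tomcat's code). CVE-2013-4286: differing Content-Length values,
or Content-Length beside Transfer-Encoding: chunked, let a front end and a back
end read two different body lengths, so a front end should refuse the request.
CVE-2013-4322: chunked bodies need a cap on the total decoded size.
"""
from typing import List, Tuple

def _headers(raw: bytes) -> List[Tuple[str, str]]:
    """Lower-cased (name, value) pairs from the request head only."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def framing_problems(raw: bytes) -> List[str]:
    """Reasons the body length of this request is ambiguous; [] means ok."""
    hdrs = _headers(raw)
    # RFC 7230 tolerates repeated Content-Length only when every value agrees.
    cl = [p.strip() for n, v in hdrs if n == "content-length" for p in v.split(",")]
    te = [v.lower() for n, v in hdrs if n == "transfer-encoding"]
    problems = []
    if any(not p.isdigit() for p in cl):
        problems.append("non-numeric Content-Length")
    if len(set(cl)) > 1:
        problems.append("differing Content-Length values")
    if cl and any("chunked" in v for v in te):
        problems.append("Content-Length together with Transfer-Encoding: chunked")
    return problems

def decode_chunked(body: bytes, max_total: int) -> bytes:
    """Decode a chunked body, refusing once the decoded total exceeds max_total."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return out                 # trailer fields after the last chunk are not parsed here
        if len(out) + size > max_total:
            raise ValueError("chunked body exceeds %d bytes" % max_total)
        out += body[pos:pos + size]
        pos += size + 2                # skip the chunk data and its CRLF

# Constructed sample requests, not captured traffic.
CLEAN = b"POST /app HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\nhello"
DOUBLE_CL = b"POST /app HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\nContent-Length: 11\r\n\r\nhello"
CL_TE = (b"POST /app HTTP/1.1\r\nHost: h\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
```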
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Advisories 12955.mga3.adv and 12955.mga4.adv committed to svn.
CC: (none) => davidwhodgins
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure advisory
Testing complete mga3 32 & 64 and mga4 32 & 64.
Validating. Could sysadmin please push to 3 & 4 updates.
Note, there are separate advisories for this one: 12955.mga3.adv and 12955.mga4.adv.
Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0148.html
http://advisories.mageia.org/MGASA-2014-0149.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
LWN reference for CVE-2013-4590: http://lwn.net/Vulnerabilities/592962/