Bug 12955 - tomcat (tomcat7) new security issues CVE-2013-4286, CVE-2013-4322, CVE-2013-4590
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/589752/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update

Reported: 2014-03-06 20:42 CET by David Walser
Modified: 2014-04-03 16:14 CEST

Source RPM: tomcat-7.0.47-3.mga5.src.rpm

Description David Walser 2014-03-06 20:42:57 CET
Three security issues previously fixed upstream in tomcat were made public on February 25:
http://tomcat.apache.org/security-7.html

Ubuntu has issued an advisory including the first two today:
http://www.ubuntu.com/usn/usn-2130-1/

Since CVE-2013-4286 was fixed in 7.0.47, Mageia 4 and Cauldron are not affected.

CVE-2013-4322 and CVE-2013-4590 were fixed in 7.0.50, so Mageia 3, Mageia 4, and Cauldron are all affected.
Comment 1 David Walser 2014-03-30 17:05:36 CEST
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

The changes in the Mageia 3 package are fairly significant, since I synced it with Cauldron.  I did verify that all of the subpackages install cleanly, the tomcat service starts, and connecting to it on port 8080 does produce a web page.

Advisory (Mageia 3):
========================

Updated tomcat packages fix security vulnerabilities:

Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is
used, does not properly handle certain inconsistent HTTP request headers,
which allows remote attackers to trigger incorrect identification of a
request's length and conduct request-smuggling attacks via (1) multiple
Content-Length headers or (2) a Content-Length header and a
"Transfer-Encoding: chunked" header (CVE-2013-4286).

Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without
properly handling (1) a large total amount of chunked data or (2) whitespace
characters in an HTTP header value within a trailer field, which allows
remote attackers to cause a denial of service by streaming data
(CVE-2013-4322).

Apache Tomcat 7.x before 7.0.50 allows attackers to obtain "Tomcat
internals" information by leveraging the presence of an untrusted web
application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML
document containing an external entity declaration in conjunction with an
entity reference, related to an XML External Entity (XXE) issue
(CVE-2013-4590).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
http://tomcat.apache.org/security-7.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.52-1.mga3
tomcat-admin-webapps-7.0.52-1.mga3
tomcat-docs-webapp-7.0.52-1.mga3
tomcat-javadoc-7.0.52-1.mga3
tomcat-jsvc-7.0.52-1.mga3
tomcat-jsp-2.2-api-7.0.52-1.mga3
tomcat-lib-7.0.52-1.mga3
tomcat-servlet-3.0-api-7.0.52-1.mga3
tomcat-el-2.2-api-7.0.52-1.mga3
tomcat-webapps-7.0.52-1.mga3

from tomcat-7.0.52-1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated tomcat packages fix security vulnerabilities:

Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without
properly handling (1) a large total amount of chunked data or (2) whitespace
characters in an HTTP header value within a trailer field, which allows
remote attackers to cause a denial of service by streaming data
(CVE-2013-4322).

Apache Tomcat 7.x before 7.0.50 allows attackers to obtain "Tomcat
internals" information by leveraging the presence of an untrusted web
application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML
document containing an external entity declaration in conjunction with an
entity reference, related to an XML External Entity (XXE) issue
(CVE-2013-4590).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
http://tomcat.apache.org/security-7.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.52-1.mga4
tomcat-admin-webapps-7.0.52-1.mga4
tomcat-docs-webapp-7.0.52-1.mga4
tomcat-javadoc-7.0.52-1.mga4
tomcat-jsvc-7.0.52-1.mga4
tomcat-jsp-2.2-api-7.0.52-1.mga4
tomcat-lib-7.0.52-1.mga4
tomcat-servlet-3.0-api-7.0.52-1.mga4
tomcat-el-2.2-api-7.0.52-1.mga4
tomcat-webapps-7.0.52-1.mga4

from tomcat-7.0.52-1.mga4.src.rpm
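Added example, not part of this bug report or of Tomcat's own code: a Python check that applies the framing rule Tomcat 7.0.47 adopted for CVE-2013-4286, rejecting a request that carries more than one Content-Length header or a Content-Length header together with Transfer-Encoding: chunked, so front-end and back-end can never disagree about where the body ends. The sample requests are constructed for the demonstration.

```python
"""Request-framing check for the CVE-2013-4286 smuggling class (added example)."""
from typing import List, Tuple

# Constructed sample requests, not captured traffic.
CLEAN = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DOUBLE_CL = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 20\r\n\r\nhello")
CL_AND_TE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")


def parse_headers(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw request into its request line and (name, value) header pairs.
    Names are lower-cased because HTTP header names are case-insensitive."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_framing(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a raw request.

    Rejects the two ambiguous cases named in the advisory: repeated
    Content-Length headers, and Content-Length alongside a chunked
    Transfer-Encoding. A server that accepts either can be made to read a
    different body boundary than the proxy in front of it."""
    _, headers = parse_headers(raw)
    lengths = [v for n, v in headers if n == b"content-length"]
    # Transfer-Encoding may list several codings: "gzip, chunked".
    encodings = [t.strip().lower()
                 for n, v in headers if n == b"transfer-encoding"
                 for t in v.split(b",")]
    if lengths and b"chunked" in encodings:
        return False, "Content-Length combined with Transfer-Encoding: chunked"
    if len(lengths) > 1:
        return False, "multiple Content-Length headers"
    if lengths and not lengths[0].isdigit():
        return False, "non-numeric Content-Length"
    return True, "unambiguous framing"
```

A rejected request should be answered with 400 and the connection closed, since the remaining bytes on the socket cannot be trusted to start a new request.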
Comment 2 claire robinson 2014-03-31 18:35:23 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17
Comment 3 Dave Hodgins 2014-03-31 22:20:04 CEST
Advisories 12955.mga3.adv and 12955.mga4.adv committed to svn.
Comment 4 claire robinson 2014-04-01 15:46:30 CEST
Testing complete mga3 32 & 64 and mga4 32 & 64

Validating

Could sysadmin please push to 3 & 4 updates. Note, there are separate advisories for this one: 12955.mga3.adv and 12955.mga4.adv

Thanks
Comment 6 David Walser 2014-04-03 16:14:16 CEST
LWN reference for CVE-2013-4590:
http://lwn.net/Vulnerabilities/592962/