A security issue fixed in tomcat 7.0.55 was made public on February 9:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55

Fedora has not yet updated to 7.0.55.

Mageia 4 is also affected.

CC: (none) => pterjan
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO
Updated packages uploaded for Mageia 4 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request (CVE-2014-0227).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.59-1.mga4
tomcat-admin-webapps-7.0.59-1.mga4
tomcat-docs-webapp-7.0.59-1.mga4
tomcat-javadoc-7.0.59-1.mga4
tomcat-jsvc-7.0.59-1.mga4
tomcat-jsp-2.2-api-7.0.59-1.mga4
tomcat-lib-7.0.59-1.mga4
tomcat-servlet-3.0-api-7.0.59-1.mga4
tomcat-el-2.2-api-7.0.59-1.mga4
tomcat-webapps-7.0.59-1.mga4

from tomcat-7.0.59-1.mga4.src.rpm

Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO => has_procedure
I also found tomcat-log4j with this version number, so I installed that one as well.
CC: (none) => herman.viaene
MGA4-64 on HP Probook 6555b KDE. No installation issues. Followed procedure as described in bug 8307 (Comment 1 above). All works OK.
Whiteboard: has_procedure => has_procedure MGA4-64-OK
MGA4-32 on Acer D620 Xfce. No installation issues. Followed procedure as described in bug 8307 (Comment 1 above). All works OK.
Whiteboard: has_procedure MGA4-64-OK => advisory has_procedure MGA4-64-OK MGA4-32-OK
Validating. Please push to 4 updates. Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0081.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/634232/
This also fixed (also fixed in 7.0.55) CVE-2014-0230: http://lwn.net/Vulnerabilities/644268/
This also fixed CVE-2014-7810: http://lwn.net/Vulnerabilities/646558/