15270 – tomcat new security issue CVE-2014-0227

Bug 15270 - tomcat new security issue CVE-2014-0227

Summary: tomcat new security issue CVE-2014-0227

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/634232/
Whiteboard:	advisory has_procedure MGA4-64-OK MGA...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2015-02-11 23:06 CET by David Walser
Modified:	2015-05-29 16:57 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	tomcat-7.0.54-5.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-02-11 23:06:17 CET

A security issue fixed in tomcat 7.0.55 was made public on February 9:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55

Fedora has not yet updated to 7.0.55.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:

David Walser 2015-02-11 23:06:41 CET

CC: (none) => pterjan
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-02-16 13:52:42 CET

Updated packages uploaded for Mageia 4 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk
as part of a chunked request that caused Tomcat to read part of the request
body as a new request (CVE-2014-0227).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.59-1.mga4
tomcat-admin-webapps-7.0.59-1.mga4
tomcat-docs-webapp-7.0.59-1.mga4
tomcat-javadoc-7.0.59-1.mga4
tomcat-jsvc-7.0.59-1.mga4
tomcat-jsp-2.2-api-7.0.59-1.mga4
tomcat-lib-7.0.59-1.mga4
tomcat-servlet-3.0-api-7.0.59-1.mga4
tomcat-el-2.2-api-7.0.59-1.mga4
tomcat-webapps-7.0.59-1.mga4

from tomcat-7.0.59-1.mga4.src.rpm

Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO => has_procedure

Comment 2 Herman Viaene 2015-02-18 11:42:10 CET

I found also tomcat-log4j with this version number, so I installed that one as well.

CC: (none) => herman.viaene

Comment 3 Herman Viaene 2015-02-18 14:04:35 CET

MGA4-64 on HP Probook 6555b KDE.
No installation issues.
Followed procedure as desribed in bug8307 (Comment 1 above). All works OK.

Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 4 Herman Viaene 2015-02-18 17:21:10 CET

MGA4-32 on Acer D620 Xfce
No installation issues.
Followed procedure as desribed in bug8307 (Comment 1 above). All works OK.

Whiteboard: has_procedure MGA4-64-OK => advisory has_procedure MGA4-64-OK MGA4-32-OK

Comment 5 claire robinson 2015-02-19 13:46:30 CET

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-02-19 17:38:20 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0081.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-02-20 21:26:15 CET

URL: (none) => http://lwn.net/Vulnerabilities/634232/

Comment 7 David Walser 2015-05-13 20:10:11 CEST

This also fixed (also fixed in 7.0.55) CVE-2014-0230:
http://lwn.net/Vulnerabilities/644268/

Comment 8 David Walser 2015-05-29 16:57:49 CEST

This also fixed CVE-2014-7810:
http://lwn.net/Vulnerabilities/646558/

Note You need to log in before you can comment on or make changes to this bug.