Bug 15270 - tomcat new security issue CVE-2014-0227
Summary: tomcat new security issue CVE-2014-0227
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/634232/
Whiteboard: advisory has_procedure MGA4-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-02-11 23:06 CET by David Walser
Modified: 2015-05-29 16:57 CEST
CC List: 3 users

See Also:
Source RPM: tomcat-7.0.54-5.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-02-11 23:06:17 CET
A security issue fixed in tomcat 7.0.55 was made public on February 9:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55

Fedora has not yet updated to 7.0.55.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-02-11 23:06:41 CET

CC: (none) => pterjan
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-02-16 13:52:42 CET
Updated packages uploaded for Mageia 4 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk
as part of a chunked request that caused Tomcat to read part of the request
body as a new request (CVE-2014-0227).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.59-1.mga4
tomcat-admin-webapps-7.0.59-1.mga4
tomcat-docs-webapp-7.0.59-1.mga4
tomcat-javadoc-7.0.59-1.mga4
tomcat-jsvc-7.0.59-1.mga4
tomcat-jsp-2.2-api-7.0.59-1.mga4
tomcat-lib-7.0.59-1.mga4
tomcat-servlet-3.0-api-7.0.59-1.mga4
tomcat-el-2.2-api-7.0.59-1.mga4
tomcat-webapps-7.0.59-1.mga4

from tomcat-7.0.59-1.mga4.src.rpm

Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO => has_procedure

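The advisory in Comment 1 states the failure mode in one sentence: a malformed chunk makes the server read the rest of the request body as a new request. The following Python model is added here as an illustration of that mechanism; it is not Tomcat code and not part of the Mageia package. It runs a toy keep-alive server loop with two chunked-body decoders: a lenient one that treats an unparseable chunk-size line as the end of the body and hands the remaining bytes back to the request parser, and a strict one that rejects the request so the connection is closed. The request bytes, the `example.test` hostname and all function names are constructed for the example.

```python
# Illustration only (not Tomcat code): why a chunked-body decoder must treat a
# malformed chunk as a fatal error and close the connection, instead of
# stopping at the bad chunk and leaving the rest of the body on the socket.
import re

CRLF = b"\r\n"


class MalformedChunk(Exception):
    """Raised by the strict decoder; the server must drop the connection."""


def _read_line(buf, pos):
    """Return (line, position after its CRLF) for the line starting at pos."""
    end = buf.find(CRLF, pos)
    if end == -1:
        raise MalformedChunk("line not terminated by CRLF")
    return buf[pos:end], end + 2


def _skip_trailers(buf, pos):
    """After the 0-size chunk, consume trailer lines up to the empty line."""
    while True:
        line, pos = _read_line(buf, pos)
        if line == b"":
            return pos


def decode_chunked_lenient(buf):
    """Vulnerable pattern: an unparseable chunk-size line is treated as the end
    of the body, and every byte after it is returned as 'leftover' that the
    caller then parses as the next request. Returns (body, leftover)."""
    body, pos = bytearray(), 0
    while True:
        line, nxt = _read_line(buf, pos)
        try:
            size = int(line.split(b";", 1)[0].strip(), 16)
        except ValueError:
            return bytes(body), buf[nxt:]  # BUG: body "ends", connection stays open
        pos = nxt
        if size == 0:
            return bytes(body), buf[_skip_trailers(buf, pos):]
        body += buf[pos:pos + size]
        pos += size + 2                     # chunk data plus its CRLF, unchecked


def decode_chunked_strict(buf):
    """Hardened pattern: anything that is not a well-formed chunk raises
    MalformedChunk, so no byte after the bad one is ever reused."""
    body, pos = bytearray(), 0
    while True:
        line, pos = _read_line(buf, pos)
        size_field = line.split(b";", 1)[0]
        if not re.fullmatch(rb"[0-9a-fA-F]{1,8}", size_field):
            raise MalformedChunk("invalid chunk-size line %r" % line)
        size = int(size_field, 16)
        if size == 0:
            return bytes(body), buf[_skip_trailers(buf, pos):]
        chunk = buf[pos:pos + size]
        if len(chunk) != size or buf[pos + size:pos + size + 2] != CRLF:
            raise MalformedChunk("chunk data truncated or not CRLF-terminated")
        body += chunk
        pos += size + 2


def _parse_head(buf):
    """Split off one request head: (request line, headers, remaining bytes)."""
    end = buf.find(CRLF + CRLF)
    if end == -1:
        return None
    lines = buf[:end].split(CRLF)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, buf[end + 4:]


def serve_connection(buf, decoder):
    """Toy keep-alive server loop: return the request lines it would act on."""
    handled = []
    while buf:
        head = _parse_head(buf)
        if head is None:
            break
        req_line, headers, rest = head
        handled.append(req_line)
        if headers.get(b"transfer-encoding", b"").lower() != b"chunked":
            buf = rest
            continue
        try:
            _body, buf = decoder(rest)
        except MalformedChunk:
            break  # correct reaction: answer 400 and close; read nothing further
    return handled


# Constructed request stream: a chunked POST whose body holds a bogus chunk
# size ("zz") followed by bytes shaped like a privileged second request.
SMUGGLED = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n"
    b"zz\r\n"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

# Constructed well-formed stream: both decoders must handle it identically.
WELL_FORMED = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    for name, dec in (("lenient", decode_chunked_lenient),
                      ("strict", decode_chunked_strict)):
        print(name, serve_connection(SMUGGLED, dec))
```

Run as a script, the lenient variant reports both `POST /upload` and the attacker-supplied `GET /admin` as requests it handled, while the strict variant reports only the POST. The point for anyone reviewing a body decoder: a parse failure inside a chunked body has to abort the request and close the connection, never signal end-of-body, because everything after the bad byte is attacker-controlled.
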
Comment 2 Herman Viaene 2015-02-18 11:42:10 CET
I found also tomcat-log4j with this version number, so I installed that one as well.

CC: (none) => herman.viaene

Comment 3 Herman Viaene 2015-02-18 14:04:35 CET
MGA4-64 on HP Probook 6555b KDE.
No installation issues.
Followed procedure as described in bug 8307 (Comment 1 above). All works OK.

Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 4 Herman Viaene 2015-02-18 17:21:10 CET
MGA4-32 on Acer D620 Xfce
No installation issues.
Followed procedure as described in bug 8307 (Comment 1 above). All works OK.

Whiteboard: has_procedure MGA4-64-OK => advisory has_procedure MGA4-64-OK MGA4-32-OK

Comment 5 claire robinson 2015-02-19 13:46:30 CET
Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-02-19 17:38:20 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0081.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-02-20 21:26:15 CET

URL: (none) => http://lwn.net/Vulnerabilities/634232/

Comment 7 David Walser 2015-05-13 20:10:11 CEST
This also fixed (also fixed in 7.0.55) CVE-2014-0230:
http://lwn.net/Vulnerabilities/644268/

Comment 8 David Walser 2015-05-29 16:57:49 CEST
This also fixed CVE-2014-7810:
http://lwn.net/Vulnerabilities/646558/
