Upstream revealed several new security issues on February 22:
http://tomcat.apache.org/security-7.html

Updated packages uploaded for Mageia 5.

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 7.x before 7.0.65 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory (CVE-2015-5174).

The Mapper component in 7.x before 7.0.67 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character (CVE-2015-5345).

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java (CVE-2015-5346).

The Manager and Host Manager applications in Apache Tomcat 7.x before 7.0.68 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token (CVE-2015-5351).

Apache Tomcat 7.x before 7.0.68 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application (CVE-2016-0706).

The session-persistence implementation in Apache Tomcat 7.x before 7.0.68 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session (CVE-2016-0714).

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context (CVE-2016-0763).

The tomcat package has been updated to version 7.0.68 to fix these issues. The tomcat-native package has also been updated to version 1.1.34 for compatibility with the updated tomcat.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763
http://tomcat.apache.org/security-7.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.68-1.mga5
tomcat-admin-webapps-7.0.68-1.mga5
tomcat-docs-webapp-7.0.68-1.mga5
tomcat-javadoc-7.0.68-1.mga5
tomcat-jsvc-7.0.68-1.mga5
tomcat-jsp-2.2-api-7.0.68-1.mga5
tomcat-lib-7.0.68-1.mga5
tomcat-servlet-3.0-api-7.0.68-1.mga5
tomcat-el-2.2-api-7.0.68-1.mga5
tomcat-webapps-7.0.68-1.mga5
libtcnative1-1.1.34-1.mga5
libtcnative1-devel-1.1.34-1.mga5

from SRPMS:
tomcat-7.0.68-1.mga5.src.rpm
tomcat-native-1.1.34-1.mga5.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17 Ideas for testing tomcat-native can be found in Bug 16568.
Whiteboard: (none) => has_procedure
Advisory uploaded.
Whiteboard: has_procedure => has_procedure advisory
Installed packages on Mageia 5_64. Installation went fine.

http://127.0.0.1:8080/

Results
----------------------
Apache Tomcat/7.0.68
If you're seeing this, you've successfully installed Tomcat. Congratulations!
--------------------------
CC: (none) => brtians1
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
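The check that the testing procedure above asks for (install the packages from updates_testing, then confirm that the default page at http://127.0.0.1:8080/ reports Apache Tomcat/7.0.68) can be scripted so that a QA tester gets a clear fixed/vulnerable verdict instead of reading the banner by eye. The script below is an added example and is not part of the bug report or of Mageia QA's own tooling; the function names, the constructed sample page body and the live-usage commands in the comments are assumptions of this example, and the only values taken from the report are the fixed versions 7.0.68 and 1.1.34 and the package names.

```shell
#!/bin/sh
# Added example (not from the Mageia bug report): verify that a Tomcat
# instance reports a version at or above the release that carries the fixes.

FIXED_TOMCAT="7.0.68"   # fixed tomcat version named in the advisory

# Extract "X.Y.Z" from the "Apache Tomcat/X.Y.Z" banner on the default page.
# Prints nothing when no banner is present.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 is greater than or equal to $2, comparing
# field by field (so 7.0.68 >= 7.0.7 and 7.0.100 >= 7.0.68 are handled).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# Verdict for a captured default-page body: "fixed (v)", "vulnerable (v)",
# or "unknown" (exit status 1) when the page carries no Tomcat banner.
check_banner() {
    v=$(banner_version "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 1
    fi
    if version_ge "$v" "$FIXED_TOMCAT"; then
        echo "fixed ($v)"
    else
        echo "vulnerable ($v)"
    fi
}

# Constructed sample of the default page body, matching the result pasted
# in the test report above (hypothetical markup, not captured from a host).
SAMPLE_PAGE='<html><body><h1>Apache Tomcat/7.0.68</h1><p>If you are seeing this, you have successfully installed Tomcat. Congratulations!</p></body></html>'

# Live usage on a QA host (assumed commands, not run here):
#   check_banner "$(curl -s http://127.0.0.1:8080/)"
#   rpm -q tomcat libtcnative1   # expect tomcat-7.0.68-1.mga5, libtcnative1-1.1.34-1.mga5

check_banner "$SAMPLE_PAGE"
```

The banner only proves which version answered on port 8080; if the default ROOT application is not deployed the page has no banner and the script reports unknown, in which case the rpm query is the authoritative check. Both checks belong in the test report, since a stale process left running from the old package would still answer with the old banner after the rpm upgrade.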
David - I'm not finding 7.0.68 in MGA5-32 repository to download. Can you re-trigger it and see if my mirror loads? Thanks, brian
No, I'm not rebuilding it when it's already there. Confirmed by checking kernel.org. Try a different mirror.
I don't know how many times I did an update and it didn't take. Finally dropped and re-added the media. That worked. Sorry for the burden David.

Mageia 5_32. Installation went fine.

Results
-----------------
Apache Tomcat/7.0.68
If you're seeing this, you've successfully installed Tomcat. Congratulations!
-----------------
Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
Well done Brian. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0090.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2015-5346: http://lwn.net/Vulnerabilities/678633/