Bug 18803 - apache-commons-fileupload, tomcat new security issue CVE-2016-3092
Summary: apache-commons-fileupload, tomcat new security issue CVE-2016-3092
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/692856/
Whiteboard: MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-06-28 00:37 CEST by David Walser
Modified: 2016-07-26 23:17 CEST
CC: 4 users

See Also:
Source RPM: tomcat-8.0.32-1.mga6.src.rpm, apache-commons-fileupload-1.3.1-9.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2016-06-28 00:37:11 CEST
Tomcat has issued advisories on June 13 and 20:
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.3_and_8.0.36
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.70

It is fixed in Tomcat 8.0.36 and 7.0.70.

apache-commons-fileupload itself also needs to be fixed.

Debian-LTS has issued advisories for this on June 26:
http://lwn.net/Alerts/692818/
http://lwn.net/Alerts/692821/

Mageia 5 is also affected.
David Walser 2016-06-28 00:37:21 CEST

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-06-30 16:51:21 CEST
Debian has issued advisories for this on June 29 and June 30:
https://www.debian.org/security/2016/dsa-3611
https://www.debian.org/security/2016/dsa-3609
Comment 2 David GEIGER 2016-07-02 14:31:07 CEST
Done for apache-commons-fileupload on Cauldron and mga5 too.

Let's see still for tomcat.
Comment 3 David GEIGER 2016-07-02 16:12:56 CEST
And also done for tomcat on Cauldron and mga5 too! :)

Note that it was fixed with an upstream patch.
Comment 4 David GEIGER 2016-07-03 07:56:26 CEST
Packages in 5/core/updates_testing:
========================
apache-commons-fileupload-1.3.1-4.1.mga5.noarch.rpm
apache-commons-fileupload-javadoc-1.3.1-4.1.mga5.noarch.rpm

tomcat-7.0.68-1.1.mga5.noarch.rpm
tomcat-admin-webapps-7.0.68-1.1.mga5.noarch.rpm
tomcat-docs-webapp-7.0.68-1.1.mga5.noarch.rpm
tomcat-javadoc-7.0.68-1.1.mga5.noarch.rpm
tomcat-jsvc-7.0.68-1.1.mga5.noarch.rpm
tomcat-jsp-2.2-api-7.0.68-1.1.mga5.noarch.rpm
tomcat-lib-7.0.68-1.1.mga5.noarch.rpm
tomcat-servlet-3.0-api-7.0.68-1.1.mga5.noarch.rpm
tomcat-el-2.2-api-7.0.68-1.1.mga5.noarch.rpm
tomcat-webapps-7.0.68-1.1.mga5.noarch.rpm


Source RPM: 
========================
apache-commons-fileupload-1.3.1-4.1.mga5.src.rpm
tomcat-7.0.68-1.1.mga5.src.rpm
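An added check, not part of this bug report or of Mageia's own tooling: a small Python script that compares the output of `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` against the fixed builds listed above, using RPM's version-ordering rules (numeric segments compared as integers, alphabetic segments lexically, `~` sorting before everything) rather than a plain string comparison, so that `7.0.68-1.mga5` is correctly reported as older than `7.0.68-1.1.mga5`. The `SAMPLE_RPM_QA` text is constructed for illustration and is not output from any tester's machine; the `FIXED` table is taken from the package list in Comment 4.

```python
"""Report installed tomcat / apache-commons-fileupload packages that are
older than the fixed Mageia 5 builds for CVE-2016-3092 (Comment 4)."""
import re

# Fixed builds from Comment 4 of this bug: package name -> version-release.
FIXED = {
    "apache-commons-fileupload": "1.3.1-4.1.mga5",
    "tomcat": "7.0.68-1.1.mga5",
    "tomcat-lib": "7.0.68-1.1.mga5",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'`
# output (assumed format, not real output): two packages are still unpatched.
SAMPLE_RPM_QA = """\
tomcat 0:7.0.68-1.mga5
tomcat-lib 0:7.0.68-1.1.mga5
apache-commons-fileupload 0:1.3.1-4.mga5
ecj 0:4.4.0-1.mga5
"""


def _segments(s):
    """Split a version string into the segments rpmvercmp compares."""
    return re.findall(r"[0-9]+|[a-zA-Z]+|~", s)


def rpmvercmp(a, b):
    """Subset of RPM's rpmvercmp: digits, letters and '~' (no '^' handling).
    Returns -1, 0 or 1 like the C function."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":            # only y has a tilde: a is newer
                return 1
            if y != "~":            # only x has a tilde: a is older
                return -1
            continue                # both tilde: keep comparing
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():           # numeric segment beats alphabetic one
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # Whichever side has segments left over is newer, unless the leftover
    # starts with a tilde (pre-release), in which case it is older.
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_evr(evr):
    """'0:7.0.68-1.1.mga5' -> (0, '7.0.68', '1.1.mga5'); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, release = evr.rsplit("-", 1)
    return epoch, version, release


def evrcmp(a, b):
    """Compare two epoch:version-release strings; epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    if c:
        return c
    return rpmvercmp(ra, rb)


def find_unpatched(rpm_qa_output, fixed=FIXED):
    """Return {name: installed_evr} for listed packages still below the fixed build."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, evr = line.split()
            installed[name] = evr
    return {
        name: installed[name]
        for name, fixed_evr in fixed.items()
        if name in installed and evrcmp(installed[name], fixed_evr) < 0
    }


if __name__ == "__main__":
    for name, evr in sorted(find_unpatched(SAMPLE_RPM_QA).items()):
        print(f"{name}: installed {evr}, need >= {FIXED[name]}")
```

Run it against real output by piping `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` into `find_unpatched`; an empty result means every package in the table is at or above the fixed build. The comparison deliberately reimplements RPM's segment rules instead of calling out to `rpm`, so it can also be run on a host that is not the one being audited.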
Comment 5 David Walser 2016-07-05 20:25:53 CEST
Assigning to QA.  Package list in Comment 4.

Advisory:
========================

Updated apache-commons-fileupload and tomcat packages fix security
vulnerability:

The TERASOLUNA Framework Development Team discovered a denial of service
vulnerability in Apache Commons FileUpload. A remote attacker can take advantage
of this flaw by sending file upload requests that cause the HTTP server using
the Apache Commons Fileupload library to become unresponsive, preventing the
server from servicing other requests.

Tomcat contains a bundled copy of this library, so it has also been patched to
fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.70
https://www.debian.org/security/2016/dsa-3611
https://www.debian.org/security/2016/dsa-3614

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 6 David Walser 2016-07-06 19:54:59 CEST
Actually assigning to QA.  See Comment 5.

Assignee: mageia => qa-bugs

Comment 7 claire robinson 2016-07-08 17:20:41 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17
Comment 8 Brian Rockwell 2016-07-18 21:47:26 CEST
Installed packages.

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 18 packages are going to be installed:

- apache-commons-collections-3.2.2-1.mga5.noarch
- apache-commons-daemon-1.0.15-5.mga5.x86_64
- apache-commons-daemon-jsvc-1.0.15-5.mga5.x86_64
- apache-commons-dbcp-1.4-19.mga5.noarch
- apache-commons-pool-1.6-10.mga5.noarch
- ecj-4.4.0-1.mga5.noarch
- geronimo-jta-1.1.1-14.mga5.noarch
- meta-task-5-28.1.mga5.noarch
- tomcat-7.0.68-1.1.mga5.noarch
- tomcat-admin-webapps-7.0.68-1.1.mga5.noarch
- tomcat-docs-webapp-7.0.68-1.1.mga5.noarch
- tomcat-el-2.2-api-7.0.68-1.1.mga5.noarch
- tomcat-javadoc-7.0.68-1.1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.68-1.1.mga5.noarch
- tomcat-jsvc-7.0.68-1.1.mga5.noarch
- tomcat-lib-7.0.68-1.1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.68-1.1.mga5.noarch
- urpmi-8.06.1-1.mga5.noarch

64MB of additional disk space will be used.


[root@localhost brian]# ps -ef | grep tom
tomcat    3416     1  0 13:38 ?        00:00:11 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start


Will continue to test.

CC: (none) => brtians1

Comment 9 Brian Rockwell 2016-07-18 22:16:31 CEST
Ran into a conflict and had to reinstall in VM.

This worked in MG5 i586


Apache Tomcat/7.0.68
If you're seeing this, you've successfully installed Tomcat. Congratulations!


Manager gui requests user-id and password, so seems to be working as designed.
Brian Rockwell 2016-07-23 18:26:30 CEST

Whiteboard: (none) => MGA5-32-OK

Dave Hodgins 2016-07-26 22:48:20 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 10 Mageia Robot 2016-07-26 23:17:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0260.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
