Tomcat has issued advisories on June 13 and 20:
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.3_and_8.0.36
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.70

It is fixed in Tomcat 8.0.36 and 7.0.70.

apache-commons-fileupload itself also needs to be fixed.

Debian-LTS has issued advisories for this on June 26:
http://lwn.net/Alerts/692818/
http://lwn.net/Alerts/692821/

Mageia 5 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO
Debian has issued advisories for this on June 29 and June 30:
https://www.debian.org/security/2016/dsa-3611
https://www.debian.org/security/2016/dsa-3609
Done for apache-commons-fileupload on Cauldron and mga5 too. Let's see still for tomcat.
And also done for tomcat on Cauldron and mga5 too! :) Note that it was fixed with an upstream patch.
Packages in 5/core/updates_testing:
========================
apache-commons-fileupload-1.3.1-4.1.mga5.noarch.rpm
apache-commons-fileupload-javadoc-1.3.1-4.1.mga5.noarch.rpm
tomcat-7.0.68-1.1.mga5.noarch.rpm
tomcat-admin-webapps-7.0.68-1.1.mga5.noarch.rpm
tomcat-docs-webapp-7.0.68-1.1.mga5.noarch.rpm
tomcat-javadoc-7.0.68-1.1.mga5.noarch.rpm
tomcat-jsvc-7.0.68-1.1.mga5.noarch.rpm
tomcat-jsp-2.2-api-7.0.68-1.1.mga5.noarch.rpm
tomcat-lib-7.0.68-1.1.mga5.noarch.rpm
tomcat-servlet-3.0-api-7.0.68-1.1.mga5.noarch.rpm
tomcat-el-2.2-api-7.0.68-1.1.mga5.noarch.rpm
tomcat-webapps-7.0.68-1.1.mga5.noarch.rpm

Source RPM:
========================
apache-commons-fileupload-1.3.1-4.1.mga5.src.rpm
tomcat-7.0.68-1.1.mga5.src.rpm
Assigning to QA.

Package list in Comment 4.

Advisory:
========================

Updated apache-commons-fileupload and tomcat packages fix security vulnerability:

The TERASOLUNA Framework Development Team discovered a denial of service vulnerability in Apache Commons FileUpload. A remote attacker can take advantage of this flaw by sending file upload requests that cause the HTTP server using the Apache Commons Fileupload library to become unresponsive, preventing the server from servicing other requests.

Tomcat contains a bundled copy of this library, so it has also been patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.70
https://www.debian.org/security/2016/dsa-3611
https://www.debian.org/security/2016/dsa-3614
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Actually assigning to QA. See Comment 5.
Assignee: mageia => qa-bugs
Procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17
Installed packages.

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 18 packages are going to be installed:

- apache-commons-collections-3.2.2-1.mga5.noarch
- apache-commons-daemon-1.0.15-5.mga5.x86_64
- apache-commons-daemon-jsvc-1.0.15-5.mga5.x86_64
- apache-commons-dbcp-1.4-19.mga5.noarch
- apache-commons-pool-1.6-10.mga5.noarch
- ecj-4.4.0-1.mga5.noarch
- geronimo-jta-1.1.1-14.mga5.noarch
- meta-task-5-28.1.mga5.noarch
- tomcat-7.0.68-1.1.mga5.noarch
- tomcat-admin-webapps-7.0.68-1.1.mga5.noarch
- tomcat-docs-webapp-7.0.68-1.1.mga5.noarch
- tomcat-el-2.2-api-7.0.68-1.1.mga5.noarch
- tomcat-javadoc-7.0.68-1.1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.68-1.1.mga5.noarch
- tomcat-jsvc-7.0.68-1.1.mga5.noarch
- tomcat-lib-7.0.68-1.1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.68-1.1.mga5.noarch
- urpmi-8.06.1-1.mga5.noarch

64MB of additional disk space will be used.

[root@localhost brian]# ps -ef | grep tom
tomcat 3416 1 0 13:38 ? 00:00:11 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

Will continue to test.
CC: (none) => brtians1
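Added example (not from this bug report or from the Mageia packages): a small Python check a tester can run to confirm that the installed tomcat and apache-commons-fileupload packages are at or above the fixed versions listed in Comment 4. It re-implements rpm's version/release comparison (rpmvercmp, without the tilde and caret extensions) so it needs no librpm; the `rpm -qa` query format it parses and the sample query output are constructed for the example.

```python
"""Check installed RPM version-release strings against the fixed versions.

Pure-Python re-implementation of rpm's rpmvercmp() (tilde/caret handling
omitted) so the check runs without librpm.  Added example; not from the
Mageia bug or the packages themselves.
"""
import re

# Fixed version-release strings for Mageia 5, taken from the package list
# in the bug report (Comment 4).
FIXED = {
    "apache-commons-fileupload": "1.3.1-4.1.mga5",
    "tomcat": "7.0.68-1.1.mga5",
}

# rpmvercmp splits a string into runs of digits and runs of letters;
# everything else (dots, dashes, underscores) is a separator.
_TOKEN = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp() for one version or release string."""
    ta = _TOKEN.findall(a)
    tb = _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            ix, iy = int(x), int(y)      # int() drops leading zeros, as rpm does
            if ix != iy:
                return 1 if ix > iy else -1
        elif x.isdigit():                # numeric segment is newer than alpha
            return 1
        elif y.isdigit():
            return -1
        elif x != y:                     # both alpha: plain strcmp
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    if len(ta) == len(tb):
        return 0
    return 1 if len(ta) > len(tb) else -1


def split_vr(vr):
    """Split 'version-release' at the last dash (release may contain dots)."""
    version, _, release = vr.rpartition("-")
    return version, release


def compare_vr(installed, fixed):
    """Compare two version-release strings: version first, then release."""
    iv, ir = split_vr(installed)
    fv, fr = split_vr(fixed)
    c = rpmvercmp(iv, fv)
    return c if c != 0 else rpmvercmp(ir, fr)


def needs_update(name, installed):
    """True if the installed version-release is older than the fixed one."""
    return compare_vr(installed, FIXED[name]) < 0


def parse_rpm_query(output):
    r"""Parse lines of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` (assumed format)."""
    result = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            result[parts[0]] = parts[1]
    return result


def audit(output):
    """Return the tracked package names still below their fixed version."""
    installed = parse_rpm_query(output)
    return sorted(n for n, vr in installed.items()
                  if n in FIXED and needs_update(n, vr))


# Constructed sample query output, not captured from a real system:
# tomcat is still at the pre-update release, fileupload is already fixed.
SAMPLE_QUERY = """\
tomcat 7.0.68-1.mga5
apache-commons-fileupload 1.3.1-4.1.mga5
apache-commons-pool 1.6-10.mga5
"""

if __name__ == "__main__":
    print("still vulnerable:", audit(SAMPLE_QUERY))
```

The release comparison is what matters for a backported fix like this one: the upstream version stays 7.0.68, and only the release bumps from 1.mga5 to 1.1.mga5, so a naive string or float comparison of the version alone would report the box as patched.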
Ran into a conflict and had to reinstall in VM.

This worked in MG5 i586

Apache Tomcat/7.0.68
If you're seeing this, you've successfully installed Tomcat. Congratulations!

Manager gui requests user-id and password, so seems to be working as designed.
Whiteboard: (none) => MGA5-32-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0260.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED