openSUSE has issued an advisory on September 6: http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html This is another "httpoxy" issue. It may be fixed in our package already; I'm not sure. I also don't know if tomcat7 (Mageia 5) is affected.
Assigning to maintainer
CC: (none) => marja11
Assignee: bugsquad => mageia
David found the fix. Cauldron updated. Mageia 5 patched.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue (CVE-2016-5388).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.68-1.2.mga5
tomcat-admin-webapps-7.0.68-1.2.mga5
tomcat-docs-webapp-7.0.68-1.2.mga5
tomcat-javadoc-7.0.68-1.2.mga5
tomcat-jsvc-7.0.68-1.2.mga5
tomcat-jsp-2.2-api-7.0.68-1.2.mga5
tomcat-lib-7.0.68-1.2.mga5
tomcat-servlet-3.0-api-7.0.68-1.2.mga5
tomcat-el-2.2-api-7.0.68-1.2.mga5
tomcat-webapps-7.0.68-1.2.mga5

from tomcat-7.0.68-1.2.mga5.src.rpm
Version: Cauldron => 5
Assignee: mageia => qa-bugs
Summary: tomcat new security issue CVE-2016-5388 => tomcat (tomcat7) new security issue CVE-2016-5388
Source RPM: tomcat-8.0.36-1.mga6.src.rpm => tomcat-7.0.68-1.1.mga5.src.rpm
Whiteboard: (none) => has_procedure
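The advisory above describes the mechanism only in words; the following is an added example (not Tomcat's or Mageia's code) that models how a CGI gateway turns request headers into HTTP_* environment variables per RFC 3875 section 4.1.18, shows how a client-sent "Proxy:" header therefore lands in HTTP_PROXY, and contrasts that with a hardened mapping that only exports an allow-list of header names. The allow-list pattern, the crafted request and the placeholder proxy host are constructed for this example.

```python
# Added example, not Tomcat code: RFC 3875 4.1.18 header-to-environment
# mapping, unhardened (httpoxy-exposed) versus hardened (allow-listed).
import re
from typing import Dict, Iterable, Tuple

# Constructed allow-list of header names a CGI script legitimately needs.
# "Proxy" is not a standard request header, so it never matches and can no
# longer be exported as HTTP_PROXY when harden=True.
SAFE_HEADER_PATTERN = re.compile(
    r"^(ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT)$"
)


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 4.1.18: upper-case the name, map '-' to '_', prefix HTTP_."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def build_cgi_env(headers: Iterable[Tuple[str, str]], harden: bool = True) -> Dict[str, str]:
    """Build the HTTP_* part of a CGI environment from request headers.

    harden=False reproduces the RFC-literal behaviour the advisory describes;
    harden=True exports only headers matching SAFE_HEADER_PATTERN.
    """
    env: Dict[str, str] = {}
    for name, value in headers:
        canonical = name.strip().upper()
        if harden and not SAFE_HEADER_PATTERN.match(canonical):
            continue
        var = header_to_meta_variable(canonical)
        # RFC 3875: repeated header fields are combined into one value
        env[var] = env[var] + ", " + value if var in env else value
    return env


def httpoxy_exposed(env: Dict[str, str]) -> bool:
    """True if a client-controlled value reached HTTP_PROXY."""
    return "HTTP_PROXY" in env


# Constructed request: an ordinary client request plus a crafted Proxy header.
CRAFTED_REQUEST = [
    ("Host", "localhost:8080"),
    ("User-Agent", "curl/7.47.0"),
    ("Accept", "*/*"),
    ("Proxy", "http://proxy.placeholder.example:8080"),
]

if __name__ == "__main__":
    print("unpatched exports HTTP_PROXY:", httpoxy_exposed(build_cgi_env(CRAFTED_REQUEST, harden=False)))
    print("patched exports HTTP_PROXY:  ", httpoxy_exposed(build_cgi_env(CRAFTED_REQUEST, harden=True)))
```

The same check can be run against a real deployment by pointing a CGI script that dumps its environment at the patched package and confirming HTTP_PROXY is absent when the request carries a Proxy header.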
Installed and configured, and confirmed tomcat working as per bug 8307. Installed the updates, and restarted tomcat. After that http://localhost:8080/sample/hello works, but http://localhost:8080/examples returns a 404, as does http://localhost:8080
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure feedback
David, do you have any idea? This 404 error doesn't look like it should be happening because of the patch.
CC: (none) => geiger.david68210
Found it. Had to add the closing --> to line 357 of /etc/tomcat/web.xml, the last line added in the changes to the file.
Wow!! my bad :( A typo when I had rebased the upstream patch. Thanks Dave for pointing that out, so it should be fixed now for mga5.
Updated packages in core/updates_testing:
========================
tomcat-7.0.68-1.3.mga5
tomcat-admin-webapps-7.0.68-1.3.mga5
tomcat-docs-webapp-7.0.68-1.3.mga5
tomcat-javadoc-7.0.68-1.3.mga5
tomcat-jsvc-7.0.68-1.3.mga5
tomcat-jsp-2.2-api-7.0.68-1.3.mga5
tomcat-lib-7.0.68-1.3.mga5
tomcat-servlet-3.0-api-7.0.68-1.3.mga5
tomcat-el-2.2-api-7.0.68-1.3.mga5
tomcat-webapps-7.0.68-1.3.mga5

from tomcat-7.0.68-1.3.mga5.src.rpm
Whiteboard: has_procedure feedback => has_procedure
Fixed now. Validating. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0312.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED