Bug 20081 - tomcat new security issue CVE-2016-8745
Summary: tomcat new security issue CVE-2016-8745
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/711048/
Whiteboard: mga5-64-ok mga5-32-ok advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-01-06 13:23 CET by David Walser
Modified: 2017-02-18 22:06 CET
4 users

See Also:
Source RPM: tomcat-8.0.39-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-01-06 13:23:54 CET
Upstream has issued an advisory on January 5:
http://openwall.com/lists/oss-security/2017/01/05/3

The issue will be fixed in 7.0.74 and 8.0.40.

Mageia 5 (tomcat 7) is also affected.
David Walser 2017-01-06 13:24:10 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-01-09 23:29:01 CET
Debian has issued an advisory for this on January 8:
https://www.debian.org/security/2017/dsa-3754

URL: (none) => https://lwn.net/Vulnerabilities/711048/

Comment 2 David GEIGER 2017-02-10 15:03:18 CET
Done for mga5, updating to the latest 7.0.75 release, and a freeze push was also asked for Cauldron!
Comment 3 David Walser 2017-02-11 13:13:56 CET
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

It was discovered that incorrect error handling in the NIO HTTP connector of
the Tomcat servlet and JSP engine could result in information disclosure
(CVE-2016-8745).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745
https://www.debian.org/security/2017/dsa-3754
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.75
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.75-1.mga5
tomcat-admin-webapps-7.0.75-1.mga5
tomcat-docs-webapp-7.0.75-1.mga5
tomcat-javadoc-7.0.75-1.mga5
tomcat-jsvc-7.0.75-1.mga5
tomcat-jsp-2.2-api-7.0.75-1.mga5
tomcat-lib-7.0.75-1.mga5
tomcat-servlet-3.0-api-7.0.75-1.mga5
tomcat-el-2.2-api-7.0.75-1.mga5
tomcat-webapps-7.0.75-1.mga5

tomcat-7.0.75-1.mga5.src.rpm

Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 4 Brian Rockwell 2017-02-11 15:09:13 CET
The following 22 packages are going to be installed:

- apache-commons-collections-3.2.2-1.mga5.noarch
- apache-commons-daemon-1.0.15-5.mga5.x86_64
- apache-commons-daemon-jsvc-1.0.15-5.mga5.x86_64
- apache-commons-dbcp-1.4-19.mga5.noarch
- apache-commons-pool-1.6-10.mga5.noarch
- ecj-4.4.0-1.mga5.noarch
- geronimo-jta-1.1.1-14.mga5.noarch
- jakarta-taglibs-standard-1.1.2-15.mga5.noarch
- tomcat-7.0.75-1.mga5.noarch
- tomcat-admin-webapps-7.0.75-1.mga5.noarch
- tomcat-docs-webapp-7.0.75-1.mga5.noarch
- tomcat-el-2.2-api-7.0.75-1.mga5.noarch
- tomcat-javadoc-7.0.75-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.75-1.mga5.noarch
- tomcat-jsvc-7.0.75-1.mga5.noarch
- tomcat-lib-7.0.75-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.75-1.mga5.noarch
- tomcat-webapps-7.0.75-1.mga5.noarch
- xalan-j2-2.7.1-10.mga5.noarch
- xerces-j2-2.11.0-14.1.mga5.noarch
- xml-commons-apis-1.4.01-18.mga5.noarch
- xml-commons-resolver-1.2-16.mga5.noarch

69MB of additional disk space will be used.

13MB of packages will be retrieved.

Is it ok to continue?



# systemctl start tomcat.service

# ps -ef | grep tom
tomcat    6727     1 40 07:55 ?        00:00:10 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start


I followed Claire's instructions on setting up admin and used gui-manager.

Seems to work as designed.

CC: (none) => brtians1
Whiteboard: (none) => mga5-64-ok

Lewis Smith 2017-02-11 21:51:35 CET

CC: (none) => lewyssmith
Whiteboard: mga5-64-ok => mga5-64-ok advisory

Comment 6 David GEIGER 2017-02-14 17:47:43 CET
Nope, we are not affected, as this issue was fixed in the 7.0.75 and 8.0.41 releases.
Comment 7 Brian Rockwell 2017-02-18 17:04:14 CET
$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux

The following 12 packages are going to be installed:

- apache-commons-collections-3.2.2-1.mga5.noarch
- apache-commons-daemon-1.0.15-5.mga5.i586
- apache-commons-dbcp-1.4-19.mga5.noarch
- apache-commons-pool-1.6-10.mga5.noarch
- ecj-4.4.0-1.mga5.noarch
- geronimo-jta-1.1.1-14.mga5.noarch
- tomcat-7.0.75-1.mga5.noarch
- tomcat-admin-webapps-7.0.75-1.mga5.noarch
- tomcat-el-2.2-api-7.0.75-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.75-1.mga5.noarch
- tomcat-lib-7.0.75-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.75-1.mga5.noarch

7.9MB of additional disk space will be used.

6.9MB of packages will be retrieved.

Is it ok to continue?


Edited /etc/tomcat/tomcat-users.xml and uncommented the users, adding the manager-gui role to one of them.

Started the service and confirmed running.

# ps -ef | grep tom
tomcat    6136     1 14 09:47 ?        00:00:05 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start


Followed the links and went into the admin site.

Browse http://localhost:8080/sample and http://localhost:8080/examples and click the links.

Also browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with manager-gui role.

Keywords: (none) => validated_update
Whiteboard: mga5-64-ok advisory => mga5-64-ok mga5-32-ok advisory
CC: (none) => sysadmin-bugs
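The post-install checks below are an added example script, not part of this bug, of the Mageia packages or of the Tomcat project. It turns the manual validation in the two test reports above into something repeatable: it compares the installed tomcat package version against the 7.0.75 the advisory names as the fix for the 7.x branch, confirms the Bootstrap process runs as the unprivileged tomcat user (as the ps -ef output above shows), confirms the manager application demands credentials instead of serving anonymously, and flags users in tomcat-users.xml still carrying the placeholder password of the shipped example entries. Assumptions not taken from the page: rpm, systemctl and curl are available; the manager app from tomcat-admin-webapps answers at http://localhost:8080/manager/html; the shipped example users use the password "tomcat"; the script name tomcat-update-check.sh and the TOMCAT_CHECK_RUN variable are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Mageia bug or the Tomcat project: post-update
# checks for the tomcat-7.0.75-1.mga5 packages validated above.
# Assumptions: rpm, systemctl and curl exist; the manager app from
# tomcat-admin-webapps answers at MANAGER_URL; the shipped example users in
# tomcat-users.xml carry the password "tomcat".
set -eu

FIXED_VERSION="7.0.75"   # fixes CVE-2016-8745 on the 7.x branch (see advisory)
USERS_XML="/etc/tomcat/tomcat-users.xml"
MANAGER_URL="http://localhost:8080/manager/html"

# version_ge A B: succeed when dotted version A is >= B, compared numerically
# component by component (so 7.0.75 >= 7.0.9 and 7.1 >= 7.0.75).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        if [ "$a" = "$ac" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bc" ]; then b=""; else b="${b#*.}"; fi
        ac="${ac:-0}"; bc="${bc:-0}"
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
    done
    return 0
}

# bootstrap_user LINE: given one `ps -ef` line, print the user running
# Tomcat's Bootstrap class; it should be the unprivileged tomcat account.
bootstrap_user() {
    printf '%s\n' "$1" | awk '/org\.apache\.catalina\.startup\.Bootstrap/ { print $1 }'
}

# weak_users FILE: print users in tomcat-users.xml whose password equals their
# username or the placeholder "tomcat". XML comments are stripped first so the
# shipped commented-out example entries are not reported.
weak_users() {
    tr '\n' ' ' < "$1" \
      | awk '{ gsub(/<!--([^-]|-[^-])*-->/, ""); print }' \
      | grep -o '<user [^>]*/>' \
      | while IFS= read -r u; do
            name="$(printf '%s\n' "$u" | sed -n 's/.*username="\([^"]*\)".*/\1/p')"
            pw="$(printf '%s\n' "$u" | sed -n 's/.*password="\([^"]*\)".*/\1/p')"
            if [ "$pw" = "$name" ] || [ "$pw" = "tomcat" ]; then
                printf '%s\n' "$name"
            fi
        done
}

# Live checks against the local system; exits non-zero on the first failure.
main() {
    ver="$(rpm -q --qf '%{VERSION}\n' tomcat)"
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "tomcat $ver: at or above $FIXED_VERSION, CVE-2016-8745 fixed"
    else
        echo "tomcat $ver: older than $FIXED_VERSION, CVE-2016-8745 NOT fixed" >&2; exit 1
    fi
    systemctl is-active --quiet tomcat.service || { echo "tomcat.service is not running" >&2; exit 1; }
    u="$(bootstrap_user "$(ps -ef | grep '[o]rg.apache.catalina.startup.Bootstrap' | head -n 1)")"
    [ "$u" = "tomcat" ] || { echo "Bootstrap runs as '$u', expected 'tomcat'" >&2; exit 1; }
    # Without credentials the manager app must answer 401, not serve the page.
    code="$(curl -s -o /dev/null -w '%{http_code}' "$MANAGER_URL" || true)"
    [ "$code" = "401" ] || { echo "$MANAGER_URL returned $code, expected 401" >&2; exit 1; }
    weak="$(weak_users "$USERS_XML")"
    [ -z "$weak" ] || { echo "placeholder passwords still set for: $weak" >&2; exit 1; }
    echo "all checks passed"
}

# Run the live checks only when asked, so the functions can be sourced and tested offline.
if [ "${TOMCAT_CHECK_RUN:-0}" = "1" ]; then main; fi
```

Run it on the test box with `TOMCAT_CHECK_RUN=1 sh tomcat-update-check.sh` after the update and after the tomcat-users.xml edit; the last check exists because uncommenting the shipped example users for a manager-gui test leaves well-known credentials on the manager app unless they are changed or removed again.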

Comment 8 Mageia Robot 2017-02-18 22:06:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0050.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
