Upstream has issued an advisory on January 5: http://openwall.com/lists/oss-security/2017/01/05/3 The issue will be fixed in 7.0.74 and 8.0.40. Mageia 5 (tomcat 7) is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO
Debian has issued an advisory for this on January 8: https://www.debian.org/security/2017/dsa-3754
URL: (none) => https://lwn.net/Vulnerabilities/711048/
Done for mga5, updating to the latest 7.0.75 release, and a freeze push was also asked for Cauldron!
Thanks David!

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

It was discovered that incorrect error handling in the NIO HTTP connector of the Tomcat servlet and JSP engine could result in information disclosure (CVE-2016-8745).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745
https://www.debian.org/security/2017/dsa-3754
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.75
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.75-1.mga5
tomcat-admin-webapps-7.0.75-1.mga5
tomcat-docs-webapp-7.0.75-1.mga5
tomcat-javadoc-7.0.75-1.mga5
tomcat-jsvc-7.0.75-1.mga5
tomcat-jsp-2.2-api-7.0.75-1.mga5
tomcat-lib-7.0.75-1.mga5
tomcat-servlet-3.0-api-7.0.75-1.mga5
tomcat-el-2.2-api-7.0.75-1.mga5
tomcat-webapps-7.0.75-1.mga5

tomcat-7.0.75-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
The following 22 packages are going to be installed:

- apache-commons-collections-3.2.2-1.mga5.noarch
- apache-commons-daemon-1.0.15-5.mga5.x86_64
- apache-commons-daemon-jsvc-1.0.15-5.mga5.x86_64
- apache-commons-dbcp-1.4-19.mga5.noarch
- apache-commons-pool-1.6-10.mga5.noarch
- ecj-4.4.0-1.mga5.noarch
- geronimo-jta-1.1.1-14.mga5.noarch
- jakarta-taglibs-standard-1.1.2-15.mga5.noarch
- tomcat-7.0.75-1.mga5.noarch
- tomcat-admin-webapps-7.0.75-1.mga5.noarch
- tomcat-docs-webapp-7.0.75-1.mga5.noarch
- tomcat-el-2.2-api-7.0.75-1.mga5.noarch
- tomcat-javadoc-7.0.75-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.75-1.mga5.noarch
- tomcat-jsvc-7.0.75-1.mga5.noarch
- tomcat-lib-7.0.75-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.75-1.mga5.noarch
- tomcat-webapps-7.0.75-1.mga5.noarch
- xalan-j2-2.7.1-10.mga5.noarch
- xerces-j2-2.11.0-14.1.mga5.noarch
- xml-commons-apis-1.4.01-18.mga5.noarch
- xml-commons-resolver-1.2-16.mga5.noarch

69MB of additional disk space will be used.
13MB of packages will be retrieved.
Is it ok to continue?

# systemctl start tomcat.service
# ps -ef | grep tom
tomcat 6727 1 40 07:55 ? 00:00:10 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

I followed Claire's instructions on setting up admin and used gui-manager. Seems to work as designed.
CC: (none) => brtians1
Whiteboard: (none) => mga5-64-ok
CC: (none) => lewyssmith
Whiteboard: mga5-64-ok => mga5-64-ok advisory
David, are we affected by this?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851304
https://www.debian.org/security/2017/dsa-3787
https://www.debian.org/security/2017/dsa-3788
Nope, we are not affected, as this issue was fixed in the 7.0.75 and 8.0.41 releases.
$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux

The following 12 packages are going to be installed:

- apache-commons-collections-3.2.2-1.mga5.noarch
- apache-commons-daemon-1.0.15-5.mga5.i586
- apache-commons-dbcp-1.4-19.mga5.noarch
- apache-commons-pool-1.6-10.mga5.noarch
- ecj-4.4.0-1.mga5.noarch
- geronimo-jta-1.1.1-14.mga5.noarch
- tomcat-7.0.75-1.mga5.noarch
- tomcat-admin-webapps-7.0.75-1.mga5.noarch
- tomcat-el-2.2-api-7.0.75-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.75-1.mga5.noarch
- tomcat-lib-7.0.75-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.75-1.mga5.noarch

7.9MB of additional disk space will be used.
6.9MB of packages will be retrieved.
Is it ok to continue?

Edited /etc/tomcat/tomcat-users.xml and uncommented the users, adding the manager-gui role to one of them. Started the service and confirmed it was running.

# ps -ef | grep tom
tomcat 6136 1 14 09:47 ? 00:00:05 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

Followed the links and went into the admin site.

Browse http://localhost:8080/sample and http://localhost:8080/examples and click the links. Also browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with the manager-gui role.
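As an added example, not part of this bug report or of Mageia's QA procedure, the following POSIX shell check decides from an rpm-style tomcat version string whether the installed package is at or above the release that fixed CVE-2016-8745 on its branch (7.0.74 for 7.x and 8.0.40 for 8.0.x, as stated in the upstream advisory above). The version strings fed to it below are constructed for illustration; the `check_installed` helper and the use of `sort -V` for ordering are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): is a tomcat package version at or
# above the release that fixed CVE-2016-8745 on its branch?
# Fixed releases named in the thread: 7.0.74 (7.x) and 8.0.40 (8.0.x).
# Input is an rpm-style version-release such as "7.0.75-1.mga5".
#
# Returns 0 if fixed, 1 if still affected, 2 if the branch is not covered.
tomcat_fixed_cve_2016_8745() {
    ver="${1%%-*}"                 # drop the rpm release: 7.0.75-1.mga5 -> 7.0.75
    case "$ver" in
        7.0.*) fixed="7.0.74" ;;
        8.0.*) fixed="8.0.40" ;;
        *)     return 2 ;;
    esac
    # sort -V (assumed available; GNU coreutils) orders by numeric component.
    # If the fixed version sorts first, the installed one is >= fixed.
    lowest=$(printf '%s\n%s\n' "$ver" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Hypothetical helper for a Mageia host: query rpm for the installed tomcat
# and report. Not run at load time so the check itself stays offline.
check_installed() {
    pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat 2>/dev/null) \
        || { echo "tomcat: not installed or rpm unavailable"; return 0; }
    if tomcat_fixed_cve_2016_8745 "$pkg"; then
        echo "tomcat $pkg: fixed for CVE-2016-8745"
    else
        echo "tomcat $pkg: affected or unknown branch, update required"
    fi
}

# Constructed sample inputs: the version shipped by this update, a made-up
# older 7.0.x build, and a branch the check does not cover.
for v in "7.0.75-1.mga5" "7.0.70-1.mga5" "9.0.0-1.mga5"; do
    tomcat_fixed_cve_2016_8745 "$v"; rc=$?
    case "$rc" in
        0) echo "$v: fixed" ;;
        1) echo "$v: affected" ;;
        *) echo "$v: branch not covered" ;;
    esac
done
```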
Keywords: (none) => validated_update
Whiteboard: mga5-64-ok advisory => mga5-64-ok mga5-32-ok advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0050.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED