Bug 20655 - tomcat new security issues CVE-2017-5647 and CVE-2017-5648
Summary: tomcat new security issues CVE-2017-5647 and CVE-2017-5648
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-04-11 00:41 CEST by David Walser
Modified: 2017-04-28 00:22 CEST (History)
4 users (show)

See Also:
Source RPM: tomcat-8.0.41-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-04-11 00:41:09 CEST
Apache has issued advisories today (April 10):
http://openwall.com/lists/oss-security/2017/04/10/24
http://openwall.com/lists/oss-security/2017/04/10/23

Mageia 5 is also affected.

The issues are fixed upstream in 7.0.77 and 8.0.43.
Comment 1 Nicolas Lécureuil 2017-04-21 11:07:27 CEST
pushed in updates_testing:

srpms: tomcat-7.0.77-1.mga5
Comment 2 David Walser 2017-04-21 12:16:56 CEST
Thanks Nicolas!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

A bug in the handling of the pipelined requests when send file was used
resulted in the pipelined request being lost when send file processing of the
previous request completed. This could result in responses appearing to be
sent for the wrong request. For example, a user agent that sent requests A, B
and C could see the correct response for request A, the response for request
C for request B and no response for request C (CVE-2017-5647).

While investigating bug 60718, it was noticed that some calls to application
listeners did not use the appropriate facade object. When running an
untrusted application under a SecurityManager, it was therefore possible for
that untrusted application to retain a reference to the request or response
object and thereby access and/or modify information associated with another
web application (CVE-2017-5648).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5648
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.77
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.77-1.mga5
tomcat-admin-webapps-7.0.77-1.mga5
tomcat-docs-webapp-7.0.77-1.mga5
tomcat-javadoc-7.0.77-1.mga5
tomcat-jsvc-7.0.77-1.mga5
tomcat-jsp-2.2-api-7.0.77-1.mga5
tomcat-lib-7.0.77-1.mga5
tomcat-servlet-3.0-api-7.0.77-1.mga5
tomcat-el-2.2-api-7.0.77-1.mga5
tomcat-webapps-7.0.77-1.mga5

from tomcat-7.0.77-1.mga5.src.rpm
Comment 3 Herman Viaene 2017-04-21 15:40:32 CEST
MGA-32 on Asus A6000VM Xfce
No installtion issues.
Followed procedure as per Comment 2, all works OK.
Comment 4 Herman Viaene 2017-04-25 19:52:47 CEST
MGA5-64 on Lenovo B50KDE
No installation issues.
Followed procedure as per Comment 2, all works OK.
Comment 5 Dave Hodgins 2017-04-27 20:36:40 CEST
Validating the update. Thanks for the testing Herman.
Comment 6 Mageia Robot 2017-04-28 00:22:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0117.html

Note You need to log in before you can comment on or make changes to this bug.