Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and JSP engine, static error pages used the original request's HTTP method to serve content, instead of systematically using the GET method. This could under certain conditions result in undesirable results, including the replacement or removal of the custom error page.
CVE: (none) => CVE-2017-5664
URL: (none) => http://www.linuxsecurity.com/content/view/171881/
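A defensive illustration of the behaviour the fix restores (an added example, not Tomcat's or Mageia's code; the filter class name is hypothetical): a Servlet 3.0 filter mapped to ERROR dispatches that makes the error page request look like a GET, so the handler serving the static error page cannot be driven into PUT or DELETE processing of that resource.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical class, not part of Tomcat. Map it in web.xml with
// <dispatcher>ERROR</dispatcher> so it only runs on error-page dispatches.
public class ErrorPageGetFilter implements Filter {

    // GET and HEAD are left alone; any other method becomes GET for the error page.
    static String effectiveMethod(String original) {
        if ("GET".equals(original) || "HEAD".equals(original)) {
            return original;
        }
        return "GET";
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req.getDispatcherType() == DispatcherType.ERROR && req instanceof HttpServletRequest) {
            final HttpServletRequest http = (HttpServletRequest) req;
            final String method = effectiveMethod(http.getMethod());
            // The wrapped request reports the safe method to whatever serves the
            // error page, while the client's original response status is untouched.
            req = new HttpServletRequestWrapper(http) {
                @Override
                public String getMethod() {
                    return method;
                }
            };
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Keeping the default servlet's `readonly` parameter at its default of `true` remains the primary control; the filter only removes the method confusion on the error dispatch.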
We have tomcat-8.0.43-1.mga6 in cauldron, does that have this vulnerability, too? Mageia 5 has tomcat version 7.0.77
CC: (none) => geiger.david68210, marja11
Whiteboard: (none) => MGA5TOO
Assignee: bugsquad => mageia
It appears so. tomcat7 needs to be updated to 7.0.78; tomcat8 needs to be updated to 8.5.14.
http://www.linuxsecurity.com/content/view/171880/170/
http://www.linuxsecurity.com/content/view/171902/170/
Actual source of this is Debian advisories from June 22:
https://www.debian.org/security/2017/dsa-3891
https://www.debian.org/security/2017/dsa-3892
CC: (none) => luigiwalser
Summary: tomcat security vulnerability CVE-2017-5664 => tomcat new security issue CVE-2017-5664
URL: http://www.linuxsecurity.com/content/view/171881/ => (none)
Source RPM: tomcat => tomcat-8.0.43-1.mga6.src.rpm
Fixed for Cauldron updating tomcat to 8.0.44 release and also for mga5 updating tomcat to 7.0.78 release!
Thanks David!

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

Aniket Nandkishor Kulkarni discovered that in tomcat7, static error pages used the original request's HTTP method to serve content, instead of systematically using the GET method. This could under certain conditions result in undesirable results, including the replacement or removal of the custom error page (CVE-2017-5664).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://www.debian.org/security/2017/dsa-3892
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.78-1.mga5
tomcat-admin-webapps-7.0.78-1.mga5
tomcat-docs-webapp-7.0.78-1.mga5
tomcat-javadoc-7.0.78-1.mga5
tomcat-jsvc-7.0.78-1.mga5
tomcat-jsp-2.2-api-7.0.78-1.mga5
tomcat-lib-7.0.78-1.mga5
tomcat-servlet-3.0-api-7.0.78-1.mga5
tomcat-el-2.2-api-7.0.78-1.mga5
tomcat-webapps-7.0.78-1.mga5

from tomcat-7.0.78-1.mga5.src.rpm
Assignee: mageia => qa-bugs
CC: (none) => mageia
Whiteboard: MGA5TOO => has_procedure
Version: Cauldron => 5
MGA5-32 on Asus A6000VM

No installation issues.

The samples and example work OK as per bug 8307, but trying to log in to the manager app results in an Exception report message:

java.lang.ClassNotFoundException: org.apache.jsp.index_jsp

Googling on the error leads me to suspect a problem with the jsp version. Quote: "At the end it appeared, that I got newer tomcat which has different version of jsp-api provided (in tomcat 7.0.60 and above it will be jsp-api 2.2)."

That's where I throw in my hat.
CC: (none) => herman.viaene
Testing Mageia 5 64-bit using https://bugs.mageia.org/show_bug.cgi?id=19828#c5

BEFORE the update:
tomcat-admin-webapps-7.0.77-1.mga5
tomcat-7.0.77-1.mga5
tomcat-jsp-2.2-api-7.0.77-1.mga5
tomcat-el-2.2-api-7.0.77-1.mga5
tomcat-servlet-3.0-api-7.0.77-1.mga5
tomcat-webapps-7.0.77-1.mga5
tomcat-lib-7.0.77-1.mga5

File /etc/tomcat/tomcat-users.xml was already correctly configured:
...
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
...
<role rolename="manager-gui"/>
<user username="***" password="***" roles="manager-gui"/>
...

AFTER the uneventful update:
tomcat-jsp-2.2-api-7.0.78-1.mga5
tomcat-servlet-3.0-api-7.0.78-1.mga5
tomcat-lib-7.0.78-1.mga5
tomcat-el-2.2-api-7.0.78-1.mga5
tomcat-7.0.78-1.mga5
tomcat-admin-webapps-7.0.78-1.mga5
tomcat-webapps-7.0.78-1.mga5

# systemctl restart tomcat.service

http://localhost:8080/ correctly shows: "Apache Tomcat/7.0.78"

http://localhost:8080/manager/status [server status link on home page] asks for the 'manager-gui' username/password, then shows a valid "Server Status" page; the 4 'Manager' links work.

http://localhost:8080/manager/html [Manager App link on home page] shows the "Tomcat Web Application Manager" page, including the test links:
http://localhost:8080/sample/ [both worked]
http://localhost:8080/examples/
Tried many of these, all worked.

The only thing I could not pass was the 'Host manager' link on the home page:
http://localhost:8080/host-manager/html
which gave "403 Access Denied" because <role rolename="admin-gui"/> was not defined; fair enough.

Did not have Herman's problem re the Manager App link, which wanted the 'manager-gui' user/PW.

OKing this update.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
This update works fine. Testing complete for MGA5, 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push to updates? Thanks.
Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0196.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED