Fedora has issued an advisory on September 14: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH5PGYTIBGQHGGUEXRIIGNXJSLBNYYUS/ The issue is fixed upstream in 7.0.79 and 8.0.46. David, I see from the commit message in Cauldron that you were already aware of this. You don't have to wait for me to file the bug. Please take care of these when you notice them. Mageia 5 is also affected (tomcat 7).
CC: (none) => mageia
Whiteboard: (none) => MGA5TOO
Thanks David!

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances (CVE-2017-7674).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.79
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.45
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH5PGYTIBGQHGGUEXRIIGNXJSLBNYYUS/
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.81-1.mga5
tomcat-admin-webapps-7.0.81-1.mga5
tomcat-docs-webapp-7.0.81-1.mga5
tomcat-javadoc-7.0.81-1.mga5
tomcat-jsvc-7.0.81-1.mga5
tomcat-jsp-2.2-api-7.0.81-1.mga5
tomcat-lib-7.0.81-1.mga5
tomcat-servlet-3.0-api-7.0.81-1.mga5
tomcat-el-2.2-api-7.0.81-1.mga5
tomcat-webapps-7.0.81-1.mga5
tomcat-8.0.46-1.mga6
tomcat-admin-webapps-8.0.46-1.mga6
tomcat-docs-webapp-8.0.46-1.mga6
tomcat-javadoc-8.0.46-1.mga6
tomcat-jsvc-8.0.46-1.mga6
tomcat-jsp-2.3-api-8.0.46-1.mga6
tomcat-lib-8.0.46-1.mga6
tomcat-servlet-3.1-api-8.0.46-1.mga6
tomcat-el-3.0-api-8.0.46-1.mga6
tomcat-webapps-8.0.46-1.mga6

from SRPMS:
tomcat-7.0.81-1.mga5.src.rpm
tomcat-8.0.46-1.mga6.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Keywords: (none) => has_procedure
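As an added example (not code from this bug report, from Mageia or from the Tomcat project), the following Python script checks a raw HTTP response for the condition the advisory above describes: a CORS response that carries Access-Control-Allow-Origin but no Vary header covering Origin, which is what lets a shared cache hand one origin's response to another. The sample responses are constructed for the example; the request path and origin in the usage note are assumptions. To check a deployed filter, capture a real response with something like `curl -si -H 'Origin: https://app.example' http://localhost:8080/yourapp/` and pass the text to `cors_vary_problem()`.

```python
"""Flag CORS responses that are missing 'Vary: Origin' (cf. CVE-2017-7674).

Added example, not part of the Mageia bug or of Tomcat. Input is raw
HTTP/1.1 response text with CRLF line endings, as printed by `curl -i`
or captured by a proxy. All sample responses below are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed: what an unfixed CORS filter sends when it echoes an allowed
# Origin back. Cache-Control makes it cacheable, Vary is absent.
UNFIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Access-Control-Allow-Origin: https://app.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Content-Type: application/json\r\n"
    "Cache-Control: max-age=600\r\n"
    "\r\n"
    '{"ok":true}'
)

# Constructed: the same response after the fix, with Vary: Origin added.
FIXED_RESPONSE = UNFIXED_RESPONSE.replace(
    "Content-Type:", "Vary: Origin\r\nContent-Type:", 1
)

# Constructed: Vary already listed Accept-Encoding (compression) and Origin
# was appended to it; the check must parse the comma-separated list.
FIXED_MULTI_VARY = UNFIXED_RESPONSE.replace(
    "Content-Type:", "Vary: Accept-Encoding, Origin\r\nContent-Type:", 1
)

# Constructed: not a CORS response at all, so there is nothing to vary on.
PLAIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (status line, headers). Names are lower-cased; a header that
    appears more than once keeps every value, in order, because Vary may
    legitimately be split across several header lines."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        # partition on the first colon only: values such as URLs contain colons
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def vary_tokens(headers: Dict[str, List[str]]) -> Set[str]:
    """Collect the field names listed in all Vary headers, lower-cased."""
    tokens: Set[str] = set()
    for value in headers.get("vary", []):
        for tok in value.split(","):
            tok = tok.strip().lower()
            if tok:
                tokens.add(tok)
    return tokens


def cors_vary_problem(raw: str) -> Optional[str]:
    """Describe the problem, or return None when the response is fine.

    The filter only emits Access-Control-Allow-Origin for requests that
    carried an Origin header, so the body/headers depend on Origin; unless
    Vary names Origin (or is '*', which disables keyed caching) a shared
    cache may serve this response to a request from a different origin.
    """
    _, headers = parse_headers(raw)
    acao = headers.get("access-control-allow-origin")
    if not acao:
        return None  # not a CORS response
    tokens = vary_tokens(headers)
    if "*" in tokens or "origin" in tokens:
        return None
    shown = ", ".join(sorted(tokens)) if tokens else "(absent)"
    return (
        f"Access-Control-Allow-Origin is {acao[-1]!r} but Vary is {shown}: "
        "a shared cache may serve this response to other origins"
    )


def check_samples() -> Dict[str, Optional[str]]:
    """Run the check over the constructed samples; None means no problem."""
    return {
        "unfixed": cors_vary_problem(UNFIXED_RESPONSE),
        "fixed": cors_vary_problem(FIXED_RESPONSE),
        "fixed_multi_vary": cors_vary_problem(FIXED_MULTI_VARY),
        "plain": cors_vary_problem(PLAIN_RESPONSE),
    }


if __name__ == "__main__":
    for name, problem in check_samples().items():
        print(f"{name:17s} {'OK' if problem is None else 'PROBLEM: ' + problem}")
```

Only the `unfixed` sample is reported; the two fixed variants pass because Origin is found in the Vary list regardless of case or position, and the plain HTML response passes because it never carried a CORS header.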
Testing M6/64

Already has Tomcat installed, so updated to:
tomcat-webapps-7.0.81-1.mga5
tomcat-lib-7.0.81-1.mga5
tomcat-el-2.2-api-7.0.81-1.mga5
tomcat-7.0.81-1.mga5
tomcat-servlet-3.0-api-7.0.81-1.mga5
tomcat-admin-webapps-7.0.81-1.mga5
tomcat-jsp-2.2-api-7.0.81-1.mga5

This time I ensured that my defined user could do both these roles in /etc/tomcat/tomcat-users.xml
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="<usr>" password="<password>" roles="manager-gui,admin-gui"/>

Using https://bugs.mageia.org/show_bug.cgi?id=21131#c7 as a reference:
# systemctl restart tomcat

http://localhost:8080/ showed the "Apache Tomcat/7.0.81" page.

http://localhost:8080/manager/status [= server status link on home page] asks for the 'manager-gui' username/password, then shows a valid "Server Status" page.

http://localhost:8080/manager/html [= Manager App link on home page] shows the "Tomcat Web Application Manager" page, including the test links:
http://localhost:8080/sample/
http://localhost:8080/examples/
Tried many of these, all worked.

http://localhost:8080/host-manager/html shows "Tomcat Virtual Host Manager" page.

Everything looks OK.
Keywords: (none) => advisory
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => lewyssmith
Testing M6/64

BEFORE update:
Installed as issued:
tomcat-el-3.0-api-8.0.44-1.mga6
tomcat-8.0.44-1.mga6
tomcat-webapps-8.0.44-1.mga6
tomcat-lib-8.0.44-1.mga6
tomcat-servlet-3.1-api-8.0.44-1.mga6
tomcat-jsvc-8.0.44-1.mga6
tomcat-jsp-2.3-api-8.0.44-1.mga6
tomcat-admin-webapps-8.0.44-1.mga6

The installation of tomcat itself showed:
"Failed to open 'tomcat.conf': No such file or directory"
which does not matter, but is not encouraging.

Edited /etc/tomcat/tomcat-users.xml
<role rolename="admin-gui"/> [uncomment]
<role rolename="manager-gui"/> [uncomment]
<user username="..." password="..." roles="manager-gui,admin-gui"/>

# systemctl restart tomcat

http://localhost:8080/ -> "Apache Tomcat/8.0.44" page.
Tried a couple of the top-right buttons, they asked for the user/password, that worked.

----------------------------------
AFTER update:
tomcat-jsvc-8.0.46-1.mga6
tomcat-jsp-2.3-api-8.0.46-1.mga6
tomcat-el-3.0-api-8.0.46-1.mga6
tomcat-admin-webapps-8.0.46-1.mga6
tomcat-lib-8.0.46-1.mga6
tomcat-8.0.46-1.mga6
tomcat-servlet-3.1-api-8.0.46-1.mga6
tomcat-webapps-8.0.46-1.mga6

http://localhost:8080/ -> "Apache Tomcat/8.0.46" home page.
- Server Status -> "Server Status" page, looks sensible.
- Manager App -> "Tomcat Web Application Manager" page; see below.
- Host Manager -> "Tomcat Virtual Host Manager" page, seems OK.

I had not re-started the Tomcat server. It is variable whether you get asked for username/password; sometimes it seems to remember it.

The direct links:
http://localhost:8080/manager/status
http://localhost:8080/manager/html
http://localhost:8080/host-manager/html
also worked as per the buttons on the home page.

From the "Tomcat Web Application Manager" page I tried various of the many examples, most of which worked. A few did not, of the form:
"HTTP Status 500 - The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed with this application"
but I do not think this invalidates the update.
They probably did not work before. OKing & validating.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
Please update the advisory in SVN. 7.0.81 fixes an additional CVE:
http://openwall.com/lists/oss-security/2017/09/19/2

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances (CVE-2017-7674).

When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request (CVE-2017-12616).

Note that CVE-2017-12616 only affected tomcat 7 in Mageia 5.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12616
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.79
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.45
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH5PGYTIBGQHGGUEXRIIGNXJSLBNYYUS/
Keywords: advisory => (none)
Done. Added the CVE and 2 extra refs, cf. comment 1.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0352.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2017-12615 in tomcat 7 on Mageia 5.
This update also fixed CVE-2017-12616 in tomcat 7: https://usn.ubuntu.com/3665-1/