Bug 22503 - tomcat new security issue CVE-2017-15706
Summary: tomcat new security issue CVE-2017-15706
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: has_procedure
Depends on:
Blocks:
 
Reported: 2018-02-01 20:59 CET by David Walser
Modified: 2018-02-06 13:22 CET

See Also:
Source RPM: tomcat-8.0.47-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-02-01 20:59:34 CET
Upstream announced a security fix in Tomcat 8.0.48 on January 31:
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48

Cauldron was just updated to 8.0.49 by David today.
David Walser 2018-02-01 20:59:43 CET

CC: (none) => geiger.david68210

Comment 1 David GEIGER 2018-02-02 05:10:39 CET
Done also for mga6.
Comment 2 David Walser 2018-02-02 17:13:48 CET
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

In Tomcat 8.0.45, the description of the search algorithm used by the CGI
Servlet to identify which script to execute was updated. The update was not
correct. As a result, some scripts may have failed to execute as expected and
other scripts may have been executed unexpectedly. Note that the behaviour of
the CGI servlet has remained unchanged in this regard. It is only the
documentation of the behaviour that was wrong and has been corrected
(CVE-2017-15706).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48
========================

Updated packages in core/updates_testing:
========================
tomcat-8.0.49-1.mga6
tomcat-admin-webapps-8.0.49-1.mga6
tomcat-docs-webapp-8.0.49-1.mga6
tomcat-javadoc-8.0.49-1.mga6
tomcat-jsvc-8.0.49-1.mga6
tomcat-jsp-2.3-api-8.0.49-1.mga6
tomcat-lib-8.0.49-1.mga6
tomcat-servlet-3.1-api-8.0.49-1.mga6
tomcat-el-3.0-api-8.0.49-1.mga6
tomcat-webapps-8.0.49-1.mga6

from tomcat-8.0.49-1.mga6.src.rpm

Keywords: (none) => has_procedure
Assignee: java => qa-bugs

Comment 3 Herman Viaene 2018-02-06 13:22:45 CET
MGA6-64 on Lenovo B50 Plasma
No installation issues
Examples work perfectly, and access to tomcat homepage on localhost is OK, but I can't get the tomcat users configuration right to get into the manager app.
The relevant section of tomcat-users.xml reads:
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat,manager-gui,admin-gui"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>


<role rolename="admin"/> 
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user name="admin" password="tomcat" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" />
and I fail to see the obvious(?) mistake.

CC: (none) => herman.viaene

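Added example, not code from this bug report or from Tomcat: a small checker for tomcat-users.xml that reports the two conditions which keep a file like the one quoted in Comment 3 from yielding a usable manager login, namely a raw `<` inside an attribute value (which makes the whole file non-well-formed XML, so no user or role is loaded) and example passwords left in place. The sample XML is constructed after that comment, the function names `audit_tomcat_users` and `_local` are mine, and the attribute check assumes only that `username` is the attribute documented for `<user>`.

```python
import xml.etree.ElementTree as ET
# Example passwords shipped in the stock tomcat-users.xml; never deploy them.
PLACEHOLDER_PASSWORDS = {"", "tomcat", "<must-be-changed>"}

def _local(tag):
    # Strip the default namespace (xmlns="http://tomcat.apache.org/xml").
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A raw '<' inside an attribute value is not well-formed XML, so the
        # parser rejects the whole file and no user or role is loaded at all.
        return ["not well-formed XML: %s" % exc]
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        uname = el.get("username")
        if uname is None:
            findings.append("user element without the documented 'username' "
                            "attribute, has: %s" % sorted(el.attrib))
            uname = el.get("name", "?")
        if el.get("password", "") in PLACEHOLDER_PASSWORDS:
            findings.append("user %r still has a placeholder password" % uname)
    return findings

# Constructed after the fragment in Comment 3, wrapped in the root element the
# real file has; the literal '<' in the "both" password is kept as posted.
AS_POSTED = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="tomcat"/>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager-gui,admin-gui"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user name="admin" password="tomcat" roles="admin,manager-gui,manager-script"/>
</tomcat-users>
"""

# Same content with '<' and '>' escaped, so the file parses and per-user checks run.
ESCAPED = AS_POSTED.replace('"<must-be-changed>"', '"&lt;must-be-changed&gt;"')

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("escaped", ESCAPED)):
        print(label, "->", audit_tomcat_users(text))
```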
