Upstream announced a security fix in Tomcat 8.0.48 on January 31: http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48 Cauldron was just updated to 8.0.49 by David today.
CC: (none) => geiger.david68210
Done also for mga6.
Thanks David!

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

In Tomcat 8.0.45, the description of the search algorithm used by the CGI Servlet to identify which script to execute was updated. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected (CVE-2017-15706).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48
========================

Updated packages in core/updates_testing:
========================

tomcat-8.0.49-1.mga6
tomcat-admin-webapps-8.0.49-1.mga6
tomcat-docs-webapp-8.0.49-1.mga6
tomcat-javadoc-8.0.49-1.mga6
tomcat-jsvc-8.0.49-1.mga6
tomcat-jsp-2.3-api-8.0.49-1.mga6
tomcat-lib-8.0.49-1.mga6
tomcat-servlet-3.1-api-8.0.49-1.mga6
tomcat-el-3.0-api-8.0.49-1.mga6
tomcat-webapps-8.0.49-1.mga6

from tomcat-8.0.49-1.mga6.src.rpm
Assignee: java => qa-bugs
Keywords: (none) => has_procedure
MGA6-64 on Lenovo B50 Plasma

No installation issues. Examples work perfectly, and access to the tomcat homepage on localhost is OK, but I can't get the tomcat users configuration right to get into the manager app.
The relevant section of tomcat-users.xml reads:

<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat,manager-gui,admin-gui"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user name="admin" password="tomcat" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" />

and I fail to see the obvious(?) mistake.
CC: (none) => herman.viaene
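An added example, not from the bug report and not a Mageia or Tomcat tool: a small Python lint for tomcat-users.xml that runs the checks a practitioner would do first on a file like the one quoted in the comment above. It hands the file to an XML parser (Tomcat itself parses it with one, so a file that is not well-formed defines no users at all), confirms each <user> carries the username attribute that Tomcat's MemoryRealm and UserDatabaseRealm read, flags empty, default or placeholder passwords, and compares granted roles against declared ones (Tomcat creates missing roles on the fly, so that last check is a typo warning, not a fatal error). The three sample documents are constructed for the example; the first reproduces the shape of the quoted snippet, including the literal <must-be-changed> placeholder inside an attribute value, which is not legal XML. The default path /etc/tomcat/tomcat-users.xml is the one used later in this thread.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def check_tomcat_users(xml_text):
    """Lint a tomcat-users.xml document. Returns a list of findings (empty = clean).

    1. well-formedness: Tomcat reads the file with an XML parser, so a parse
       error means no user is defined and every login fails;
    2. every <user> must carry 'username' (the realms do not read 'name');
    3. passwords that are empty, equal to the username, or still the
       '<must-be-changed>' placeholder from the shipped example file;
    4. roles granted to a user with no matching <role rolename=.../>.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    if _local(root.tag) != "tomcat-users":
        findings.append("root element is <%s>, expected <tomcat-users>" % _local(root.tag))
    declared = {el.get("rolename") for el in root.iter() if _local(el.tag) == "role"}
    declared.discard(None)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        username = el.get("username")
        if username is None:
            findings.append("<user> has no 'username' attribute (attributes present: %s)"
                            % ", ".join(sorted(el.attrib)))
            continue
        password = el.get("password", "")
        if password == "" or password == username or "must-be-changed" in password:
            findings.append("user %r has an empty, default or placeholder password" % username)
        for role in [r.strip() for r in el.get("roles", "").split(",") if r.strip()]:
            if role not in declared:
                findings.append("user %r granted undeclared role %r" % (username, role))
    return findings


# Constructed sample 1: same shape as the quoted snippet. The '<' inside the
# password attribute value makes the whole document unparseable.
SAMPLE_NOT_WELL_FORMED = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager-gui,admin-gui"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <role rolename="manager-gui"/>
  <user name="admin" password="tomcat" roles="admin,manager-gui"/>
</tomcat-users>
"""

# Constructed sample 2: well-formed, but keeps the 'name=' slip and an
# undeclared role, so the remaining checks have something to report.
SAMPLE_TYPOS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager-gui,admin-gui"/>
  <role rolename="manager-gui"/>
  <user name="admin" password="tomcat" roles="admin,manager-gui"/>
</tomcat-users>
"""

# Constructed sample 3: what a clean file for the manager/host-manager apps looks like.
SAMPLE_CLEAN = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="webadmin" password="Xq7-long-enough-passphrase" roles="manager-gui,admin-gui"/>
</tomcat-users>
"""


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/tomcat/tomcat-users.xml"
    with open(path, encoding="utf-8") as fh:
        problems = check_tomcat_users(fh.read())
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Run it as `python3 check_tomcat_users.py /etc/tomcat/tomcat-users.xml` before `systemctl restart tomcat`; a non-zero exit means the realm will not load the users you expect. The well-formedness check comes first on purpose: every later finding is moot if the parser rejects the file.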
More security bugs fixed in 8.0.50.

Advisory:
========================

Updated tomcat packages fix security vulnerability:

In Tomcat 8.0.45, the description of the search algorithm used by the CGI Servlet to identify which script to execute was updated. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behavior of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behavior that was wrong and has been corrected (CVE-2017-15706).

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorized users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected (CVE-2018-1304).

Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorized to access them (CVE-2018-1305).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.50
========================

Updated packages in core/updates_testing:
========================

tomcat-8.0.50-1.mga6
tomcat-admin-webapps-8.0.50-1.mga6
tomcat-docs-webapp-8.0.50-1.mga6
tomcat-javadoc-8.0.50-1.mga6
tomcat-jsvc-8.0.50-1.mga6
tomcat-jsp-2.3-api-8.0.50-1.mga6
tomcat-lib-8.0.50-1.mga6
tomcat-servlet-3.1-api-8.0.50-1.mga6
tomcat-el-3.0-api-8.0.50-1.mga6
tomcat-webapps-8.0.50-1.mga6

from tomcat-8.0.50-1.mga6.src.rpm
Blocks: (none) => 22644
Severity: normal => critical
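An added example, not part of the bug report and not Tomcat's own tooling: a Python audit of the <security-constraint> elements in a web.xml. It answers the question the CVE-2018-1304 paragraph above raises for an administrator, namely which deployed apps rely on the empty-string url-pattern that Tomcat 8.0.x before 8.0.50 silently ignored, and while walking the constraints it also flags the classic uncovered-HTTP-method hole (a constraint that lists <http-method> elements without a <deny-uncovered-http-methods/> in the descriptor leaves every unlisted method unprotected). The sample web.xml is constructed for the example. Constraints declared by @ServletSecurity annotations, the CVE-2018-1305 case, live in compiled servlet classes rather than in web.xml, so this audit cannot see them.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the namespace: '{http://xmlns.jcp.org/xml/ns/javaee}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    """Stripped text of every descendant element called `name` (namespace ignored)."""
    return [(el.text or "").strip() for el in parent.iter() if _local(el.tag) == name]


def audit_security_constraints(web_xml_text):
    """Audit the <security-constraint> elements of a web.xml.

    Returns a list of finding strings; an empty list means nothing to report.
    - empty-pattern: the constraint uses the empty-string url-pattern that maps
      exactly to the context root. That is a valid Servlet 3.x pattern, but
      Tomcat 8.0.x before 8.0.50 ignored the constraint (CVE-2018-1304), so
      apps using it were exposed until the update.
    - uncovered-methods: the constraint lists <http-method> elements but the
      descriptor has no <deny-uncovered-http-methods/>, so any method not
      listed (POST, PUT, DELETE, ...) bypasses the constraint entirely.
    - no-pattern: a constraint without any url-pattern protects nothing.
    """
    root = ET.fromstring(web_xml_text)
    deny_uncovered = any(_local(el.tag) == "deny-uncovered-http-methods" for el in root.iter())
    findings = []
    for sc in [el for el in root.iter() if _local(el.tag) == "security-constraint"]:
        name = (_texts(sc, "display-name") or ["<unnamed>"])[0]
        patterns = _texts(sc, "url-pattern")
        methods = _texts(sc, "http-method")
        if "" in patterns:
            findings.append("empty-pattern: constraint %r protects the context root with "
                            "url-pattern \"\"; ignored by Tomcat 8.0.x before 8.0.50 "
                            "(CVE-2018-1304)" % name)
        if methods and not deny_uncovered:
            findings.append("uncovered-methods: constraint %r only covers %s; add "
                            "<deny-uncovered-http-methods/> or drop the <http-method> list"
                            % (name, ", ".join(methods)))
        if not patterns:
            findings.append("no-pattern: constraint %r has no url-pattern and protects nothing"
                            % name)
    return findings


# Constructed sample web.xml (Servlet 3.1 namespace), not taken from any shipped webapp.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>root</display-name>
    <web-resource-collection>
      <web-resource-name>context root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>admin-get-only</display-name>
    <web-resource-collection>
      <web-resource-name>admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin-gui</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>
"""

# Same descriptor with the uncovered-method hole closed; the empty-pattern
# finding stays because it is a version advisory, not a configuration error.
SAMPLE_WEB_XML_DENY = SAMPLE_WEB_XML.replace(
    "<login-config>", "<deny-uncovered-http-methods/>\n  <login-config>")


if __name__ == "__main__":
    import glob
    import os
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in glob.glob(os.path.join(base, "*", "WEB-INF", "web.xml")):
        with open(path, encoding="utf-8") as fh:
            for finding in audit_security_constraints(fh.read()):
                print("%s: %s" % (path, finding))
```

Point it at the webapps directory (`python3 audit_web_xml.py /path/to/webapps`) to list every deployed descriptor that uses the affected pattern. The empty-pattern finding is informational once 8.0.50 is installed; the uncovered-methods finding is a genuine hole on any version.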
Testing M6/64

Tomcat was already installed, so just updated it to:
- tomcat-8.0.50-1.mga6.noarch
- tomcat-admin-webapps-8.0.50-1.mga6.noarch
- tomcat-el-3.0-api-8.0.50-1.mga6.noarch
- tomcat-jsp-2.3-api-8.0.50-1.mga6.noarch
- tomcat-jsvc-8.0.50-1.mga6.noarch
- tomcat-lib-8.0.50-1.mga6.noarch
- tomcat-servlet-3.1-api-8.0.50-1.mga6.noarch
- tomcat-webapps-8.0.50-1.mga6.noarch

and used https://bugs.mageia.org/show_bug.cgi?id=21933#c4 as a test reference; except that did not mention the need to have 'icedtea-web' installed for some of the tests.

Ensured /etc/tomcat/tomcat-users.xml had the following lines:

<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="..." password="..." roles="manager-gui,admin-gui"/>

# systemctl restart tomcat

http://localhost:8080/ showed the main page "Apache Tomcat/8.0.50".
'server status' button 1st use asked for user/password. Result sensible.
'manager app' button showed correct screen.
'host manager' button 1st use asked for user/password. Result sensible.

The equivalent direct links:
http://localhost:8080/manager/status
http://localhost:8080/manager/html
http://localhost:8080/host-manager/html
also worked as per the buttons on the home page.

/sample both worked.
/examples many tried, most worked, a few giving:
"HTTP Status 500 - The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed with this application"
which has become normal.

OKing the update, validating, advisory to do from comment 4.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0149.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED