Fedora has issued an advisory on February 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J3AMZRPNW5L27APAWB4IW3SRJQR6HL4G/ The issue is fixed upstream in 1.2.16. Mageia 5 is also affected (but doesn't need to be updated).
Status comment: (none) => Fixed upstream in 1.2.16
Done for mga6!
Thanks David!

Advisory:
========================

Updated tomcat-native package fixes security vulnerability:

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability (CVE-2017-15698).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15698
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J3AMZRPNW5L27APAWB4IW3SRJQR6HL4G/
========================

Updated packages in core/updates_testing:
========================

tomcat-native-1.2.16-1.mga6 from tomcat-native-1.2.16-1.mga6.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
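The advisory above turns on a length boundary: fields longer than 127 bytes. In DER, 127 is exactly where the one-byte "short form" length ends and the multi-byte "long form" begins, so a parser that only ever reads a single length byte stops making sense at that point. The following is an added example (not tomcat-native code, and the mapping of the advisory onto DER length forms is an assumption, not something the bug report states) that builds a constructed AIA extension carrying an OCSP URI, decodes it once with a correct DER length decoder and once with a short-form-only decoder, and shows why the error handling matters: a fail-open policy that treats "could not parse AIA" as "no OCSP configured" silently skips the check, which is the outcome the advisory describes, while a fail-closed policy rejects the certificate instead. All names and the sample URIs are constructed for this example.

```python
"""Added example: DER length decoding at the 127-byte boundary and the
fail-open vs fail-closed consequence for an OCSP lookup. Not project code."""
from typing import Callable, List, Tuple

# id-ad-ocsp = 1.3.6.1.5.5.7.48.1, DER-encoded OID contents (real value).
OCSP_OID = bytes.fromhex("2b06010505073001")

LengthDecoder = Callable[[bytes, int], Tuple[int, int]]


def decode_der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Correct DER length decoding. Returns (length, position after length).
    Short form: 0x00..0x7F is the length itself.
    Long form: 0x81..0x84 says how many big-endian length bytes follow."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:          # indefinite form / absurd sizes are not DER
        raise ValueError("unsupported length encoding")
    if pos + 1 + n > len(buf):
        raise ValueError("truncated length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < 0x80 or buf[pos + 1] == 0:
        raise ValueError("non-minimal DER length")
    return length, pos + 1 + n


def naive_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Short-form-only decoder: the class of bug the advisory describes.
    Any length >= 128 is misread as the long-form marker byte itself."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    return buf[pos], pos + 1


def encode_der_length(n: int) -> bytes:
    """Minimal DER length encoding (used only to build the sample input)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_aia(uri: str) -> bytes:
    """Constructed AuthorityInfoAccess value:
    SEQUENCE { AccessDescription SEQUENCE { OID id-ad-ocsp, [6] IA5String uri } }"""
    location = b"\x86" + encode_der_length(len(uri)) + uri.encode("ascii")
    oid = b"\x06" + encode_der_length(len(OCSP_OID)) + OCSP_OID
    access_desc = b"\x30" + encode_der_length(len(oid) + len(location)) + oid + location
    return b"\x30" + encode_der_length(len(access_desc)) + access_desc


def parse_tlv(buf: bytes, pos: int, decode_len: LengthDecoder) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at buf[pos]; returns (tag, value, position after)."""
    if pos >= len(buf):
        raise ValueError("truncated TLV")
    tag = buf[pos]
    length, pos = decode_len(buf, pos + 1)
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


def extract_ocsp_uris(aia: bytes, decode_len: LengthDecoder = decode_der_length) -> List[str]:
    """Walk the AIA SEQUENCE and collect every OCSP responder URI."""
    tag, body, end = parse_tlv(aia, 0, decode_len)
    if tag != 0x30 or end != len(aia):
        raise ValueError("AIA is not a single SEQUENCE")
    uris, pos = [], 0
    while pos < len(body):
        tag, desc, pos = parse_tlv(body, pos, decode_len)
        if tag != 0x30:
            raise ValueError("AccessDescription is not a SEQUENCE")
        oid_tag, oid, p = parse_tlv(desc, 0, decode_len)
        loc_tag, loc, p = parse_tlv(desc, p, decode_len)
        if p != len(desc):
            raise ValueError("trailing bytes in AccessDescription")
        if oid_tag == 0x06 and oid == OCSP_OID and loc_tag == 0x86:
            uris.append(loc.decode("ascii"))
    return uris


def decide(aia: bytes, decode_len: LengthDecoder = decode_der_length,
           fail_closed: bool = True) -> str:
    """Policy outcome for a client certificate's AIA extension:
    'ocsp-check' (responder found), 'no-responder' (well-formed, no OCSP URI),
    'reject' (parse failure, fail-closed) or 'skip-ocsp' (parse failure, fail-open)."""
    try:
        uris = extract_ocsp_uris(aia, decode_len)
    except ValueError:
        return "reject" if fail_closed else "skip-ocsp"
    return "ocsp-check" if uris else "no-responder"


# Constructed sample responder URIs: one under, one over the 127-byte boundary.
SHORT_URI = "http://ocsp.example.test/responder"
LONG_URI = "http://ocsp.example.test/" + "a" * 130


if __name__ == "__main__":
    for uri in (SHORT_URI, LONG_URI):
        aia = build_aia(uri)
        print(len(uri), "byte URI: correct decoder ->", decide(aia),
              "| naive, fail-open ->", decide(aia, naive_length, fail_closed=False),
              "| naive, fail-closed ->", decide(aia, naive_length, fail_closed=True))
```

Both decoders agree below 128 bytes, which is why the defect is easy to miss in testing; only the long URI separates them, and only the fail-closed policy turns the parse failure into a rejection rather than a silently skipped revocation check.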
MGA6-32 on Dell Latitude D600 Mate
No installation issues

# urpmq --whatrequires tomcat-native
guacamole
hadoop-pfs
tomcat-native

Had a look what guacamole is, looks interesting, but too heavy on this laptop. If I get rid of the possible updates on this 32 machine, I'd like to give it a go on MGA6-64.
CC: (none) => herman.viaene
MGA6-64 on Lenovo B50 Plasma
Installed guacamole. Expected this to draw in tomcat-native as the reverse is indicated (see Comment 3 above), but that didn't happen. Installed tomcat-native afterwards. All well till then.
Tried to run tomcat (is required by guacamole), is OK. Starting guacd brings me into configuration problems and guacamole documentation did not offer much help, neither googling on the errors. Spent some hours on this and gave up.
If the higher powers decide a clean install and no obvious adverse effects is good enough, I agree to OK this update.
Poking M6 x64
No previous package-equivalent updates.

BEFORE the update:
tomcat-native-1.2.12-1.mga6
against which I had used Tomcat - if that is relevant.

AFTER the update:
tomcat-native-1.2.16-1.mga6
Tomcat itself still works normally.

For the rest, I agree with Herman that 'guacamole' is too heavy to play with to test-drive 'tomcat-native'. On the basis of a clean update, & Herman's clean install, update OK.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0150.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED