Bug 22568 - tomcat-native new security issue CVE-2017-15698
Summary: tomcat-native new security issue CVE-2017-15698
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-10 22:33 CET by David Walser
Modified: 2018-02-28 14:56 CET
CC: 3 users

See Also:
Source RPM: tomcat-native-1.2.12-1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 1.2.16



Description David Walser 2018-02-10 22:33:47 CET
Fedora has issued an advisory on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J3AMZRPNW5L27APAWB4IW3SRJQR6HL4G/

The issue is fixed upstream in 1.2.16.

Mageia 5 is also affected (but doesn't need to be updated).
David Walser 2018-02-10 22:41:51 CET

Status comment: (none) => Fixed upstream in 1.2.16

Comment 1 David GEIGER 2018-02-17 13:11:19 CET
Done for mga6!
Comment 2 David Walser 2018-02-17 17:06:12 CET
Thanks David!

Advisory:
========================

Updated tomcat-native package fixes security vulnerability:

When parsing the AIA-Extension field of a client certificate, Apache Tomcat
Native did not correctly handle fields longer than 127 bytes. The result of the
parsing error was to skip the OCSP check. It was therefore possible for client
certificates that should have been rejected (if the OCSP check had been made) to
be accepted. Users not using OCSP checks are not affected by this vulnerability
(CVE-2017-15698).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15698
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J3AMZRPNW5L27APAWB4IW3SRJQR6HL4G/
========================

Updated packages in core/updates_testing:
========================
tomcat-native-1.2.16-1.mga6

from tomcat-native-1.2.16-1.mga6.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
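
The advisory's threshold of 127 bytes is the largest length DER encodes in its one-byte short form; anything longer uses the long form (a byte 0x80|n followed by n big-endian length bytes), so a field longer than 127 bytes is exactly where a reader that assumes the one-byte form goes wrong. The block below is an added example, not code from Apache Tomcat Native or from the Mageia package: it shows a DER length decoder that handles both forms plus the minimal-encoding checks DER requires, and a verdict function that fails closed, so that a parse error rejects the client certificate instead of skipping the OCSP check. The `ocsp_status_good` parameter stands in for the result of a real OCSP query and the filler content bytes are constructed test data; both are assumptions of the example, not details from the bug.

```c
/* Added example, not Apache Tomcat Native or Mageia code. Demonstrates the
 * DER short/long-form length boundary at 127 bytes and a fail-closed
 * verdict when an AIA-style SEQUENCE does not parse. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode n (< 2^32) as a DER length. Returns bytes written (1..5), 0 if too big. */
size_t der_write_length(size_t n, uint8_t out[5])
{
    if (n > 0xFFFFFFFFu)
        return 0;
    if (n < 0x80) {                     /* short form: one byte holds the length */
        out[0] = (uint8_t)n;
        return 1;
    }
    size_t nbytes = 0;                  /* long form: minimal number of length bytes */
    for (size_t t = n; t != 0; t >>= 8)
        nbytes++;
    out[0] = (uint8_t)(0x80 | nbytes);
    for (size_t i = 0; i < nbytes; i++)
        out[1 + i] = (uint8_t)(n >> (8 * (nbytes - 1 - i)));
    return 1 + nbytes;
}

/* Decode a DER length from buf[0..len). Returns header bytes consumed (1..5),
 * or 0 if the encoding is invalid (indefinite, non-minimal, >4 bytes) or truncated. */
size_t der_read_length(const uint8_t *buf, size_t len, size_t *out)
{
    if (len == 0)
        return 0;
    uint8_t b = buf[0];
    if (b < 0x80) {                     /* short form: 0..127 */
        *out = b;
        return 1;
    }
    size_t nbytes = b & 0x7f;           /* long form: count of following length bytes */
    if (nbytes == 0 || nbytes > 4 || nbytes >= len)
        return 0;                       /* 0x80 is indefinite (BER only); else unsupported/truncated */
    if (buf[1] == 0)
        return 0;                       /* leading zero: non-minimal, not DER */
    size_t v = 0;
    for (size_t i = 0; i < nbytes; i++)
        v = (v << 8) | buf[1 + i];
    if (v < 0x80)
        return 0;                       /* values below 128 must use the short form */
    *out = v;
    return 1 + nbytes;
}

/* Parse one DER SEQUENCE (tag 0x30). Returns 1 and sets *content/*clen on
 * success; 0 for a wrong tag, bad length, or body shorter than declared. */
int der_parse_sequence(const uint8_t *buf, size_t len,
                       const uint8_t **content, size_t *clen)
{
    if (len < 2 || buf[0] != 0x30)
        return 0;
    size_t hdr = der_read_length(buf + 1, len - 1, clen);
    if (hdr == 0 || *clen > len - 1 - hdr)
        return 0;
    *content = buf + 1 + hdr;
    return 1;
}

/* Fail-closed verdict. ocsp_status_good is an assumed stand-in for a real
 * OCSP query result. A certificate is accepted only if the AIA-style
 * SEQUENCE parses AND OCSP reports it good; a parse error rejects rather
 * than silently skipping the check. */
int accept_client_cert(const uint8_t *aia, size_t aia_len, int ocsp_status_good)
{
    const uint8_t *content;
    size_t clen;
    if (!der_parse_sequence(aia, aia_len, &content, &clen))
        return 0;
    return ocsp_status_good ? 1 : 0;
}

/* Constructed test data: a SEQUENCE with n filler bytes. Returns total size, 0 if cap too small. */
size_t build_sequence(uint8_t *out, size_t cap, size_t n)
{
    uint8_t hdr[5];
    size_t hl = der_write_length(n, hdr);
    if (hl == 0 || 1 + hl + n > cap)
        return 0;
    out[0] = 0x30;
    memcpy(out + 1, hdr, hl);
    memset(out + 1 + hl, 0xAA, n);
    return 1 + hl + n;
}

/* Encode then decode a SEQUENCE of n content bytes; returns the decoded
 * content length, or 0 if it failed to parse back. */
size_t roundtrip_content_length(size_t n)
{
    uint8_t buf[1024];
    const uint8_t *content;
    size_t clen, total = build_sequence(buf, sizeof buf, n);
    if (total == 0 || !der_parse_sequence(buf, total, &content, &clen))
        return 0;
    return clen;
}

int main(void)
{
    size_t sizes[] = { 127, 128, 300 };
    for (size_t i = 0; i < 3; i++) {
        uint8_t hdr[5];
        size_t hl = der_write_length(sizes[i], hdr);
        printf("length %zu -> %zu header byte(s):", sizes[i], hl);
        for (size_t j = 0; j < hl; j++)
            printf(" %02x", hdr[j]);
        printf("\n");
    }
    uint8_t buf[512];
    size_t total = build_sequence(buf, sizeof buf, 300);
    printf("intact accepted=%d, truncated accepted=%d\n",
           accept_client_cert(buf, total, 1), accept_client_cert(buf, total - 1, 1));
    return 0;
}
```

Lengths 127, 128 and 300 encode as `7f`, `81 80` and `82 01 2c`, which is the boundary the advisory refers to. The truncated body in `main` is the case to watch: with the fail-closed policy it is rejected even though the stand-in OCSP result says good.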

Comment 3 Herman Viaene 2018-02-22 14:33:19 CET
MGA6-32 on Dell Latitude D600 Mate
No installation issues
# urpmq --whatrequires tomcat-native
guacamole
hadoop-pfs
tomcat-native
Had a look what guacamole is, looks interesting, but too heavy on this laptop. If I get rid of the possible updates on this 32 machine, I'd like to give it a go on MGA6-64.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2018-02-25 10:45:21 CET
MGA6-64 on Lenovo B50 Plasma
Installed guacamole. Expected this to draw in tomcat-native as the reverse is indicated (see Comment 3 above), but that didn't happen. Installed tomcat-native afterwards. All well till then.
Tried to run tomcat (it is required by guacamole), which is OK. Starting guacd brings me into configuration problems, and the guacamole documentation did not offer much help, nor did googling the errors. Spent some hours on this and gave up.
If the higher powers decide that a clean install and no obvious adverse effects is good enough, I agree to OK this update.
Comment 5 Lewis Smith 2018-02-27 21:51:28 CET
Poking M6 x64
No previous package-equivalent updates.

BEFORE the update: tomcat-native-1.2.12-1.mga6
against which I had used Tomcat - if that is relevant.

AFTER the update: tomcat-native-1.2.16-1.mga6
Tomcat itself still works normally. For the rest, I agree with Herman that 'guacamole' is too heavy to play with to test-drive 'tomcat-native'.

On the basis of a clean update, & Herman's clean install, update OK.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2018-02-28 14:56:21 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0150.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

