A security issue in Tomcat has been announced on May 16:
The issue will be fixed when 7.0.89 and 8.0.53 are released.
Mageia 5 and Mageia 6 are also affected (but we don't need to update 5).
This is a minor issue, so we don't need to update it right away.
Fixed upstream in 8.0.53
Ubuntu has issued an advisory on July 25:
It lists two more security issues fixed in 8.0.52 and 8.0.53.
They are listed on upstream's security page now too.
tomcat new security issue CVE-2018-8014 => tomcat new security issues CVE-2018-1336, CVE-2018-8014, CVE-2018-8034
RedHat has issued an advisory for CVE-2018-1336 on October 16:
Upstream says that CVE-2018-11784 only affects 7.0.x and 8.5.x, but Ubuntu and openSUSE have issued advisories for it for 8.0.x:
Fixed for mga6! And I think for Cauldron too, with tomcat 9.0.10!
I see you patched CVE-2018-11784, but we still need to update to 8.0.53 to fix the other issues.
So updated to 8.0.53 for mga6
Updated tomcat packages fix security vulnerabilities:
An improper handling of overflow in the UTF-8 decoder with supplementary
characters can lead to an infinite loop in the decoder causing a Denial of
The default settings for the CORS filter are insecure and enable
supportsCredentials for all origins. It is expected that users of the CORS
filter will have configured it appropriately for their environment rather than
using it in the default configuration. Therefore, it is expected that most
users will not be impacted by this issue (CVE-2018-8014).
The host name verification when using TLS with the WebSocket client was missing.
It is now enabled by default (CVE-2018-8034).
When the default servlet returned a redirect to a directory (e.g. redirecting
to /foo/ when the user requested /foo) a specially crafted URL could be used
to cause the redirect to be generated to any URI of the attacker's choice
Updated packages in core/updates_testing:
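As an added illustration of the CORS point in the advisory above (this fragment is not part of the bug report, the Mageia packages or upstream Tomcat's own files), here is a web.xml excerpt contrasting the filter left at its defaults with an explicitly configured one. The init-param names are Tomcat's CorsFilter parameters; the origin https://app.example.org is an assumed placeholder, and only one of the two <filter> declarations would appear in a real deployment descriptor.

```xml
<!-- Added example, not from the bug report or upstream Tomcat. -->

<!-- WEAK: declared with no init-params. Before 8.0.53 (CVE-2018-8014) the
     defaults amounted to allowing every origin with credentials supported,
     which is exactly the combination the advisory warns about. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>

<!-- CORRECTED: name the trusted origin(s) explicitly (placeholder value here),
     restrict methods, and only then opt in to credentials. Do not combine
     a wildcard origin with cors.support.credentials=true. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://app.example.org</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,OPTIONS</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Updating to 8.0.53 changes only the default for cors.support.credentials; an explicit origin list remains the right configuration on any version, since a wildcard origin with credentials lets any site make authenticated cross-origin requests.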
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
After editing /etc/tomcat/tomcat-users.xml, uncommenting the users, and adding the manager-gui role to the user tomcat, then at the CLI:
# systemctl start tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: enabled)
Active: active (running) since za 2018-12-08 11:34:11 CET; 19s ago
Main PID: 23386 (java)
└─23386 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.B
Then browse http://localhost:8080/sample and http://localhost:8080/examples and click the links.
Also browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with manager-gui role.
All seems ok.
Thanks Herman. Validating, advisory from comment 7.
An update for this issue has been pushed to the Mageia Updates repository.