A security issue in Tomcat has been announced on May 16:
http://openwall.com/lists/oss-security/2018/05/16/7
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53

The issue will be fixed when 7.0.89 and 8.0.53 are released.

Mageia 5 and Mageia 6 are also affected (but we don't need to update 5).

This is a minor issue, so we don't need to update it right away.
Status comment: (none) => Fixed upstream in 8.0.53
Whiteboard: (none) => MGA6TOO
Ubuntu has issued an advisory on July 25:
https://usn.ubuntu.com/3723-1/

It lists two more security issues fixed in 8.0.52 and 8.0.53. They are listed on upstream's security page now too.
Severity: normal => major
Summary: tomcat new security issue CVE-2018-8014 => tomcat new security issues CVE-2018-1336, CVE-2018-8014, CVE-2018-8034
RedHat has issued an advisory for CVE-2018-1336 on October 16:
https://access.redhat.com/errata/RHSA-2018:2921
Severity: major => critical
Upstream says that CVE-2018-11784 only affects 7.0.x and 8.5.x, but Ubuntu and openSUSE have issued advisories for it for 8.0.x:
https://usn.ubuntu.com/3787-1/
https://lists.opensuse.org/opensuse-updates/2018-10/msg00186.html
Fixed for mga6! And I think also for Cauldron with tomcat 9.0.10!
CC: (none) => geiger.david68210
I see you patched CVE-2018-11784, but we still need to update to 8.0.53 to fix the other issues.
So, updated to 8.0.53 for mga6.
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service (CVE-2018-1336).

The default settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue (CVE-2018-8014).

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (CVE-2018-8034).

When the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice (CVE-2018-11784).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11784
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.52
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.34
========================

Updated packages in core/updates_testing:
========================
tomcat-8.0.53-1.mga6
tomcat-admin-webapps-8.0.53-1.mga6
tomcat-docs-webapp-8.0.53-1.mga6
tomcat-javadoc-8.0.53-1.mga6
tomcat-jsvc-8.0.53-1.mga6
tomcat-jsp-2.3-api-8.0.53-1.mga6
tomcat-lib-8.0.53-1.mga6
tomcat-servlet-3.1-api-8.0.53-1.mga6
tomcat-el-3.0-api-8.0.53-1.mga6
tomcat-webapps-8.0.53-1.mga6

from tomcat-8.0.53-1.mga6.src.rpm
Version: Cauldron => 6
Keywords: (none) => has_procedure
Assignee: java => qa-bugs
Whiteboard: MGA6TOO => (none)
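The CVE-2018-8014 paragraph in the advisory above turns on one configuration shape: a CorsFilter whose origin list is the wildcard while credentials are allowed. The following is an added example, not code from this bug thread or from the Tomcat project: a small Python audit that parses a web.xml and reports every CorsFilter declaration in that shape, run against constructed web.xml fragments (one relying on the built-in defaults, one hardened to a single origin, one with the wildcard written out). It assumes the init-param names `cors.allowed.origins` and `cors.support.credentials` and the filter class `org.apache.catalina.filters.CorsFilter`, which are the filter's documented settings; the `fixed_default` flag models the change the fix made, where a missing `cors.support.credentials` meant true before 8.0.53 and false from 8.0.53 on.

```python
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

# Constructed sample 1: CorsFilter enabled with no init-params at all, so every
# setting comes from Tomcat's built-in defaults (the CVE-2018-8014 shape).
INSECURE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Constructed sample 2: origins pinned to one site, credentials allowed only for it.
HARDENED_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://app.example.org</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Constructed sample 3: wildcard origin plus credentials written out explicitly;
# a fixed default does not help here, the admin has to change the config.
EXPLICIT_WILDCARD_WEB_XML = HARDENED_WEB_XML.replace("https://app.example.org", "*")


def _text(elem, tag):
    """Stripped text of the first child <tag> in any namespace, or None."""
    child = elem.find(f"{{*}}{tag}")
    if child is None or child.text is None:
        return None
    return child.text.strip()


def cors_filter_params(root):
    """Yield (filter-name, {param-name: param-value}) for each CorsFilter declaration."""
    for flt in root.iterfind(".//{*}filter"):
        if _text(flt, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {}
        for ip in flt.iterfind("{*}init-param"):
            pname = _text(ip, "param-name")
            if pname:
                params[pname] = _text(ip, "param-value") or ""
        yield _text(flt, "filter-name") or "<unnamed>", params


def audit_cors(web_xml, fixed_default=False):
    """Return one finding per CorsFilter that accepts credentialed requests from any origin.

    fixed_default=False models Tomcat before 8.0.53, where a missing
    cors.support.credentials meant true; fixed_default=True models 8.0.53+,
    where that default became false. (Assumption of this example: the two
    init-param names are the CorsFilter's documented settings.)
    """
    findings = []
    for name, params in cors_filter_params(ET.fromstring(web_xml.strip())):
        origins = params.get("cors.allowed.origins", "*")
        # Tomcat splits the origin list on commas; a bare "*" entry means any origin.
        any_origin = "*" in {o.strip() for o in origins.split(",")}
        raw = params.get("cors.support.credentials")
        if raw is None:
            creds, source = (not fixed_default), "implicit default"
        else:
            creds, source = raw.lower() == "true", "explicit"
        if any_origin and creds:
            findings.append(
                f"{name}: credentials accepted from any origin "
                f"(cors.allowed.origins={origins!r}, cors.support.credentials={source})"
            )
    return findings


if __name__ == "__main__":
    samples = [("defaults only", INSECURE_WEB_XML), ("hardened", HARDENED_WEB_XML),
               ("explicit wildcard", EXPLICIT_WILDCARD_WEB_XML)]
    for label, xml in samples:
        for mode in (False, True):
            print(f"{label:17} fixed_default={mode}: {audit_cors(xml, mode) or 'ok'}")
```

Run as-is it prints the three samples under both defaults; the "defaults only" case is flagged only with the pre-fix default, which is exactly why the update closes that case, while the explicit wildcard is flagged either way and needs the `cors.allowed.origins` list tightened, as the advisory expects of anyone using the filter in production.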
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

After editing /etc/tomcat/tomcat-users.xml to uncomment the users and add the manager-gui role to the user tomcat, at the CLI:

# systemctl start tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: enabled)
   Active: active (running) since za 2018-12-08 11:34:11 CET; 19s ago
 Main PID: 23386 (java)
   CGroup: /system.slice/tomcat.service
           └─23386 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.B

Then browse http://localhost:8080/sample and http://localhost:8080/examples and click the links.
Also browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with the manager-gui role.
All seems ok.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Thanks Herman. Validating, advisory from comment 7.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0479.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED