SUSE has issued an advisory on April 9:
The issues are fixed upstream in 1.2.18.
I didn't know this is a java stack package, but in the changelog I see
* Wed Feb 24 2016 neoclust <neoclust> 1.2.4-3.mga6
+ Revision: 978208
- First rebuild of the java stack
so assigning to the java stack maintainers.
Fixed for mga6!
Updated tomcat-native package fixes security vulnerabilities:
When using an OCSP responder, tomcat-native did not correctly handle invalid
responses. This allowed for revoked client certificates to be incorrectly
identified. It was therefore possible for users to authenticate with revoked
certificates when using mutual TLS (CVE-2018-8019).
tomcat-native did not properly check OCSP pre-produced responses. Revoked client
certificates may not have been properly identified, allowing users to
authenticate with revoked certificates to connections that require mutual TLS
(CVE-2018-8020).
Updated packages in core/updates_testing:
QARepo (for i586) says "tomcat-native not found in the remote repository".
(In reply to Herman Viaene from comment #4)
> QARepo (for i586) says "tomcat-native not found in the remote repository".
Something is wrong on your end, because it's there.
Now it works. Usually the Belgian mirror is 1 day behind, but up to now never that much.
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Installed complete tomcat as per bug 23045 and checked correct working. Is OK.
Ref bug 22568: in this way, a clean install is enough for tomcat-native.
David Geiger, just an FYI that 1.2.21 is out, fixing memory leaks:
Advisory committed to svn. Validating the update.
An update for this issue has been pushed to the Mageia Updates repository.