SUSE has issued an advisory on April 9:
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005314.html

The issues are fixed upstream in 1.2.18.
I didn't know this is a java stack package, but in the changelog I see

* Wed Feb 24 2016 neoclust <neoclust> 1.2.4-3.mga6
+ Revision: 978208
- First rebuild of the java stack

so assigning to the java stack maintainers.
CC: (none) => marja11
Assignee: bugsquad => java
Fixed for mga6!
CC: (none) => geiger.david68210
Advisory:
========================

Updated tomcat-native package fixes security vulnerabilities:

When using an OCSP responder did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS (CVE-2018-8019).

Did not properly check OCSP pre-produced responses. Revoked client certificates may have not been properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS (CVE-2018-8020).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8020
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005314.html
========================

Updated packages in core/updates_testing:
========================
tomcat-native-1.2.18-1.mga6

from tomcat-native-1.2.18-1.mga6.src.rpm
Assignee: java => qa-bugs
QARepo (for i586) says "tomcat-native not found in the remote repository".
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #4)
> QARepo (for i586) says "tomcat-native not found in the remote repository".

Something is wrong on your end, because it's there.
http://mirrors.kernel.org/mageia/distrib/6/i586/media/core/updates_testing/tomcat-native-1.2.18-1.mga6.i586.rpm for example.
Now it works. Usually the Belgian mirror is 1 day behind, but up to now never that much.
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Installed complete tomcat as per bug 23045 and checked correct working. Is OK.
Ref bug 22568 in this way a clean install is enough for tomcat-native.
Whiteboard: (none) => MGA6-32-OK
David Geiger, just an FYI that 1.2.21 is out, fixing memory leaks: http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0184.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED