Bug 24755 - tomcat-native new security issue CVE-2018-8019 and CVE-2018-8020
Summary: tomcat-native new security issue CVE-2018-8019 and CVE-2018-8020
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-05-03 20:45 CEST by David Walser
Modified: 2019-05-19 13:28 CEST (History)
5 users (show)

See Also:
Source RPM: tomcat-native-1.2.16-1.mga6.src.rpm
Status comment:


Description David Walser 2019-05-03 20:45:05 CEST
SUSE has issued an advisory on April 9:

The issues are fixed upstream in 1.2.18.
Comment 1 Marja Van Waes 2019-05-03 21:20:49 CEST
I didn't know this is a java stack package, but in the changelog I see

* Wed Feb 24 2016 neoclust <neoclust> 1.2.4-3.mga6
+ Revision: 978208
- First rebuild of the java stack

so assigning to the java stack maintainers.

CC: (none) => marja11
Assignee: bugsquad => java

Comment 2 David GEIGER 2019-05-04 05:14:16 CEST
Fixed for mga6!

CC: (none) => geiger.david68210

Comment 3 David Walser 2019-05-04 23:16:21 CEST

Updated tomcat-native package fixes security vulnerabilities:

When using an OCSP responder did not correctly handle invalid responses. This
allowed for revoked client certificates to be incorrectly identified. It was
therefore possible for users to authenticate with revoked certificates when
using mutual TLS (CVE-2018-8019).

Did not properly check OCSP pre-produced responses. Revoked client certificates
may have not been properly identified, allowing for users to authenticate with
revoked certificates to connections that require mutual TLS (CVE-2018-8020).


Updated packages in core/updates_testing:

from tomcat-native-1.2.18-1.mga6.src.rpm

Assignee: java => qa-bugs

Comment 4 Herman Viaene 2019-05-08 14:41:14 CEST
QARepo (for i586) says "tomcat-native not found in the remote repository".

CC: (none) => herman.viaene

Comment 5 David Walser 2019-05-08 17:24:11 CEST
(In reply to Herman Viaene from comment #4)
> QARepo (for i586) says "tomcat-native not found in the remote repository".

Something is wrong on your end, because it's there.


for example.
Comment 6 Herman Viaene 2019-05-08 17:31:04 CEST
Now it works. Usually the Belgian mirror is 1 day behind, but up to now never that much.
Comment 7 Herman Viaene 2019-05-10 16:18:23 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Installed complete tomcat as per bug 23045 and checked correct  working. Is OK.
Ref bug 22568 in this way a clean install is enough for tomcat-native.

Whiteboard: (none) => MGA6-32-OK

Comment 8 David Walser 2019-05-12 02:26:24 CEST
David Geiger, just an FYI that 1.2.21 is out, fixing memory leaks:
Comment 9 Dave Hodgins 2019-05-19 09:28:39 CEST
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 10 Mageia Robot 2019-05-19 13:28:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.