Bug 24755 - tomcat-native new security issue CVE-2018-8019 and CVE-2018-8020
Summary: tomcat-native new security issue CVE-2018-8019 and CVE-2018-8020
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All, OS: Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2019-05-03 20:45 CEST by David Walser
Modified: 2019-05-19 13:28 CEST

See Also:
Source RPM: tomcat-native-1.2.16-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2019-05-03 20:45:05 CEST
SUSE has issued an advisory on April 9:
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005314.html

The issues are fixed upstream in 1.2.18.
Comment 1 Marja Van Waes 2019-05-03 21:20:49 CEST
I didn't know this is a java stack package, but in the changelog I see

* Wed Feb 24 2016 neoclust <neoclust> 1.2.4-3.mga6
+ Revision: 978208
- First rebuild of the java stack

so assigning to the java stack maintainers.

CC: (none) => marja11
Assignee: bugsquad => java

Comment 2 David GEIGER 2019-05-04 05:14:16 CEST
Fixed for mga6!

CC: (none) => geiger.david68210

Comment 3 David Walser 2019-05-04 23:16:21 CEST
Advisory:
========================

Updated tomcat-native package fixes security vulnerabilities:

When using an OCSP responder, tomcat-native did not correctly handle invalid responses. This
allowed for revoked client certificates to be incorrectly identified. It was
therefore possible for users to authenticate with revoked certificates when
using mutual TLS (CVE-2018-8019).

tomcat-native did not properly check OCSP pre-produced responses. Revoked client certificates
may have not been properly identified, allowing for users to authenticate with
revoked certificates to connections that require mutual TLS (CVE-2018-8020).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8020
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005314.html
========================

Updated packages in core/updates_testing:
========================
tomcat-native-1.2.18-1.mga6

from tomcat-native-1.2.18-1.mga6.src.rpm

Assignee: java => qa-bugs

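Added example, not code from tomcat-native or from this bug report: it models the two checks the advisory describes, namely that an OCSP response whose status is not "successful" must fail the check instead of passing it, and that a pre-produced response listing several certificates must be searched for the entry matching the client certificate's serial number. The dict layout, field names and serial numbers are constructed stand-ins for a parsed OCSP response.

```python
from datetime import datetime, timedelta, timezone

OCSP_SUCCESSFUL = 0  # OCSPResponseStatus successful(0); tryLater is 3

# Constructed sample: a pre-produced response carrying statuses for two
# certificates, with the revoked one deliberately not in first position.
NOW = datetime(2019, 5, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {
    "response_status": OCSP_SUCCESSFUL,
    "responses": [
        {"serial": 0x1001, "status": "good",
         "this_update": NOW - timedelta(hours=1),
         "next_update": NOW + timedelta(days=1)},
        {"serial": 0x1002, "status": "revoked",
         "this_update": NOW - timedelta(hours=1),
         "next_update": NOW + timedelta(days=1)},
    ],
}
ERROR_RESPONSE = {"response_status": 3, "responses": []}  # tryLater(3)

def naive_accepts(response, serial, now):
    """Weak logic of the kind the advisory describes: ignores the response
    status, looks only at the first entry and accepts anything not marked
    revoked, so an error response or a later entry slips through."""
    entries = response.get("responses", [])
    if not entries:
        return True  # empty/error response silently treated as acceptable
    return entries[0]["status"] != "revoked"

def _entry_fresh(entry, now):
    """A single response is usable only inside its thisUpdate/nextUpdate window."""
    if entry["this_update"] > now:
        return False
    next_update = entry.get("next_update")
    return next_update is None or next_update >= now

def ocsp_accepts(response, serial, now=None):
    """Fail-closed evaluation: the certificate is accepted only if the
    response status is successful and the response contains a fresh 'good'
    entry matched by this certificate's serial number."""
    now = now or datetime.now(timezone.utc)
    if response.get("response_status") != OCSP_SUCCESSFUL:
        return False  # tryLater, malformed, unauthorized: nothing verified
    for entry in response.get("responses", []):
        if entry["serial"] != serial:
            continue  # status of some other certificate in the same response
        return entry["status"] == "good" and _entry_fresh(entry, now)
    return False  # no entry for this certificate: treat as unknown, reject
```

With the sample above, `naive_accepts` lets serial 0x1002 through even though its entry is revoked, and accepts the tryLater response outright, while `ocsp_accepts` rejects both.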
Comment 4 Herman Viaene 2019-05-08 14:41:14 CEST
QARepo (for i586) says "tomcat-native not found in the remote repository".

CC: (none) => herman.viaene

Comment 5 David Walser 2019-05-08 17:24:11 CEST
(In reply to Herman Viaene from comment #4)
> QARepo (for i586) says "tomcat-native not found in the remote repository".

Something is wrong on your end, because it's there.

http://mirrors.kernel.org/mageia/distrib/6/i586/media/core/updates_testing/tomcat-native-1.2.18-1.mga6.i586.rpm

for example.
Comment 6 Herman Viaene 2019-05-08 17:31:04 CEST
Now it works. Usually the Belgian mirror is 1 day behind, but up to now never that much.
Comment 7 Herman Viaene 2019-05-10 16:18:23 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Installed complete tomcat as per bug 23045 and checked correct working. Is OK.
Ref bug 22568 in this way a clean install is enough for tomcat-native.

Whiteboard: (none) => MGA6-32-OK

Comment 8 David Walser 2019-05-12 02:26:24 CEST
David Geiger, just an FYI that 1.2.21 is out, fixing memory leaks:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
Comment 9 Dave Hodgins 2019-05-19 09:28:39 CEST
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 10 Mageia Robot 2019-05-19 13:28:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0184.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
