A security issue in Tomcat has been announced on February 8: http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.16 Not sure how we missed it. The issue is fixed in 9.0.16; newest is 9.0.19. Mageia 6 is not affected.
9.0.20 is now out; no word yet on what it fixes.
Whiteboard: (none) => MGA7TOO
9.0.19 fixed another security issue: http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.19 and the fix for CVE-2019-0199 was incomplete, which was fixed in 9.0.20: http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20
Summary: tomcat new security issue CVE-2019-0199 => tomcat new security issue CVE-2019-0199 and CVE-2019-0221
Status comment: (none) => Fixed upstream in 9.0.20
tomcat-9.0.21-1.mga8 uploaded for Cauldron by David.
Whiteboard: MGA7TOO => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 7
Done also for mga7 updating tomcat and tomcat-native!
Thanks. You might want to update tomcat-native again, as the fixes in 1.2.22 look desirable.

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS (CVE-2019-0199).

The SSI printenv command echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website (CVE-2019-0221).

The tomcat package has been updated to version 9.0.21 to fix these issues. The tomcat-native package has also been updated to version 1.2.21.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.16
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.19
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
========================

Updated packages in core/updates_testing:
========================

tomcat-9.0.21-1.mga7
tomcat-admin-webapps-9.0.21-1.mga7
tomcat-docs-webapp-9.0.21-1.mga7
tomcat-jsvc-9.0.21-1.mga7
tomcat-jsp-2.3-api-9.0.21-1.mga7
tomcat-lib-9.0.21-1.mga7
tomcat-servlet-4.0-api-9.0.21-1.mga7
tomcat-el-3.0-api-9.0.21-1.mga7
tomcat-webapps-9.0.21-1.mga7
tomcat-native-1.2.21-1.mga7

from SRPMS:
tomcat-9.0.21-1.mga7.src.rpm
tomcat-native-1.2.21-1.mga7.src.rpm
Done for latest tomcat-native 1.2.23!
Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS (CVE-2019-0199).

The SSI printenv command echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website (CVE-2019-0221).

The tomcat package has been updated to version 9.0.21 to fix these issues. The tomcat-native package has also been updated to version 1.2.23.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.16
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.19
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
========================

Updated packages in core/updates_testing:
========================

tomcat-9.0.21-1.mga7
tomcat-admin-webapps-9.0.21-1.mga7
tomcat-docs-webapp-9.0.21-1.mga7
tomcat-jsvc-9.0.21-1.mga7
tomcat-jsp-2.3-api-9.0.21-1.mga7
tomcat-lib-9.0.21-1.mga7
tomcat-servlet-4.0-api-9.0.21-1.mga7
tomcat-el-3.0-api-9.0.21-1.mga7
tomcat-webapps-9.0.21-1.mga7
tomcat-native-1.2.23-1.mga7

from SRPMS:
tomcat-9.0.21-1.mga7.src.rpm
tomcat-native-1.2.23-1.mga7.src.rpm
Assignee: java => qa-bugs
MGA7-64 Plasma on LenovoB50

No installation issues. Ref to bug 23045 Comment 8 for tests. Tested all samples and some of the examples, all work OK. But I keep getting authorization problems trying to get into the manager app. I made changes to the /etc/tomcat/tomcat-users.xml, each time restarted the httpd and tomcat services, but I don't get it. Attaching the file, must be a stupid error.
CC: (none) => herman.viaene
@@@@@####" I can't attach the file; when I submit, I get: Software error: Malformed multipart POST: data truncated
Created attachment 11224 [details] configuration of tomcat users
Advisory added to svn, updated with the security fix in 9.0.20: The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS (CVE-2019-10072). https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20
CC: (none) => tmb
Keywords: (none) => advisory
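The two HTTP/2 conditions described in the advisory (CVE-2019-0199: floods of SETTINGS frames, and streams held open with no request data) and in the CVE-2019-10072 note above (no WINDOW_UPDATE ever sent for the connection window, stream 0) can be spotted in a raw client byte stream with a small frame walker. The following is an added example, not code from this bug report or from Tomcat; it reads the 9-byte frame header laid out in RFC 7540 (24-bit length, type, flags, 31-bit stream id). The thresholds, the HPACK-indexed payloads and both captures are constructed assumptions for illustration, not Tomcat's own limits or real traffic.

```python
"""Walk one HTTP/2 client connection's frames and flag the patterns the
advisory describes. Added example; thresholds are illustrative assumptions."""
import struct

FRAME_HEADER_LEN = 9
TYPE_DATA, TYPE_HEADERS, TYPE_RST_STREAM = 0x0, 0x1, 0x3
TYPE_SETTINGS, TYPE_WINDOW_UPDATE = 0x4, 0x8
FLAG_ACK = 0x1          # on SETTINGS frames
FLAG_END_STREAM = 0x1   # on HEADERS / DATA frames
FLAG_END_HEADERS = 0x4
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame; used only to construct the sample captures below."""
    length = struct.pack(">I", len(payload))[1:]                     # 24-bit length
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data):
    """Return [(type, flags, stream_id, payload), ...]; stops at a truncated frame."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        start, end = off + FRAME_HEADER_LEN, off + FRAME_HEADER_LEN + length
        if end > len(data):
            break
        frames.append((ftype, flags, stream_id, data[start:end]))
        off = end
    return frames


def audit_client_frames(data, max_settings=25, max_idle_streams=8, min_requests_for_window_check=20):
    """Summarise the client side of one connection and list suspicious patterns.
    Threshold defaults are assumptions chosen for this example."""
    settings = conn_window_updates = requests = 0
    open_streams = {}   # stream id -> request-body bytes received so far
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == TYPE_SETTINGS and not flags & FLAG_ACK:
            settings += 1
        elif ftype == TYPE_WINDOW_UPDATE and sid == 0:
            conn_window_updates += 1          # client widened the server's connection window
        elif ftype == TYPE_HEADERS and sid != 0:
            requests += 1
            if not flags & FLAG_END_STREAM:   # client still owes a request body
                open_streams[sid] = 0
        elif ftype == TYPE_DATA and sid in open_streams:
            open_streams[sid] += len(payload)
            if flags & FLAG_END_STREAM:
                del open_streams[sid]
        elif ftype == TYPE_RST_STREAM:
            open_streams.pop(sid, None)
    idle = sum(1 for n in open_streams.values() if n == 0)
    findings = []
    if settings > max_settings:
        findings.append(f"{settings} SETTINGS frames (limit {max_settings})")
    if idle > max_idle_streams:
        findings.append(f"{idle} streams opened with a pending body but no DATA ever sent")
    if requests >= min_requests_for_window_check and conn_window_updates == 0:
        findings.append(f"{requests} requests but no WINDOW_UPDATE on stream 0")
    return {"settings": settings, "requests": requests, "conn_window_updates": conn_window_updates,
            "idle_open_streams": idle, "findings": findings}


def sample_benign_capture():
    """Constructed: one SETTINGS, one complete GET, one connection window update."""
    return (PREFACE
            + build_frame(TYPE_SETTINGS, 0, 0)
            + build_frame(TYPE_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, 1, b"\x82")  # HPACK ':method: GET'
            + build_frame(TYPE_WINDOW_UPDATE, 0, 0, struct.pack(">I", 65535)))


def sample_abusive_capture():
    """Constructed: 30 SETTINGS frames, then 10 POST-style streams left open with no body."""
    data = PREFACE + build_frame(TYPE_SETTINGS, 0, 0) * 30
    for sid in range(1, 21, 2):            # client-initiated streams are odd-numbered
        data += build_frame(TYPE_HEADERS, FLAG_END_HEADERS, sid, b"\x83")  # HPACK ':method: POST'
    return data


if __name__ == "__main__":
    for label, capture in (("benign", sample_benign_capture()), ("abusive", sample_abusive_capture())):
        print(label, audit_client_frames(capture))
```

The walker only sees the client's bytes, so the write-side check (CVE-2019-10072) is a heuristic: a client that issues many requests and never sends a stream-0 WINDOW_UPDATE is consistent with starving the server's connection window, but short responses may legitimately never need one. The fixed Tomcat versions enforce their own limits internally; this script is for triaging captures, not a replacement for the update.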
That didn't actually need to be added, since we never released an update with the incomplete fix.
Are we waiting on another fix? It appears so based on the above conversation.
CC: (none) => brtians1
No we're not.
$ uname -a
Linux linux.local 5.2.10-desktop-1.mga7 #1 SMP Sun Aug 25 17:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

- apache-commons-daemon-1.0.15-16.mga7.x86_64
- apache-commons-daemon-jsvc-1.0.15-16.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- glibc-devel-2.29-13.mga7.x86_64
- kernel-userspace-headers-5.2.10-1.mga7.x86_64
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0j-1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- tomcat-9.0.21-1.mga7.noarch
- tomcat-admin-webapps-9.0.21-1.mga7.noarch
- tomcat-docs-webapp-9.0.21-1.mga7.noarch
- tomcat-el-3.0-api-9.0.21-1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.21-1.mga7.noarch
- tomcat-jsvc-9.0.21-1.mga7.noarch
- tomcat-lib-9.0.21-1.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.21-1.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.21-1.mga7.noarch

I went to /etc/tomcat and edited the tomcat-users.xml using the root password I set up:

<role rolename="manager-gui"/>
<user username="both" password="brian" roles="tomcat,manager-gui"/>

Started the services and was able to navigate the manager services. Works for me.
Whiteboard: (none) => MGA7-64-OK
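The tomcat-users.xml edit above grants manager-gui to a plaintext-password account, which is fine for a QA box but is exactly what a reviewer wants to enumerate on a real deployment. The following is an added example, not code from this bug report, from Tomcat or from the Mageia package: it parses a tomcat-users.xml, lists every account holding a manager-* or admin-* role, and reports whether its password is still stored in the clear. The sample file is constructed here (its first user copies the one quoted in the comment above); the "hashed" pattern assumes the bare-hex or salt$iterations$digest form that Tomcat's MessageDigestCredentialHandler writes.

```python
"""Audit a tomcat-users.xml for privileged accounts and plaintext passwords.
Added example; the sample document and the digest heuristic are assumptions."""
import re
import xml.etree.ElementTree as ET

PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}
# Assumed MessageDigestCredentialHandler output: bare hex digest, or salt$iterations$digest.
HASHED_RE = re.compile(r"^(?:[0-9a-f]{32,}|[0-9a-f]+\$\d+\$[0-9a-f]{32,})$", re.IGNORECASE)

# Constructed sample; the first user mirrors the one from the test report.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="tomcat"/>
  <role rolename="manager-gui"/>
  <user username="both" password="brian" roles="tomcat,manager-gui"/>
  <user username="deployer" password="3f2a9c1b7e5d4a6f$10000$9b74c9897bac770ffc029102a200c5de" roles="manager-script"/>
  <user username="viewer" password="x" roles="tomcat"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so namespaced and bare files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def load_users(xml_text):
    """Return {username: {"password": str, "roles": set}} from a tomcat-users.xml document."""
    users = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name")
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        users[name] = {"password": elem.get("password", ""), "roles": roles}
    return users


def looks_hashed(password):
    """True if the stored credential matches the assumed digest layout, not a clear password."""
    return bool(HASHED_RE.match(password))


def privileged_accounts(users):
    """List (username, sorted privileged roles, plaintext_password) for accounts that can reach
    the manager or host-manager applications."""
    out = []
    for name, info in users.items():
        priv = sorted(info["roles"] & PRIVILEGED_ROLES)
        if priv:
            out.append((name, priv, not looks_hashed(info["password"])))
    return out


if __name__ == "__main__":
    for name, roles, plaintext in privileged_accounts(load_users(SAMPLE_TOMCAT_USERS)):
        flag = "PLAINTEXT password" if plaintext else "digested password"
        print(f"{name}: {', '.join(roles)} ({flag})")
```

Run it against /etc/tomcat/tomcat-users.xml after an update such as this one to confirm that the only manager-* holders are the ones you expect; any account flagged PLAINTEXT should be moved to a CredentialHandler-digested password before the manager app is exposed beyond localhost.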
OK, then. Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0260.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED