Bug 24799 - tomcat new security issue CVE-2019-0199 and CVE-2019-0221
Summary: tomcat new security issue CVE-2019-0199 and CVE-2019-0221
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2019-05-12 02:28 CEST by David Walser
Modified: 2019-07-19 11:43 CEST

See Also:
Source RPM: tomcat-9.0.13-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 9.0.20


Description David Walser 2019-05-12 02:28:25 CEST
A security issue in Tomcat has been announced on February 8:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.16

Not sure how we missed it.  The issue is fixed in 9.0.16; newest is 9.0.19.

Mageia 6 is not affected.
Comment 1 David Walser 2019-05-13 20:26:16 CEST
9.0.20 is now out; no word yet on what it fixes.
David Walser 2019-06-23 19:15:07 CEST

Whiteboard: (none) => MGA7TOO

Comment 2 David Walser 2019-06-23 19:17:21 CEST
9.0.19 fixed another security issue:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.19

and the fix for CVE-2019-0199 was incomplete, which was fixed in 9.0.20:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20

Summary: tomcat new security issue CVE-2019-0199 => tomcat new security issue CVE-2019-0199 and CVE-2019-0221
Status comment: (none) => Fixed upstream in 9.0.20

Comment 3 David Walser 2019-07-05 17:12:24 CEST
tomcat-9.0.21-1.mga8 uploaded for Cauldron by David.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => geiger.david68210

Comment 4 David GEIGER 2019-07-06 07:51:00 CEST
Done also for mga7 updating tomcat and tomcat-native!
Comment 5 David Walser 2019-07-06 21:56:07 CEST
Thanks.  You might want to update tomcat-native again, as the fixes in 1.2.22 look desirable.

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS
frames and also permitted clients to keep streams open without reading/writing
request/response data. By keeping streams open for requests that utilised the
Servlet API's blocking I/O, clients were able to cause server-side threads to
block eventually leading to thread exhaustion and a DoS (CVE-2019-0199).

The SSI printenv command echoes user provided data without escaping and is,
therefore, vulnerable to XSS. SSI is disabled by default. The printenv command
is intended for debugging and is unlikely to be present in a production website
(CVE-2019-0221).

The tomcat package has been updated to version 9.0.21 to fix these issues.
The tomcat-native package has also been updated to version 1.2.21.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.16
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.19
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.21-1.mga7
tomcat-admin-webapps-9.0.21-1.mga7
tomcat-docs-webapp-9.0.21-1.mga7
tomcat-jsvc-9.0.21-1.mga7
tomcat-jsp-2.3-api-9.0.21-1.mga7
tomcat-lib-9.0.21-1.mga7
tomcat-servlet-4.0-api-9.0.21-1.mga7
tomcat-el-3.0-api-9.0.21-1.mga7
tomcat-webapps-9.0.21-1.mga7
tomcat-native-1.2.21-1.mga7

from SRPMS:
tomcat-9.0.21-1.mga7.src.rpm
tomcat-native-1.2.21-1.mga7.src.rpm
Comment 6 David GEIGER 2019-07-08 16:35:09 CEST
Done for latest tomcat-native 1.2.23!
Comment 7 David Walser 2019-07-08 16:53:35 CEST
Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS
frames and also permitted clients to keep streams open without reading/writing
request/response data. By keeping streams open for requests that utilised the
Servlet API's blocking I/O, clients were able to cause server-side threads to
block eventually leading to thread exhaustion and a DoS (CVE-2019-0199).

The SSI printenv command echoes user provided data without escaping and is,
therefore, vulnerable to XSS. SSI is disabled by default. The printenv command
is intended for debugging and is unlikely to be present in a production website
(CVE-2019-0221).

The tomcat package has been updated to version 9.0.21 to fix these issues.
The tomcat-native package has also been updated to version 1.2.23.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.16
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.19
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.21-1.mga7
tomcat-admin-webapps-9.0.21-1.mga7
tomcat-docs-webapp-9.0.21-1.mga7
tomcat-jsvc-9.0.21-1.mga7
tomcat-jsp-2.3-api-9.0.21-1.mga7
tomcat-lib-9.0.21-1.mga7
tomcat-servlet-4.0-api-9.0.21-1.mga7
tomcat-el-3.0-api-9.0.21-1.mga7
tomcat-webapps-9.0.21-1.mga7
tomcat-native-1.2.23-1.mga7

from SRPMS:
tomcat-9.0.21-1.mga7.src.rpm
tomcat-native-1.2.23-1.mga7.src.rpm

Assignee: java => qa-bugs
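
As an added triage helper (not part of this bug report or of the Mageia packages), the Python below maps the fix timeline recorded in this bug onto a Tomcat RPM name and reports which of the two CVEs a given 9.0.x build still lacks a complete fix for: CVE-2019-0199 was first addressed in 9.0.16 but only completely fixed in 9.0.20, and CVE-2019-0221 was fixed in 9.0.19. The RPM-name parsing and the fixed-version table are assumptions drawn from the versions quoted on this page, and only the Tomcat 9.0 line is covered.

```python
import re

# Fix versions as recorded in this bug (assumption: taken from the comments
# above, which cite the Apache Tomcat 9 security page). The 9.0.16 fix for
# CVE-2019-0199 was incomplete, so 9.0.20 is the first version counted as fixed.
FIXED_IN = {
    "CVE-2019-0199": (9, 0, 20),
    "CVE-2019-0221": (9, 0, 19),
}

# RPM name layout assumed here: tomcat[-subpackage]-<version>-<release>[.src.rpm]
# e.g. "tomcat-9.0.13-1.mga7.src.rpm" or "tomcat-jsp-2.3-api-9.0.21-1.mga7".
_NVR = re.compile(r"^tomcat(?:-[a-z][\w.-]*?)?-(\d+(?:\.\d+)*)-([^-]+)$")


def parse_tomcat_version(rpm_name):
    """Return the upstream version of a tomcat RPM as a tuple of ints,
    e.g. (9, 0, 13); raise ValueError if the name does not parse."""
    m = _NVR.match(rpm_name)
    if not m:
        raise ValueError("not a tomcat RPM name: %r" % rpm_name)
    return tuple(int(part) for part in m.group(1).split("."))


def unfixed_cves(version):
    """CVEs from this report that the given Tomcat 9.0.x version still lacks
    a complete fix for, sorted. Other release lines are out of scope."""
    if version[:2] != (9, 0):
        raise ValueError("only the Tomcat 9.0 line is covered: %r" % (version,))
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def triage(rpm_name):
    """Convenience wrapper: RPM name in, list of still-open CVE ids out."""
    return unfixed_cves(parse_tomcat_version(rpm_name))


if __name__ == "__main__":
    # The source RPM named at the top of this bug, and the update that closed it.
    for name in ("tomcat-9.0.13-1.mga7.src.rpm", "tomcat-9.0.21-1.mga7.src.rpm"):
        print(name, "->", triage(name) or "no open CVEs from this report")
```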

Comment 8 Herman Viaene 2019-07-19 11:36:29 CEST
MGA7-64 Plasma on LenovoB50
No installation issues.
Ref to bug 23045 Comment 8 for tests.
Tested all samples and some of the examples, all work OK.
But I keep getting authorization problems trying to get into the manager app.
I made changes to /etc/tomcat/tomcat-users.xml, each time restarted the httpd and tomcat services, but I don't get it.
Attaching the file, must be a stupid error.

CC: (none) => herman.viaene

Comment 9 Herman Viaene 2019-07-19 11:43:37 CEST
@@@@@####" I can't attach the file; when I submit, I get: Software error:

Malformed multipart POST: data truncated
