Bug 26657 - tomcat new security issue CVE-2020-9484
Summary: tomcat new security issue CVE-2020-9484
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-05-21 00:43 CEST by David Walser
Modified: 2020-07-05 13:27 CEST (History)

See Also:
Source RPM: tomcat-9.0.34-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2020-05-21 00:43:11 CEST
Apache has issued an advisory today (May 20):
https://www.openwall.com/lists/oss-security/2020/05/20/4

The issue is fixed upstream in 9.0.35:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35

Mageia 7 is also affected.
David Walser 2020-05-21 00:43:26 CEST

Status comment: (none) => Fixed upstream in 9.0.35
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2020-05-22 01:27:29 CEST
Advisory:

This update fixes CVE-2020-9484
Apache Tomcat Remote Code Execution via session persistence

It updates tomcat to version 9.0.35
References:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35

rpms:
tomcat-servlet-4.0-api-9.0.35-1.mga7
tomcat-9.0.35-1.mga7
tomcat-el-3.0-api-9.0.35-1.mga7
tomcat-webapps-9.0.35-1.mga7
tomcat-jsp-2.3-api-9.0.35-1.mga7
tomcat-jsvc-9.0.35-1.mga7
tomcat-lib-9.0.35-1.mga7
tomcat-docs-webapp-9.0.35-1.mga7


from:
tomcat-9.0.35-1.mga7

Status comment: Fixed upstream in 9.0.35 => (none)
Assignee: java => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia

David Walser 2020-05-22 01:39:19 CEST

Version: Cauldron => 7

Comment 2 David Walser 2020-05-22 19:20:41 CEST
Advisory:
========================

Updated tomcat packages fix security vulnerability:

When using Apache Tomcat versions 9.0.0.M1 to 9.0.34, if a) an attacker is able
to control the contents and name of a file on the server; and b) the server is
configured to use the PersistenceManager with a FileStore; and c) the
PersistenceManager is configured with
sessionAttributeValueClassNameFilter="null" (the default unless a
SecurityManager is used) or a sufficiently lax filter to allow the attacker
provided object to be deserialized; and d) the attacker knows the relative file
path from the storage location used by FileStore to the file the attacker has
control over; then, using a specifically crafted request, the attacker will be
able to trigger remote code execution via deserialization of the file under
their control. Note that all of conditions a) to d) must be true for the attack
to succeed (CVE-2020-9484).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35
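
The advisory above spells out four conditions; b) and c) are pure server configuration and can be audited. The following script is an added example, not code from this bug report, Mageia, or the Tomcat project: it parses a Tomcat context.xml and reports any `PersistentManager` (the advisory's "PersistenceManager"; the real class is `org.apache.catalina.session.PersistentManager`) backed by a `FileStore` whose `sessionAttributeValueClassNameFilter` is unset, the literal "null", or lax enough to accept a class outside java.lang. The two context.xml fragments and the probe class name are constructed for the example; the element and attribute names are Tomcat's own. It only checks the configuration side, and the fix remains upgrading to 9.0.35.

```python
import re
import xml.etree.ElementTree as ET

# Tomcat class names for the components named in conditions b) and c).
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
# Constructed probe: a class name outside java.lang. If the filter accepts it,
# the filter is too lax to stop attacker-supplied objects from being deserialized.
PROBE_CLASS = "com.example.ArbitraryGadget"

def filter_is_lax(pattern):
    """True if the filter is unset, the literal 'null', or accepts PROBE_CLASS."""
    if pattern is None or pattern.strip() in ("", "null"):
        return True
    try:
        # Tomcat applies the regex with Matcher.matches(), i.e. a full match.
        return re.fullmatch(pattern, PROBE_CLASS) is not None
    except re.error:
        return True  # unparseable regex: treat as unsafe for audit purposes

def audit_context(xml_text):
    """Return one finding per PersistentManager+FileStore that has a lax filter."""
    findings = []
    for mgr in ET.fromstring(xml_text).iter("Manager"):
        if mgr.get("className") != PERSISTENT_MANAGER:
            continue
        if not any(s.get("className") == FILE_STORE for s in mgr.findall("Store")):
            continue
        flt = mgr.get("sessionAttributeValueClassNameFilter")
        if filter_is_lax(flt):
            findings.append("PersistentManager with FileStore deserializes arbitrary "
                            f"classes (sessionAttributeValueClassNameFilter={flt!r})")
    return findings

# Constructed context.xml fragments (not taken from the bug report or from Mageia).
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Same setup with the allowlist Tomcat itself applies when a SecurityManager is used.
HARDENED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for name, ctx in (("vulnerable", VULNERABLE_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(name, audit_context(ctx) or "OK")
```

A restrictive filter still only blocks the unsafe class names at deserialization time; applications that legitimately store custom objects in sessions need their own classes added to the regex.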
Comment 3 Herman Viaene 2020-05-24 16:19:08 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
I still had /etc/tomcat/tomcat-users.xml from previous tests, so that one was saved during installation. I re-used it, ref bug 23045.
I browsed http://localhost:8080/sample and http://localhost:8080/examples and clicked the links.
All worked except one which throws a 404 error.
The page http://localhost:8080 also comes up OK, but trying the manager app also results in:
HTTP Status 404 – Not Found

Type Status Report

Message The requested resource [/manager/html] is not available

Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

I guess the package tomcat-admin-webapps is missing.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-06-02 02:31:55 CEST
The package tomcat-admin-webapps-9.0.35-1.mga7 is missing from the list in Comment 1, but I did find it in the testing repo.

CC: (none) => andrewsfarm

Comment 5 Herman Viaene 2020-06-02 14:06:19 CEST
Added the tomcat-admin-webapps-9.0.35-1.mga7 package, which gets rid of the 404 error.
But I can't get past the authentication.
My tomcat-users.xml reads at the end:
<role rolename="tomcat"/>
<role rolename="admin"/>
<role rolename="admin-gui"/> 
<role rolename="admin-script"/>
<role rolename="manager"/> 
<role rolename="manager-gui"/>
<role rolename="manager-script"/> 
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user name="admin" password="tester" roles="tomcat,admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status"/>
I don't see the problem here.
Comment 6 David Walser 2020-06-11 17:52:09 CEST
RedHat has issued an advisory for this today (June 11):
https://access.redhat.com/errata/RHSA-2020:2530
Comment 7 Dave Hodgins 2020-06-26 04:08:05 CEST
Used qarepo to get the following packages
tomcat-9.0.35-1.mga7.noarch.rpm
tomcat-admin-webapps-9.0.35-1.mga7.noarch.rpm
tomcat-docs-webapp-9.0.35-1.mga7.noarch.rpm
tomcat-el-3.0-api-9.0.35-1.mga7.noarch.rpm
tomcat-jsp-2.3-api-9.0.35-1.mga7.noarch.rpm
tomcat-jsvc-9.0.35-1.mga7.noarch.rpm
tomcat-lib-9.0.35-1.mga7.noarch.rpm
tomcat-servlet-4.0-api-9.0.35-1.mga7.noarch.rpm
tomcat-webapps-9.0.35-1.mga7.noarch.rpm

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  apache-commons-daemon          1.0.15       16.mga7       i586    
  apache-commons-daemon-jsvc     1.0.15       16.mga7       i586    
  ecj                            4.10         1.mga7        noarch  
  libapr-devel                   1.7.0        1.mga7        i586    (recommended)
  libtool                        2.4.6        9.mga7        i586    (recommended)
  libtool-base                   2.4.6        9.mga7        i586    (recommended)
  libuuid-devel                  2.33.2       1.mga7        i586    (recommended)
  libxcrypt-devel                4.4.6        1.mga7        i586    (recommended)
  libzlib-devel                  1.2.11       7.mga7        i586    (recommended)
  tomcat-javadoc                 9.0.13       1.mga7        noarch  
  tomcat-taglibs-standard        1.2.5        4.mga7        noarch  
(medium "Core Updates (distrib3)")
  glibc-devel                    2.29         20.mga7       i586    (recommended)
  kernel-userspace-headers       5.6.14       2.mga7        i586    (recommended)
  libopenssl-devel               1.1.0l       1.1.mga7      i586    (recommended)
  tomcat                         9.0.31       1.mga7        noarch  
  tomcat-admin-webapps           9.0.31       1.mga7        noarch  
  tomcat-docs-webapp             9.0.31       1.mga7        noarch  
  tomcat-el-3.0-api              9.0.31       1.mga7        noarch  
  tomcat-jsp-2.3-api             9.0.31       1.mga7        noarch  
  tomcat-jsvc                    9.0.31       1.mga7        noarch  
  tomcat-lib                     9.0.31       1.mga7        noarch  
  tomcat-native                  1.2.23       1.mga7        i586    (recommended)
  tomcat-servlet-4.0-api         9.0.31       1.mga7        noarch  
  tomcat-webapps                 9.0.31       1.mga7        noarch

Edited /etc/tomcat/tomcat-users.xml to uncomment the users and set a password
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user name="admin" password="qatester" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" />

Started tomcat-jsvc.service and tomcat.service
Logged in to http://localhost:8080/manager/html
Tested various applications such as echo under the samples.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Dave Hodgins 2020-06-26 04:16:41 CEST
Oops. Retested after installing
-rw-r--r-- 1 dave dave   89188 Jun 25 21:54 tomcat-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave   28380 Jun 25 21:54 tomcat-admin-webapps-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave  720640 Jun 25 21:54 tomcat-docs-webapp-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave  105716 Jun 25 21:54 tomcat-el-3.0-api-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave   63768 Jun 25 21:54 tomcat-jsp-2.3-api-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave    8716 Jun 25 21:54 tomcat-jsvc-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave 5610132 Jun 25 21:54 tomcat-lib-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave  286904 Jun 25 21:54 tomcat-servlet-4.0-api-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave  316948 Jun 25 21:54 tomcat-webapps-9.0.35-1.mga7.noarch.rpm

Still ok.
Nicolas Lécureuil 2020-07-05 12:53:57 CEST

Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-07-05 13:27:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0277.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

