A security issue fixed upstream in Tomcat was announced on June 25:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36

The issue is fixed upstream in 9.0.36.

Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 9.0.36
Whiteboard: (none) => MGA7TOO
I see a _tmpfilescreate call in %post, which looks like it doesn't belong there, as I don't see a tmpfiles.d file in %files. Please make sure that's the case, otherwise we probably have this issue: https://lists.opensuse.org/opensuse-updates/2020-06/msg00160.html
SUSE issued an advisory for this on July 3:
https://lists.suse.com/pipermail/sle-security-updates/2020-July/007071.html
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated tomcat packages fix security vulnerability:

A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive (CVE-2020-11996).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11996
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36
========================

Updated packages in core/updates_testing:
========================

tomcat-9.0.36-1.mga7
tomcat-admin-webapps-9.0.36-1.mga7
tomcat-docs-webapp-9.0.36-1.mga7
tomcat-jsvc-9.0.36-1.mga7
tomcat-jsp-2.3-api-9.0.36-1.mga7
tomcat-lib-9.0.36-1.mga7
tomcat-servlet-4.0-api-9.0.36-1.mga7
tomcat-el-3.0-api-9.0.36-1.mga7
tomcat-webapps-9.0.36-1.mga7

from tomcat-9.0.36-1.mga7.src.rpm
Status comment: Fixed upstream in 9.0.36 => (none)
Version: Cauldron => 7
Assignee: java => qa-bugs
Whiteboard: MGA7TOO => (none)
(In reply to David Walser from comment #1)
> I see a _tmpfilescreate call in %post, which looks like it doesn't belong
> there, as I don't see a tmpfiles.d file in %files. Please make sure that's
> the case, otherwise we probably have this issue:
> https://lists.opensuse.org/opensuse-updates/2020-06/msg00160.html

David, please remove this from the SPEC if it's not needed.
The following 19 packages are going to be installed:
- apache-commons-daemon-1.0.15-16.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- glibc-devel-2.29-20.mga7.x86_64
- kernel-userspace-headers-5.6.14-2.mga7.x86_64
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0l-1.1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- tomcat-9.0.36-1.mga7.noarch
- tomcat-el-3.0-api-9.0.36-1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.36-1.mga7.noarch
- tomcat-lib-9.0.36-1.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.36-1.mga7.noarch
49MB of additional disk space will be used.
-- able to start tomcat

Added the following.
The following 9 packages are going to be installed:
- apache-2.4.43-1.mga7.x86_64
- apache-commons-daemon-jsvc-1.0.15-16.mga7.x86_64
- lib64apr-util1_0-1.6.1-3.mga7.x86_64
- tomcat-admin-webapps-9.0.36-1.mga7.noarch
- tomcat-docs-webapp-9.0.36-1.mga7.noarch
- tomcat-jsvc-9.0.36-1.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.36-1.mga7.noarch
- webserver-base-2.0-12.mga7.noarch
9.2MB of additional disk space will be used.

After they installed I went in and started services for httpd, tomcat-svc.
----- I edited the /etc/tomcat/tomcat-users.xml file and enabled the admin ID.
--- Restarted the tomcat services.
--- I was able to get into the administration module and navigate around looking at settings.

Works for me.
CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK
Has the issue from Comment 1 and Comment 5 been addressed? If so, I'll be fine with validating based on Brian's test.
CC: (none) => andrewsfarm
David just addressed it. A clean install/upgrade test should be good for this.

tomcat-9.0.36-1.1.mga7
tomcat-admin-webapps-9.0.36-1.1.mga7
tomcat-docs-webapp-9.0.36-1.1.mga7
tomcat-jsvc-9.0.36-1.1.mga7
tomcat-jsp-2.3-api-9.0.36-1.1.mga7
tomcat-lib-9.0.36-1.1.mga7
tomcat-servlet-4.0-api-9.0.36-1.1.mga7
tomcat-el-3.0-api-9.0.36-1.1.mga7
tomcat-webapps-9.0.36-1.1.mga7

from tomcat-9.0.36-1.1.mga7.src.rpm
Or not :o(

Two issues fixed upstream in 9.0.37 have been announced today (July 14):
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37

Pausing this so we can update it again.
Keywords: (none) => feedback
Summary: tomcat new security issue CVE-2020-11996 => tomcat new security issues CVE-2020-11996 and CVE-2020-1393[45]
Whiteboard: MGA7-64-OK => (none)
No problem. I'll watch for the update.
(In reply to David Walser from comment #9)
> Or not :o(
>
> Two issues fixed upstream in 9.0.37 have been announced today (July 14):
> http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37
>
> Pausing this so we can update it again.

Done for both Cauldron and mga7!
Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive (CVE-2020-11996).

An h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service (CVE-2020-13934).

The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service (CVE-2020-13935).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11996
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13935
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37
========================

Updated packages in core/updates_testing:
========================

tomcat-9.0.37-1.1.mga7
tomcat-admin-webapps-9.0.37-1.1.mga7
tomcat-docs-webapp-9.0.37-1.1.mga7
tomcat-jsvc-9.0.37-1.1.mga7
tomcat-jsp-2.3-api-9.0.37-1.1.mga7
tomcat-lib-9.0.37-1.1.mga7
tomcat-servlet-4.0-api-9.0.37-1.1.mga7
tomcat-el-3.0-api-9.0.37-1.1.mga7
tomcat-webapps-9.0.37-1.1.mga7

from tomcat-9.0.37-1.1.mga7.src.rpm
Keywords: feedback => (none)
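The WebSocket issue in the advisory above (CVE-2020-13935) comes down to a frame header whose length field is read without being sanity-checked. As an added illustration that is neither Tomcat's code nor part of this bug report, here is a defensive RFC 6455 frame-header reader in Python that rejects every malformed payload-length encoding up front instead of looping on it; the max_len cap is an assumed per-server limit and the sample frames are constructed.

```python
# Added illustration, not Tomcat's code: a WebSocket frame-header reader
# (RFC 6455 section 5.2) that rejects every malformed payload-length encoding
# up front, the input class behind CVE-2020-13935. Sample frames are constructed.
import struct
from typing import Tuple


class FrameError(ValueError):
    """Malformed header: close the connection instead of retrying the read."""


def parse_payload_length(header: bytes, max_len: int = 1 << 20) -> Tuple[int, int]:
    """Return (payload_length, header_bytes_consumed); max_len is an assumed
    per-server cap standing in for Tomcat's own buffer limits."""
    if len(header) < 2:
        raise FrameError("need at least 2 header bytes")
    short_len = header[1] & 0x7F          # low 7 bits of the second byte
    if short_len < 126:
        length, used = short_len, 2
    elif short_len == 126:                # 16-bit extended length follows
        if len(header) < 4:
            raise FrameError("truncated 16-bit extended length")
        (length,) = struct.unpack("!H", header[2:4])
        if length < 126:                  # RFC: minimal encoding is mandatory
            raise FrameError("non-minimal 16-bit length %d" % length)
        used = 4
    else:                                 # 127: 64-bit extended length follows
        if len(header) < 10:
            raise FrameError("truncated 64-bit extended length")
        (length,) = struct.unpack("!Q", header[2:10])
        if length >> 63:                  # MSB must be 0: a signed reader would
            raise FrameError("64-bit length with MSB set")  # see it as negative
        if length < 0x10000:
            raise FrameError("non-minimal 64-bit length %d" % length)
        used = 10
    if length > max_len:
        raise FrameError("payload %d exceeds limit %d" % (length, max_len))
    return length, used


def is_valid_frame_header(header: bytes, max_len: int = 1 << 20) -> bool:
    """True when the header's length field is well-formed and within the cap."""
    try:
        parse_payload_length(header, max_len)
        return True
    except FrameError:
        return False
```

A frame rejected here is closed with a protocol error; the reader never advances into a loop whose exit depends on a length it has not trusted.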
Installed the following:
- apache-2.4.43-1.mga7.x86_64
- apache-commons-daemon-1.0.15-16.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- glibc-devel-2.29-20.mga7.x86_64
- kernel-userspace-headers-5.6.14-2.mga7.x86_64
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr-util1_0-1.6.1-3.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0l-1.1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- tomcat-9.0.37-1.1.mga7.noarch
- tomcat-admin-webapps-9.0.37-1.1.mga7.noarch
- tomcat-docs-webapp-9.0.37-1.1.mga7.noarch
- tomcat-el-3.0-api-9.0.37-1.1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.37-1.1.mga7.noarch
- tomcat-lib-9.0.37-1.1.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.37-1.1.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.37-1.1.mga7.noarch
- webserver-base-2.0-12.mga7.noarch
58MB of additional disk space will be used.

-- enabled services
-- configured user-id and rebooted
-------------
Not working

Confirmed services are working, but I see the following:

Jul 15 16:19:31 linux.local server[863]: 15-Jul-2020 16:19:30.999 SEVERE [main] org.apache.tomcat.util.modeler.Registry.registerComponent Error registering MBean
Jul 15 16:19:31 linux.local server[863]: java.lang.ClassNotFoundException: org.apache.tomcat.util.modeler.modules.MbeansDescriptorsIntrospectionSource
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.getModelerSource(Registry.java:737)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.load(Registry.java:611)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.findManagedBean(Registry.java:518)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:641)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
Jul 15 16:19:31 linux.local server[863]: 15-Jul-2020 16:19:31.001 SEVERE [main] org.apache.catalina.startup.HostConfig.deployDirectory Error deploying web application directory [/var/lib/tomcat/webapps/examples]
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
Jul 15 16:19:31 linux.local server[863]: Caused by: java.lang.ClassNotFoundException: org.apache.tomcat.util.modeler.modules.MbeansDescriptorsIntrospectionSource
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.getModelerSource(Registry.java:737)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.load(Registry.java:611)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.findManagedBean(Registry.java:518)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:641)
Jul 15 16:19:31 linux.local server[863]: 15-Jul-2020 16:19:31.004 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/var/lib/tomcat/webapps/examples] has finished in [221] ms
Jul 15 16:19:31 linux.local server[863]: 15-Jul-2020 16:19:31.015 SEVERE [main] org.apache.tomcat.util.modeler.Registry.registerComponent Error registering MBean
Jul 15 16:19:31 linux.local server[863]: java.lang.ClassNotFoundException: org.apache.tomcat.util.modeler.modules.MbeansDescriptorsIntrospectionSource
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.getModelerSource(Registry.java:737)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.load(Registry.java:611)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.findManagedBean(Registry.java:518)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:641)
Jul 15 16:19:31 linux.local server[863]: java.lang.ClassNotFoundException: org.apache.tomcat.util.modeler.modules.MbeansDescriptorsIntrospectionSource
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.getModelerSource(Registry.java:737)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.load(Registry.java:611)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.findManagedBean(Registry.java:518)
Jul 15 16:19:31 linux.local server[863]: at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:641)

I can connect to apache http.
Tomcat shows running, but cannot get to the first hello page or the administration module. What'd I do wrong?
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to my tests in bug 23045, but the situation is as bad as Comment 13.

# systemctl start tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-07-25 15:10:44 CEST; 3s ago
 Main PID: 23292 (java)
    Tasks: 17 (limit: 4915)
   Memory: 52.2M
   CGroup: /system.slice/tomcat.service
           └─23292 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -c>

Jul 25 15:10:44 mach5.hviaene.thuis systemd[1]: Started Apache Tomcat Web Application Container.
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: Java virtual machine used: /usr/lib/jvm/jre/bin/java
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/>
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: main class used: org.apache.catalina.startup.Bootstrap
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: flags used: -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDa>
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: options used: -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share>
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: arguments used: start

# systemctl restart httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-07-25 15:10:59 CEST; 10s ago
 Main PID: 24634 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
    Tasks: 6 (limit: 4915)
   Memory: 23.4M
   CGroup: /system.slice/httpd.service
           ├─24634 /usr/sbin/httpd -DFOREGROUND
           ├─24637 /usr/sbin/httpd -DFOREGROUND
           ├─24638 /usr/sbin/httpd -DFOREGROUND
           ├─24639 /usr/sbin/httpd -DFOREGROUND
           ├─24640 /usr/sbin/httpd -DFOREGROUND
           └─24641 /usr/sbin/httpd -DFOREGROUND

Jul 25 15:10:58 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Jul 25 15:10:59 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

But when I try to access tomcat from the browser, I get "Unable to connect. Firefox can't establish a connection to the server at localhost:8080." while http://localhost says: it works.
No firewall active, but I can't get into port 8080 (tried telnet).
CC: (none) => herman.viaene
Thanks for confirming Herman.
Used at CLI:
# netstat -tulpn
Neither port 8080 nor tomcat is listed.
Keywords: (none) => feedback
Try with this one:

tomcat-9.0.37-1.2.mga7
tomcat-admin-webapps-9.0.37-1.2.mga7
tomcat-docs-webapp-9.0.37-1.2.mga7
tomcat-jsvc-9.0.37-1.2.mga7
tomcat-jsp-2.3-api-9.0.37-1.2.mga7
tomcat-lib-9.0.37-1.2.mga7
tomcat-servlet-4.0-api-9.0.37-1.2.mga7
tomcat-el-3.0-api-9.0.37-1.2.mga7
tomcat-webapps-9.0.37-1.2.mga7

from tomcat-9.0.37-1.2.mga7.src.rpm
uname -a
Linux linux.local 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 28 packages are going to be installed:
- apache-2.4.46-1.mga7.x86_64
- apache-commons-daemon-1.0.15-16.mga7.x86_64
- apache-mod_http2-2.4.46-1.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- glibc-devel-2.29-20.mga7.x86_64
- kernel-userspace-headers-5.7.14-1.mga7.x86_64
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr-util1_0-1.6.1-3.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64jemalloc2-5.2.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0l-1.1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- nghttp2-1.41.0-1.mga7.x86_64
- tomcat-9.0.37-1.2.mga7.noarch
- tomcat-admin-webapps-9.0.37-1.2.mga7.noarch
- tomcat-el-3.0-api-9.0.37-1.2.mga7.noarch
- tomcat-jsp-2.3-api-9.0.37-1.2.mga7.noarch
- tomcat-lib-9.0.37-1.2.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.37-1.2.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.37-1.2.mga7.noarch
- webserver-base-2.0-12.mga7.noarch

----- I edited the /etc/tomcat/tomcat-users.xml file and enabled the admin ID.
After they installed I went in and started services for httpd, tomcat:
# systemctl restart httpd
# systemctl restart tomcat
--- I was able to get into the administration module and navigate around looking at settings.

Works for me.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Advisory and package list in Comment 12.
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0331.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED