Bug 27396 - tomcat new security issue CVE-2020-13943
Summary: tomcat new security issue CVE-2020-13943
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-13 01:10 CEST by David Walser
Modified: 2020-10-29 23:26 CET

See Also:
Source RPM: tomcat-9.0.37-3.mga8.src.rpm
CVE: CVE-2020-13943
Status comment:


Description David Walser 2020-10-13 01:10:25 CEST
Apache has issued an advisory today (October 12):
https://www.openwall.com/lists/oss-security/2020/10/12/1

The issue is fixed upstream in 9.0.38.

Mageia 7 is also affected.
David Walser 2020-10-13 01:10:35 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-10-13 12:25:47 CEST
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-10-13 14:47:20 CEST
Advisory:
========================

Updated tomcat packages fix security vulnerability:

If an HTTP/2 client exceeded the agreed maximum number of concurrent streams
for a connection (in violation of the HTTP/2 protocol), it was possible that a
subsequent request made on that connection could contain HTTP headers -
including HTTP/2 pseudo headers - from a previous request rather than the
intended headers. This could lead to users seeing responses for unexpected
resources (CVE-2020-13943).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13943
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.38-1.mga7
tomcat-admin-webapps-9.0.38-1.mga7
tomcat-docs-webapp-9.0.38-1.mga7
tomcat-jsvc-9.0.38-1.mga7
tomcat-jsp-2.3-api-9.0.38-1.mga7
tomcat-lib-9.0.38-1.mga7
tomcat-servlet-4.0-api-9.0.38-1.mga7
tomcat-el-3.0-api-9.0.38-1.mga7
tomcat-webapps-9.0.38-1.mga7

from tomcat-9.0.38-1.mga7.src.rpm

Assignee: java => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
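
The header bleed described in the advisory above, as a simplified model added here for illustration. This is constructed example code, not Tomcat's own code and not part of the original bug report: the class names, the "first occurrence wins" header lookup and the sample traffic (paths, cookies, a stream limit of 1) are all assumptions made for the demonstration. It shows only the effect the advisory describes, a client exceeding the agreed maximum number of concurrent streams leaving a later request on the same connection with the previous request's headers, not where that state lived inside Tomcat.

```python
"""Simplified model of the HTTP/2 header bleed described in CVE-2020-13943.

Constructed illustration, not Tomcat's own code. A client that opens more
streams than the agreed SETTINGS_MAX_CONCURRENT_STREAMS violates RFC 7540 and
the server refuses the extra stream with RST_STREAM(REFUSED_STREAM). The
vulnerable variant of this model refuses the stream but leaves the headers it
has already decoded for it in the connection's header buffer, so the next
request on that connection is dispatched with the stale headers (including
pseudo headers such as :path) in front of its own. The fixed variant clears
the buffer when it refuses the stream.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Header = Tuple[str, str]


@dataclass
class Dispatched:
    """A request as handed to the application layer."""
    stream_id: int
    headers: List[Header]

    def first(self, name: str) -> Optional[str]:
        # RFC 7540 requires pseudo headers to precede regular headers, so a
        # server naturally takes the first occurrence it finds (assumption of
        # this model).
        for n, v in self.headers:
            if n == name:
                return v
        return None


@dataclass
class Http2Connection:
    max_concurrent_streams: int
    fixed: bool                                  # True: drop buffered headers on refusal
    open_streams: Set[int] = field(default_factory=set)
    refused: List[int] = field(default_factory=list)
    dispatched: List[Dispatched] = field(default_factory=list)
    _buffer: List[Header] = field(default_factory=list)  # decoded, not yet dispatched

    def receive_headers(self, stream_id: int, block: List[Header]) -> None:
        """Handle a HEADERS frame (END_HEADERS set) opening a new client stream."""
        if stream_id % 2 == 0 or stream_id in self.open_streams:
            raise ValueError("client-initiated stream ids are odd and must be new")
        # The header block is HPACK-decoded even if the stream will be refused:
        # the decoder's dynamic table has to stay in sync with the client.
        self._buffer.extend(block)
        if len(self.open_streams) >= self.max_concurrent_streams:
            self.refused.append(stream_id)       # RST_STREAM(REFUSED_STREAM) goes back
            if self.fixed:
                self._buffer.clear()             # the fix: forget the refused request
            return                               # vulnerable: stale headers stay buffered
        self.open_streams.add(stream_id)
        self.dispatched.append(Dispatched(stream_id, list(self._buffer)))
        self._buffer.clear()

    def close(self, stream_id: int) -> None:
        """Stream finished (response sent / END_STREAM seen)."""
        self.open_streams.discard(stream_id)


def run_scenario(fixed: bool) -> Dict[int, Dict[str, Optional[str]]]:
    """Drive a misbehaving client against the model; return, per dispatched
    stream, the :path and cookie the server believed it received."""
    conn = Http2Connection(max_concurrent_streams=1, fixed=fixed)
    # Constructed traffic: stream 1 is a normal request.
    conn.receive_headers(1, [(":method", "GET"), (":path", "/public/index.html")])
    # Stream 3 is opened while stream 1 is still active, exceeding the limit of 1.
    conn.receive_headers(3, [(":method", "GET"), (":path", "/account/alice"),
                             ("cookie", "session=alice")])
    conn.close(1)
    # Stream 5 is a legitimate request that should be served /public/about.html.
    conn.receive_headers(5, [(":method", "GET"), (":path", "/public/about.html"),
                             ("cookie", "session=bob")])
    return {d.stream_id: {"path": d.first(":path"), "cookie": d.first("cookie")}
            for d in conn.dispatched}


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable", run_scenario(fixed))
```

Run stand-alone, the vulnerable variant reports stream 5 served for /account/alice with alice's cookie, which is the "responses for unexpected resources" outcome the advisory warns about; the fixed variant reports /public/about.html with bob's cookie. Note that the model also refuses stream 3 in both variants: refusing the over-limit stream is correct protocol behaviour, and the fix is only about not letting that refused request's headers outlive it.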

Comment 3 Brian Rockwell 2020-10-29 15:02:30 CET
# uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


The following 23 packages are going to be installed:

- apache-commons-daemon-1.0.15-16.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- glibc-devel-2.29-20.mga7.x86_64
- kernel-userspace-headers-5.7.19-3.mga7.x86_64
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0l-1.1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- tomcat-9.0.38-1.mga7.noarch
- tomcat-admin-webapps-9.0.38-1.mga7.noarch
- tomcat-docs-webapp-9.0.38-1.mga7.noarch
- tomcat-el-3.0-api-9.0.38-1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.38-1.mga7.noarch
- tomcat-lib-9.0.38-1.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.38-1.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.38-1.mga7.noarch

53MB of additional disk space will be used.

16MB of packages will be retrieved.

Is it ok to continue?


----

After the install I went into Services, set tomcat to start on boot and started the service.

- Went to 127.0.0.1:8080 and confirmed 9.0.38 is showing.
- Through a terminal, went to /etc/tomcat and edited tomcat-users.xml as root.
- Set up the following:

<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user name="brian" password="both" roles="tomcat,manager-gui"/>
</tomcat-users>

Restarted the service and confirmed I could get into the admin pages.

Works for me.

CC: (none) => brtians1

Comment 4 Aurelien Oudelet 2020-10-29 20:57:36 CET
Thanks for testing this.
Validating this.
Advisory pushed to SVN.

CC: (none) => ouaurelien

Aurelien Oudelet 2020-10-29 21:01:23 CET

Whiteboard: (none) => MGA7-64-OK
CVE: (none) => CVE-2020-13943
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2020-10-29 23:26:27 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0397.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

