Bug 27396 - tomcat new security issue CVE-2020-13943
Summary: tomcat new security issue CVE-2020-13943
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-13 01:10 CEST by David Walser
Modified: 2020-10-13 14:47 CEST
1 user

See Also:
Source RPM: tomcat-9.0.37-3.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2020-10-13 01:10:25 CEST
Apache has issued an advisory today (October 12):
https://www.openwall.com/lists/oss-security/2020/10/12/1

The issue is fixed upstream in 9.0.38.

Mageia 7 is also affected.
David Walser 2020-10-13 01:10:35 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-10-13 12:25:47 CEST
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-10-13 14:47:20 CEST
Advisory:
========================

Updated tomcat packages fix security vulnerability:

If an HTTP/2 client exceeded the agreed maximum number of concurrent streams
for a connection (in violation of the HTTP/2 protocol), it was possible that a
subsequent request made on that connection could contain HTTP headers -
including HTTP/2 pseudo headers - from a previous request rather than the
intended headers. This could lead to users seeing responses for unexpected
resources (CVE-2020-13943).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13943
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.38-1.mga7
tomcat-admin-webapps-9.0.38-1.mga7
tomcat-docs-webapp-9.0.38-1.mga7
tomcat-jsvc-9.0.38-1.mga7
tomcat-jsp-2.3-api-9.0.38-1.mga7
tomcat-lib-9.0.38-1.mga7
tomcat-servlet-4.0-api-9.0.38-1.mga7
tomcat-el-3.0-api-9.0.38-1.mga7
tomcat-webapps-9.0.38-1.mga7

from tomcat-9.0.38-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: java => qa-bugs
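The fix for CVE-2020-13943 is purely a package update, so the practical check for an administrator is whether every installed tomcat subpackage is at or above the fixed version-release listed above (9.0.38-1.mga7). The following Python script is an added example and is not part of this bug report or of Mageia's packaging; it re-implements rpm's version-segment comparison (rpmvercmp) so it can be run offline, and the "installed" package list it scans is constructed sample output in the shape of `rpm -qa 'tomcat*'`, not taken from a real host. It assumes the packages carry no epoch, which holds for the names listed in the advisory.

```python
import re

# First fixed version-release for Mageia 7, from the advisory above.
FIXED_VR = ("9.0.38", "1.mga7")

# Constructed sample of `rpm -qa 'tomcat*'` output (not from a real system):
# two packages still at the vulnerable 9.0.37 build, two already updated.
SAMPLE_RPM_QA = """\
tomcat-9.0.37-3.mga7
tomcat-lib-9.0.37-3.mga7
tomcat-webapps-9.0.38-1.mga7
tomcat-servlet-4.0-api-9.0.38-1.mga7
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings like rpm does.

    Strings are split into numeric, alphabetic and '~' segments. Numeric
    segments compare as integers, alphabetic ones lexically, a numeric
    segment beats an alphabetic one, a '~' sorts before anything (so
    9.0.38~rc1 < 9.0.38), and otherwise the string with more segments
    is newer (so 9.0.38rc1 > 9.0.38). Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    ta = re.findall(r"[0-9]+|[A-Za-z]+|~", a)
    tb = re.findall(r"[0-9]+|[A-Za-z]+|~", b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != "~":      # only b has the tilde here: b is older
                return 1
            if y != "~":      # only a has the tilde here: a is older
                return -1
            continue
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(ta) == len(tb):
        return 0
    a_longer = len(ta) > len(tb)
    rest = (ta if a_longer else tb)[min(len(ta), len(tb))]
    if rest == "~":           # trailing '~' means the longer one is older
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def evr_cmp(vr_a, vr_b) -> int:
    """Compare (version, release) tuples; version decides unless equal."""
    c = rpmvercmp(vr_a[0], vr_b[0])
    return c if c else rpmvercmp(vr_a[1], vr_b[1])


def split_nvr(nvr: str):
    """'tomcat-servlet-4.0-api-9.0.38-1.mga7' -> (name, version, release).
    Assumes no epoch prefix, as for the packages listed in the advisory."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vulnerable_packages(rpm_qa_output: str, fixed_vr=FIXED_VR):
    """Return the names of tomcat packages older than the fixed build."""
    found = []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line.startswith("tomcat"):
            continue
        name, version, release = split_nvr(line)
        if evr_cmp((version, release), fixed_vr) < 0:
            found.append(name)
    return found


if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_RPM_QA):
        print(f"{pkg}: older than {FIXED_VR[0]}-{FIXED_VR[1]}, still affected")
```

On a real Mageia 7 host, feed the script the actual output of `rpm -qa 'tomcat*'` instead of the constructed sample; an empty result means every installed subpackage is at or beyond 9.0.38-1.mga7.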