Apache has issued an advisory today (October 12): https://www.openwall.com/lists/oss-security/2020/10/12/1 The issue is fixed upstream in 9.0.38. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================
Updated tomcat packages fix security vulnerability:

If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources (CVE-2020-13943).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13943
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.38-1.mga7
tomcat-admin-webapps-9.0.38-1.mga7
tomcat-docs-webapp-9.0.38-1.mga7
tomcat-jsvc-9.0.38-1.mga7
tomcat-jsp-2.3-api-9.0.38-1.mga7
tomcat-lib-9.0.38-1.mga7
tomcat-servlet-4.0-api-9.0.38-1.mga7
tomcat-el-3.0-api-9.0.38-1.mga7
tomcat-webapps-9.0.38-1.mga7

from tomcat-9.0.38-1.mga7.src.rpm
Assignee: java => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
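A defender-side check for this advisory, added here and not part of the bug report or of Mageia's own tooling: it applies RPM-style label comparison to `rpm -qa 'tomcat*'` output and lists the tomcat packages still below the fixed 9.0.38-1.mga7. The sample output is constructed.

```python
import re
FIXED_VR = "9.0.38-1.mga7"  # fixed version-release from the advisory above

# Constructed sample of `rpm -qa 'tomcat*'` output (not a real host); the
# 9.0.36 entry is deliberately below the fixed version.
SAMPLE_RPM_QA = """\
tomcat-9.0.36-1.mga7.noarch
tomcat-lib-9.0.38-1.mga7.noarch
tomcat-admin-webapps-9.0.38-1.mga7.noarch
"""
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """rpmvercmp-style label compare: numeric segments numerically, alpha
    lexically, numeric beats alpha, '~' sorts lowest. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # common segments equal: the longer label wins unless its extra part is '~'
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]
    if rest_a:
        return -1 if rest_a[0] == "~" else 1
    if rest_b:
        return 1 if rest_b[0] == "~" else -1
    return 0

def compare_vr(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def vulnerable_tomcat_packages(rpm_qa_output: str) -> dict:
    """Map each installed tomcat* package still below FIXED_VR to its version-release."""
    found = {}
    for line in rpm_qa_output.splitlines():
        nevr = line.strip().rsplit(".", 1)[0]  # drop the .noarch / .x86_64 suffix
        name, ver, rel = nevr.rsplit("-", 2)   # package names may themselves contain '-'
        if compare_vr(f"{ver}-{rel}", FIXED_VR) < 0:
            found[name] = f"{ver}-{rel}"
    return found
```

On a real host, feed it the output of `rpm -qa 'tomcat*'`; an empty result means every installed tomcat package is at or above the advisory's fixed version.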
# uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 23 packages are going to be installed:
- apache-commons-daemon-1.0.15-16.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- glibc-devel-2.29-20.mga7.x86_64
- kernel-userspace-headers-5.7.19-3.mga7.x86_64
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0l-1.1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- tomcat-9.0.38-1.mga7.noarch
- tomcat-admin-webapps-9.0.38-1.mga7.noarch
- tomcat-docs-webapp-9.0.38-1.mga7.noarch
- tomcat-el-3.0-api-9.0.38-1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.38-1.mga7.noarch
- tomcat-lib-9.0.38-1.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.38-1.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.38-1.mga7.noarch
53MB of additional disk space will be used.
16MB of packages will be retrieved.
Is it ok to continue?
----
After install I went into services and set tomcat to start on boot and started the service.
- Went to 127.0.0.1:8080 and confirmed 9.0.38 is showing.
- Through the terminal went to /etc/tomcat and edited tomcat-users.xml as root - set up the following:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user name="brian" password="both" roles="tomcat,manager-gui"/>
</tomcat-users>
Restarted the service and confirmed I could get into the admin pages.

Works for me.
CC: (none) => brtians1
Thanks for testing this. Validating this. Advisory pushed to SVN.
CC: (none) => ouaurelien
Whiteboard: (none) => MGA7-64-OK
CVE: (none) => CVE-2020-13943
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0397.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED