Apache has issued an advisory on December 3: https://www.openwall.com/lists/oss-security/2020/12/03/3 The issue is fixed upstream in 9.0.40. Mageia 7 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA7TOO
Fedora has issued an advisory for this today (December 5): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VLNRDHJJDZSUJSOSLSHLENY4YUFCYK46/
Fixed for Cauldron but doesn't build on mga7!
tomcat-9.0.40-1.mga8 uploaded for Cauldron.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Build error log for mga7: http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20201206091407.daviddavid.duvel.11996/log/tomcat-9.0.40-1.mga7/build.0.20201206091522.log
I wonder if 9.0.41 fixes it: http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.41_(markt)
Fedora has updated to 9.0.41 today (December 18): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VRAVUNRYP2U5HRU5ERC73MBPM32WA5TF/
Patched package uploaded for Mageia 7 by David.

Advisory:
========================

Updated tomcat packages fix security vulnerability:

While investigating Apache issue 64830 it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests (CVE-2020-17527).

The tomcat package has been updated to version 9.0.39, and patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17527
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.39-1.mga7
tomcat-admin-webapps-9.0.39-1.mga7
tomcat-docs-webapp-9.0.39-1.mga7
tomcat-jsvc-9.0.39-1.mga7
tomcat-jsp-2.3-api-9.0.39-1.mga7
tomcat-lib-9.0.39-1.mga7
tomcat-servlet-4.0-api-9.0.39-1.mga7
tomcat-el-3.0-api-9.0.39-1.mga7
tomcat-webapps-9.0.39-1.mga7

from tomcat-9.0.39-1.mga7.src.rpm
Assignee: java => qa-bugs
# uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 20 packages are going to be installed:
- apache-commons-daemon-1.0.15-16.mga7.x86_64
- apache-commons-daemon-jsvc-1.0.15-16.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0l-1.2.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- tomcat-9.0.39-1.mga7.noarch
- tomcat-admin-webapps-9.0.39-1.mga7.noarch
- tomcat-docs-webapp-9.0.39-1.mga7.noarch
- tomcat-el-3.0-api-9.0.39-1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.39-1.mga7.noarch
- tomcat-jsvc-9.0.39-1.mga7.noarch
- tomcat-lib-9.0.39-1.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.39-1.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.39-1.mga7.noarch
30MB of additional disk space will be used.
13MB of packages will be retrieved.

--- Updated tomcat-users.xml and restarted the services.
--- Able to work in the admin module without issues. Works as designed.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1
Validating. Advisory in Comment 7.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory pushed to SVN.
CVE: (none) => CVE-2020-17527
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0020.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED