Bug 28093 - tomcat new security issue CVE-2021-24122
Summary: tomcat new security issue CVE-2021-24122
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-01-14 18:43 CET by David Walser
Modified: 2021-02-08 18:59 CET
CC List: 4 users

See Also:
Source RPM: tomcat-9.0.39-1.mga7.src.rpm
CVE: CVE-2021-24122
Status comment:


Attachments

Description David Walser 2021-01-14 18:43:42 CET
Apache has issued an advisory today (January 14):
https://www.openwall.com/lists/oss-security/2021/01/14/1

The issue is fixed upstream in 9.0.40:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40

It only affects serving files from NTFS filesystems, so it's a minor issue.
Comment 1 David GEIGER 2021-01-25 07:44:35 CET
Done for mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2021-01-25 17:10:24 CET
Advisory:
========================

Updated tomcat package fixes security vulnerability:

When serving resources from a network location using the NTFS file system it
was possible to bypass security constraints and/or view the source code for
JSPs in some configurations. The root cause was the unexpected behaviour of the
JRE API File.getCanonicalPath() which in turn was caused by the inconsistent
behaviour of the Windows API (FindFirstFileW) in some circumstances
(CVE-2021-24122).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24122
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.39-1.1.mga7
tomcat-admin-webapps-9.0.39-1.1.mga7
tomcat-docs-webapp-9.0.39-1.1.mga7
tomcat-jsvc-9.0.39-1.1.mga7
tomcat-jsp-2.3-api-9.0.39-1.1.mga7
tomcat-lib-9.0.39-1.1.mga7
tomcat-servlet-4.0-api-9.0.39-1.1.mga7
tomcat-el-3.0-api-9.0.39-1.1.mga7
tomcat-webapps-9.0.39-1.1.mga7

from tomcat-9.0.39-1.1.mga7.src.rpm

Assignee: java => qa-bugs

Comment 3 Brian Rockwell 2021-02-06 03:33:26 CET
$ uname -a
Linux linux.local 5.10.12-desktop-1.mga7 #1 SMP Sat Jan 30 14:29:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 8 packages are going to be installed:

- tomcat-9.0.39-1.1.mga7.noarch
- tomcat-admin-webapps-9.0.39-1.1.mga7.noarch
- tomcat-docs-webapp-9.0.39-1.1.mga7.noarch
- tomcat-el-3.0-api-9.0.39-1.1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.39-1.1.mga7.noarch
- tomcat-lib-9.0.39-1.1.mga7.noarch
- tomcat-servlet-4.0-api-9.0.39-1.1.mga7.noarch
- tomcat-webapps-9.0.39-1.1.mga7.noarch
works as designed.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 4 Aurelien Oudelet 2021-02-06 16:54:19 CET
Validating.
Advisory pushed to SVN.

CVE: (none) => CVE-2021-24122
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 5 Aurelien Oudelet 2021-02-07 18:17:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0072.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 Mageia Robot 2021-02-08 18:59:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0072.html
