Apache has issued advisories today (March 1):
https://www.openwall.com/lists/oss-security/2021/03/01/1
https://www.openwall.com/lists/oss-security/2021/03/01/2

The issues are fixed upstream in 9.0.43:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43

Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 9.0.43
Fixed in mga7/8:

src:
- tomcat-9.0.39-1.2.mga7
- tomcat-9.0.41-1.1.mga8

cauldron fix in progress, no need to retain this security update
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
CC: (none) => mageia
Assignee: java => qa-bugs
Status comment: Fixed upstream in 9.0.43 => (none)
Package list:

Mageia 7:
tomcat-9.0.39-1.2.mga7
tomcat-admin-webapps-9.0.39-1.2.mga7
tomcat-docs-webapp-9.0.39-1.2.mga7
tomcat-jsvc-9.0.39-1.2.mga7
tomcat-jsp-2.3-api-9.0.39-1.2.mga7
tomcat-lib-9.0.39-1.2.mga7
tomcat-servlet-4.0-api-9.0.39-1.2.mga7
tomcat-el-3.0-api-9.0.39-1.2.mga7
tomcat-webapps-9.0.39-1.2.mga7

Mageia 8:
tomcat-9.0.41-1.1.mga8
tomcat-servlet-4.0-api-9.0.41-1.1.mga8
tomcat-webapps-9.0.41-1.1.mga8
tomcat-admin-webapps-9.0.41-1.1.mga8
tomcat-el-3.0-api-9.0.41-1.1.mga8
tomcat-jsp-2.3-api-9.0.41-1.1.mga8
tomcat-jsvc-9.0.41-1.1.mga8
tomcat-lib-9.0.41-1.1.mga8
tomcat-docs-webapp-9.0.41-1.1.mga8
Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

When responding to new h2c connection requests, Apache Tomcat versions 9.0.0.M1 to 9.0.41 could duplicate request headers and a limited amount of request body from one request to another, meaning user A and user B could both see the results of user A's request (CVE-2021-25122).

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 9.0.0.M1 to 9.0.41 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484 (CVE-2021-25329).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25329
https://www.openwall.com/lists/oss-security/2021/03/01/1
https://www.openwall.com/lists/oss-security/2021/03/01/2
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
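A practical wrinkle with this advisory is that Mageia backports the fix without bumping the upstream version: the fixed mga8 package still reports "Server number: 9.0.41.0", which sits inside the affected range (9.0.0.M1 through 9.0.41). The script below is an added example, not code from the bug report or from the Tomcat or Mageia projects. It parses upstream Tomcat version strings (including the M1 milestone form), checks them against the advisory's range, pulls the "Server number" field from `tomcat version` output, and then compares an `rpm -q tomcat` result against the first fixed Mageia release quoted in this thread (9.0.39-1.2.mga7, 9.0.41-1.1.mga8) using a simplified rpm version comparison. The sample `tomcat version` output is constructed from the test report later in the thread; the release "1.mga8" used as a pre-fix example is hypothetical.

```python
"""Added example (not from the bug report or the Tomcat/Mageia projects):
is a Tomcat install inside the range named for CVE-2021-25122 and
CVE-2021-25329 (9.0.0.M1 through 9.0.41, fixed upstream in 9.0.43), and why
the upstream version string alone is not enough on Mageia, where the fix was
backported without changing it.
"""
import re
from typing import Tuple

AFFECTED_FIRST = "9.0.0.M1"
AFFECTED_LAST = "9.0.41"
UPSTREAM_FIXED = "9.0.43"

# First release of each Mageia branch carrying the backported fix, as quoted
# in the thread (the mga8 package was later rebuilt as 1.2.mga8 for another
# bug; a later release is also fixed).
MAGEIA_FIXED = {"mga7": ("9.0.39", "1.2.mga7"), "mga8": ("9.0.41", "1.1.mga8")}

# Constructed from the `tomcat version` output quoted in the mga8 test report.
SAMPLE_VERSION_OUTPUT = """\
Server version: Apache Tomcat/9.0.41
Server built:   Jun 1 2021 05:47:11 UTC
Server number:  9.0.41.0
OS Name:        Linux
"""


def parse_tomcat_version(s: str) -> Tuple[int, int, int, int]:
    """Turn '9.0.41', '9.0.41.0' or '9.0.0.M1' into a sortable tuple.

    A milestone (M1, M2, ...) sorts before the final release with the same
    number, so a final release gets a large fourth component. The trailing
    build number in 'Server number' (9.0.41.0) does not affect ordering."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+)|\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone, _build = m.groups()
    rank = int(milestone) if milestone is not None else 10**6
    return (int(major), int(minor), int(patch), rank)


def upstream_affected(version: str) -> bool:
    """True if an upstream Tomcat version lies in the advisory's affected range."""
    v = parse_tomcat_version(version)
    return parse_tomcat_version(AFFECTED_FIRST) <= v <= parse_tomcat_version(AFFECTED_LAST)


def server_number(version_output: str) -> str:
    """Pull the 'Server number' field out of `tomcat version` output."""
    for line in version_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Server number":
            return value.strip()
    raise ValueError("no 'Server number' line in output")


def _segments(s: str):
    # Split into alternating numeric and alphabetic runs, as rpm does.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare segment by segment; a numeric segment
    sorts above an alphabetic one; the longer string wins a tie."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def mageia_package_fixed(nevr: str) -> bool:
    """True if an `rpm -q tomcat` result such as 'tomcat-9.0.41-1.2.mga8' is
    at or beyond the release in which Mageia shipped the backported fix."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)", nevr.strip())
    if not m:
        raise ValueError(f"not a name-version-release string: {nevr!r}")
    _name, version, release = m.groups()
    dist = release.rsplit(".", 1)[-1]  # 'mga7' / 'mga8'
    if dist not in MAGEIA_FIXED:
        raise ValueError(f"no fixed release known for {dist!r}")
    fixed_version, fixed_release = MAGEIA_FIXED[dist]
    c = rpm_vercmp(version, fixed_version)
    return c > 0 or (c == 0 and rpm_vercmp(release, fixed_release) >= 0)


if __name__ == "__main__":
    num = server_number(SAMPLE_VERSION_OUTPUT)
    # The upstream number says "affected" ...
    print(num, "upstream affected:", upstream_affected(num))
    # ... but the distro package release says the fix is in.
    print("tomcat-9.0.41-1.2.mga8 fixed:", mageia_package_fixed("tomcat-9.0.41-1.2.mga8"))
```

The point of the two checks side by side: a scanner that keys only on the banner or "Server number" will keep flagging the patched Mageia package, so on a distro with backports the package NEVR is the thing to verify.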
The following 12 packages are going to be installed:
- apache-commons-daemon-jsvc-1.0.15-16.mga7.x86_64
- tomcat-9.0.39-1.2.mga7.noarch
- tomcat-admin-webapps-9.0.39-1.2.mga7.noarch
- tomcat-docs-webapp-9.0.39-1.2.mga7.noarch
- tomcat-el-3.0-api-9.0.39-1.2.mga7.noarch
- tomcat-jsp-2.3-api-9.0.39-1.2.mga7.noarch
- tomcat-jsvc-9.0.39-1.2.mga7.noarch
- tomcat-lib-9.0.39-1.2.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.39-1.2.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.39-1.2.mga7.noarch

I think you have a configuration issue:

Mar 05 10:36:16 linux.local server[3988]: 05-Mar-2021 10:36:16.324 SEVERE [Catalina-utility-1] org.apache.catalina.users.MemoryUserDatabase.open The specified user database [conf/tomcat-users.xml] could not be found

In the past this has been sitting in /etc/tomcat/tomcat-users.xml
CC: (none) => brtians1
Keywords: (none) => feedback
is anyone going to look at this?
Debian has issued an advisory for this on April 13: https://www.debian.org/security/2021/dsa-4891
Status comment: (none) => Configuration file possibly missing from package
Keywords: feedback => (none)
Assignee: qa-bugs => mageia
openSUSE has issued an advisory for this on April 2: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YM4ON24PW3U3JLLUNZBOOTDHDHK3EYVO/
CC: (none) => geiger.david68210
Depends on: (none) => 29044
David, can you have a look at the issue in Comment 4?

Just noting that the Mageia 8 update has been rebuilt for Bug 29044, so is now:
tomcat-servlet-4.0-api-9.0.41-1.2.mga8
tomcat-webapps-9.0.41-1.2.mga8
tomcat-9.0.41-1.2.mga8
tomcat-admin-webapps-9.0.41-1.2.mga8
tomcat-el-3.0-api-9.0.41-1.2.mga8
tomcat-jsp-2.3-api-9.0.41-1.2.mga8
tomcat-jsvc-9.0.41-1.2.mga8
tomcat-lib-9.0.41-1.2.mga8
tomcat-docs-webapp-9.0.41-1.2.mga8

from tomcat-9.0.41-1.2.mga8.src.rpm
I can see:

%attr(0640,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml

in the spec file for Mageia 7.
Status comment: Configuration file possibly missing from package => (none)
Assignee: mageia => qa-bugs
Mageia 8 X64 KDE

Need to install those packages before: ecj, apache-commons-daemons (installed from stable repo).

No installation issues.

$ rpm -q tomcat
tomcat-9.0.41-1.2.mga8

$ sudo /usr/sbin/tomcat version
Server version: Apache Tomcat/9.0.41
Server built:   Jun 1 2021 05:47:11 UTC
Server number:  9.0.41.0
OS Name:        Linux
OS Version:     5.10.41-desktop-1.mga8
Architecture:   amd64
JVM Version:    11.0.10-ea+1-LTS
JVM Vendor:     Mageia

$ urpmq -i --media "Core Updates Testing" tomcat
$MIRRORLIST: media/core/updates_testing/media_info/20210609-133429-info.xml.lzma
Name        : tomcat
Epoch       : 1
Version     : 9.0.41
Release     : 1.2.mga8
Group       : Development/Java
Size        : 327937
Architecture: noarch
Source RPM  : tomcat-9.0.41-1.2.mga8.src.rpm
URL         : http://tomcat.apache.org/
Summary     : Apache Servlet/JSP Engine, RI for Servlet 4.0/JSP 2.3 API
Description :
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world.

http://localhost:8080
HTTP Status 404 – Not Found
Type: Status Report
Description: The requested resource is not available.
Apache Tomcat/9.0.41
CC: (none) => hdetavernier
MGA7-64 Plasma on Lenovo B50

No installation issues.

Ref bug 23045 for testing; this update overwrites a previous one.

# systemctl start tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-06-15 21:03:02 CEST; 16s ago
 Main PID: 25546 (java)
    Tasks: 33 (limit: 4915)
   Memory: 242.7M
   CGroup: /system.slice/tomcat.service
           └─25546 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.>

Jun 15 21:03:08 mach5.hviaene.thuis server[25546]: 15-Jun-2021 21:03:08.487 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for>
Jun 15 21:03:08 mach5.hviaene.thuis server[25546]: 15-Jun-2021 21:03:08.489 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web appli>
Jun 15 21:03:08 mach5.hviaene.thuis server[25546]: 15-Jun-2021 21:03:08.489 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web applicati>
Jun 15 21:03:08 mach5.hviaene.thuis server[25546]: 15-Jun-2021 21:03:08.699 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for>
Jun 15 21:03:08 mach5.hviaene.thuis server[25546]: 15-Jun-2021 21:03:08.702 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web appli>
Jun 15 21:03:08 mach5.hviaene.thuis server[25546]: 15-Jun-2021 21:03:08.702 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web applicati>
Jun 15 21:03:09 mach5.hviaene.thuis server[25546]: 15-Jun-2021 21:03:09.048 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for>
Jun 15 21:03:09 mach5.hviaene.thuis server[25546]: 15-Jun-2021 21:03:09.091 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web appli>
Jun 15 21:03:09 mach5.hviaene.thuis server[25546]: 15-Jun-2021 21:03:09.097 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8>
Jun 15 21:03:09 mach5.hviaene.thuis server[25546]: 15-Jun-2021 21:03:09.121 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [2316] millisecon>
[root@mach5 ~]#

Then browse http://localhost:8080/sample and http://localhost:8080/examples and click the links. These work OK.

But on the "browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with manager-gui role" step, I keep getting authorization errors with the same reference to a non-existing file conf/tomcat-users.xml as in Comment 4.
CC: (none) => herman.viaene
Try uninstalling and reinstalling the package.
Uninstalled, with remark that this does not remove the /etc/tomcat folder, so removed it manually. Installed again, made usual changes to /etc/tomcat/tomcat-users.xml, then started the tomcat.service. Note that there is no conf folder. Result is exactly the same as above.
Hmm, what's the ownership and permissions on the file? If tomcat can read it, then maybe it's looking for it in the wrong place.
# ls -als /etc/tomcat/
total 260
  4 drwxr-xr-x   4 root tomcat   4096 Jun 16 13:31 ./
 12 drwxr-xr-x 162 root root    12288 Jun 17 13:58 ../
  4 drwxrwxr-x   3 root tomcat   4096 Jun 16 13:26 Catalina/
 16 -rw-r--r--   1 root tomcat  12873 Mar  2 09:57 catalina.policy
  8 -rw-r--r--   1 root tomcat   7262 Mar  2 09:57 catalina.properties
  4 drwxr-xr-x   2 root tomcat   4096 Jun 16 13:26 conf.d/
  4 -rw-r--r--   1 root tomcat   1400 Mar  2 09:57 context.xml
  4 -rw-rw-r--   1 root tomcat   1149 Mar  2 09:57 jaspic-providers.xml
  4 -rw-rw-r--   1 root tomcat   2313 Mar  2 09:57 jaspic-providers.xsd
  8 -rw-r--r--   1 root tomcat   4144 Mar  2 09:57 logging.properties
  8 -rw-r--r--   1 root tomcat   7588 Mar  2 09:57 server.xml
  4 -rw-r--r--   1 root tomcat   1828 Mar  2 09:57 tomcat.conf
  4 -rw-r-----   1 root tomcat   2558 Jun 16 13:31 tomcat-users.xml
  4 -rw-rw-r--   1 root tomcat   2558 Mar  2 09:57 tomcat-users.xsd
172 -rw-r--r--   1 root tomcat 172359 Mar  2 09:57 web.xml

I add the tomcat.conf file as an attachment, but I can't see anything that would make it look in the wrong direction.
Created attachment 12777 [details] tomcat conf file
Assigning back to Java team.
Assignee: qa-bugs => java
Status comment: (none) => Fails to load tomcat-users.xml
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/ Assigning back to QA, as Mageia 8 hasn't been tested yet.
Assignee: java => qa-bugs
Whiteboard: MGA7TOO => (none)
Status comment: Fails to load tomcat-users.xml => (none)
MGA8 - 64 Xfce

The following 21 packages are going to be installed:
- apache-commons-daemon-1.2.2-3.mga8.x86_64
- ecj-4.17-1.mga8.noarch
- glibc-2.32-17.mga8.x86_64
- glibc-devel-2.32-17.mga8.x86_64
- lib64apr-devel-1.7.0-3.mga8.x86_64
- lib64apr1_0-1.7.0-3.mga8.x86_64
- lib64openssl-devel-1.1.1k-1.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- libtool-2.4.6-13.mga8.x86_64
- libtool-base-2.4.6-13.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- tomcat-9.0.41-1.2.mga8.noarch
- tomcat-admin-webapps-9.0.41-1.2.mga8.noarch
- tomcat-docs-webapp-9.0.41-1.2.mga8.noarch
- tomcat-el-3.0-api-9.0.41-1.2.mga8.noarch
- tomcat-jsp-2.3-api-9.0.41-1.2.mga8.noarch
- tomcat-lib-9.0.41-1.2.mga8.noarch
- tomcat-native-1.2.26-1.mga8.x86_64
- tomcat-servlet-4.0-api-9.0.41-1.2.mga8.noarch
- tomcat-taglibs-standard-1.2.5-6.mga8.noarch
- tomcat-webapps-9.0.41-1.2.mga8.noarch

--- rebooted --

Restarted services; they came up successfully. Able to get to pages at 127.0.0.1:8080.

Went back and set up an admin user in /etc/tomcat/tomcat-users.xml and restarted the tomcat service:

# systemctl restart tomcat

I was able to get to the admin page. Things are working this time.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-25122 and CVE-2021-25329
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0357.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED