Debian has issued an advisory today (August 10): https://www.debian.org/security/2021/dsa-4952 The issues are fixed upstream in 9.0.48: http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.48 Mageia 8 is also affected.
CC: (none) => geiger.david68210
Status comment: (none) => Fixed upstream in 9.0.48
Whiteboard: (none) => MGA8TOO
There was also an issue fixed upstream in 9.0.44: http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.44 which was announced on September 15: https://www.openwall.com/lists/oss-security/2021/09/15/6 Only Mageia 8 is affected by this issue.
Severity: major => critical
Summary: tomcat new security issues CVE-2021-30640 and CVE-2021-33037 => tomcat new security issues CVE-2021-30640, CVE-2021-33037, CVE-2021-41079
There was also an issue fixed upstream in 9.0.54: http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.54 which was announced on October 14: https://www.openwall.com/lists/oss-security/2021/10/14/1
Status comment: Fixed upstream in 9.0.48 => Fixed upstream in 9.0.54
CC: (none) => nicolas.salguero
Summary: tomcat new security issues CVE-2021-30640, CVE-2021-33037, CVE-2021-41079 => tomcat new security issues CVE-2021-30640, CVE-2021-33037, CVE-2021-41079, CVE-2021-42340
Debian has issued an advisory for two of these issues on October 14: https://www.debian.org/security/2021/dsa-4986
CC: (none) => mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. (CVE-2021-30640)

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding. (CVE-2021-33037)

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service. (CVE-2021-41079)

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. (CVE-2021-42340)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340
https://www.debian.org/security/2021/dsa-4952
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.48
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.44
https://www.openwall.com/lists/oss-security/2021/09/15/6
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.54
https://www.openwall.com/lists/oss-security/2021/10/14/1
https://www.debian.org/security/2021/dsa-4986
========================

Updated packages in core/updates_testing:
========================
tomcat-servlet-4.0-api-9.0.54-1.mga8
tomcat-webapps-9.0.54-1.mga8
tomcat-9.0.54-1.mga8
tomcat-admin-webapps-9.0.54-1.mga8
tomcat-el-3.0-api-9.0.54-1.mga8
tomcat-jsvc-9.0.54-1.mga8
tomcat-jsp-2.3-api-9.0.54-1.mga8
tomcat-lib-9.0.54-1.mga8
tomcat-docs-webapp-9.0.54-1.mga8

from SRPM:
tomcat-9.0.54-1.mga8.src.rpm
Assignee: java => qa-bugs
Source RPM: tomcat-9.0.45-1.mga9.src.rpm => tomcat-9.0.41-1.2.mga8.src.rpm
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 9.0.54 => (none)
CVE: (none) => CVE-2021-30640, CVE-2021-33037, CVE-2021-41079, CVE-2021-42340
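The CVE-2021-33037 text in the suggested advisory lists three Transfer-Encoding parsing behaviours that let a reverse proxy and the back end disagree on where a request body ends. The following is an added example, not part of this bug report and not Tomcat's or Mageia's code: a strict body-framing decision that rejects each of those three request shapes instead of guessing. It assumes the RFC 7230 section 3.3.3 framing rules; the exact conditions Tomcat tested before and after the fix are not described on this page beyond the three points above, so treating "silently ignore Transfer-Encoding" as "reject the request" is this example's own policy. The sample requests are constructed, not captured traffic.

```python
"""Strict HTTP/1.1 body-framing decision (added example, not Tomcat code).

A proxy and a back end must pick the same body length for every request.
The advisory's three cases (TE ignored for a client that only accepts an
HTTP/1.0 response, "identity" honoured, "chunked" not required to be final)
are each a way to make them pick different lengths, which is what request
smuggling needs. The rules below reject all three (assumed policy, RFC 7230
section 3.3.3).
"""

SAFE_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


def parse_request_head(raw: bytes):
    """Split a raw request into (version, [(lower-name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version = lines[0].rsplit(" ", 1)[-1]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return version, headers, body


def decide_framing(raw: bytes):
    """Return ("chunked", None), ("content-length", n), ("none", 0) or
    ("reject", reason). A server answers "reject" with 400 and closes the
    connection so nothing left in the buffer is parsed as a new request."""
    version, headers, _ = parse_request_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]

    if te:
        # A present TE header must either govern framing or fail the request;
        # silently ignoring it (the HTTP/1.0 case in the advisory) is what
        # lets the proxy and the back end read different body lengths.
        if version != "HTTP/1.1":
            return ("reject", "Transfer-Encoding on a non-HTTP/1.1 request")
        codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
        if "identity" in codings:
            # RFC 7230 dropped "identity"; a proxy that does not know it may
            # frame the message by Content-Length or as chunked instead.
            return ("reject", "identity transfer-coding")
        if codings.count("chunked") != 1 or codings[-1] != "chunked":
            # Chunked must be last (and once) so the body end is unambiguous;
            # "chunked, gzip" leaves no way to locate the final chunk.
            return ("reject", "chunked is not the sole final transfer-coding")
        unknown = [c for c in codings if c not in SAFE_CODINGS]
        if unknown:
            return ("reject", "unsupported transfer-coding %s" % unknown[0])
        if cl:
            # RFC 7230 lets TE win over CL, but treating the pair as an error
            # removes the classic CL.TE / TE.CL desync entirely.
            return ("reject", "both Transfer-Encoding and Content-Length")
        return ("chunked", None)

    if cl:
        # Several Content-Length headers are acceptable only when identical.
        if len(set(cl)) != 1 or not cl[0].isdigit():
            return ("reject", "invalid or conflicting Content-Length")
        return ("content-length", int(cl[0]))
    return ("none", 0)


# Constructed sample requests (not captured traffic). "te_and_cl" is the
# shape of a smuggling probe: a proxy that honours TE forwards the whole
# body as one chunked request, while a back end that used CL=6 would start
# a second request at "GET /admin".
SAMPLES = {
    "te_and_cl": (b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 6\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"),
    "identity": b"POST / HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: identity\r\n\r\nabc",
    "chunked_not_last": b"POST / HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked, gzip\r\n\r\n0\r\n\r\n",
    "http10_te": b"POST / HTTP/1.0\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "good_chunked": b"POST / HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n",
    "good_cl": b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 3\r\n\r\nabc",
    "no_body": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
}


def classify_all():
    """Run every sample through decide_framing; returns {name: decision kind}."""
    return {name: decide_framing(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-17s -> %s" % (name, decide_framing(raw)))
```

The point to take from the samples is that the first four are all answered with a 400 and a closed connection; the fix is not to pick the "right" one of two framings but to refuse any request where two compliant parsers could pick differently.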
MGA8-64, Gnome (doesn't matter)

# uname -a
Linux localhost 5.10.70-desktop-1.mga8 #1 SMP Thu Sep 30 09:41:26 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

- apache-commons-daemon-1.2.2-3.mga8.x86_64
- ecj-4.17-1.mga8.noarch
- lib64apr-devel-1.7.0-3.2.mga8.x86_64
- lib64apr1_0-1.7.0-3.2.mga8.x86_64
- lib64openssl-devel-1.1.1l-1.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- libtool-2.4.6-13.mga8.x86_64
- libtool-base-2.4.6-13.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- tomcat-9.0.54-1.mga8.noarch
- tomcat-admin-webapps-9.0.54-1.mga8.noarch
- tomcat-el-3.0-api-9.0.54-1.mga8.noarch
- tomcat-jsp-2.3-api-9.0.54-1.mga8.noarch
- tomcat-lib-9.0.54-1.mga8.noarch
- tomcat-native-1.2.26-1.mga8.x86_64
- tomcat-servlet-4.0-api-9.0.54-1.mga8.noarch

---
Edited /etc/tomcat/tomcat-users.xml and enabled the manager user account. I was able to get to the Tomcat Web Application Manager page. The system appears to be working.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => brtians1
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0485.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED