SUSE has issued an advisory today (March 3):
https://lists.suse.com/pipermail/sle-security-updates/2022-March/010339.html
The issue is fixed upstream in 9.0.58:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.58
Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 9.0.58
SUSE has issued an advisory on April 14:
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010734.html
It implements a security hardening from Tomcat 9.0.62:
https://bugzilla.suse.com/show_bug.cgi?id=1198136
Status comment: Fixed upstream in 9.0.58 => Fixed upstream in 9.0.62
Another security issue fixed upstream in Tomcat has been announced today (June 23), and another one was announced on May 16:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.65
The issues are fixed upstream in 9.0.65.
Summary: tomcat new security issue CVE-2022-23181 => tomcat new security issues CVE-2022-23181, CVE-2022-29885, CVE-2022-34305
Status comment: Fixed upstream in 9.0.62 => Fixed upstream in 9.0.65
Another security issue fixed upstream in Tomcat has been announced today (September 28):
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.62
The issue is fixed upstream in 9.0.62.
Summary: tomcat new security issues CVE-2022-23181, CVE-2022-29885, CVE-2022-34305 => tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305
Debian-LTS has issued an advisory for the first three CVEs on October 26: https://www.debian.org/lts/security/2022/dla-3160
(In reply to David Walser from comment #4)
> Debian-LTS has issued an advisory for the first three CVEs on October 26:
> https://www.debian.org/lts/security/2022/dla-3160
as has Debian on October 29:
https://www.debian.org/security/2022/dsa-5265
Another security issue fixed upstream in Tomcat has been announced on October 31:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.68
The issue is fixed upstream in 9.0.68.
Status comment: Fixed upstream in 9.0.65 => Fixed upstream in 9.0.68
Summary: tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305 => tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252
tomcat-9.0.68-1.mga9 uploaded for Cauldron by David Geiger.
Version: Cauldron => 8
CC: (none) => geiger.david68210
Whiteboard: MGA8TOO => (none)
Another security issue fixed upstream has been announced on January 3:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.69
The issue is fixed upstream in 9.0.69.
Status comment: Fixed upstream in 9.0.68 => Fixed upstream in 9.0.69
Summary: tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252 => tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
Another security issue fixed upstream has been announced on January 13:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.71
The issue is fixed upstream in 9.0.71.
Summary: tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143 => tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143, CVE-2023-24998
Status comment: Fixed upstream in 9.0.69 => Fixed upstream in 9.0.71
(In reply to David Walser from comment #9)
> Another security issue fixed upstream has been announced on January 13:
> https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.71
>
> The issue is fixed upstream in 9.0.71.
SUSE has issued an advisory for this on March 10:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014018.html
Another security issue fixed upstream has been announced on March 23:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.72
The issue is fixed upstream in 9.0.72.
Summary: tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143, CVE-2023-24998 => tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143, CVE-2023-24998, CVE-2023-28708
Status comment: Fixed upstream in 9.0.71 => Fixed upstream in 9.0.72
Done for both Cauldron and mga8 updating to latest 9.0.73 release!
tomcat-9.0.73-1.mga9 uploaded for Cauldron by David. Still awaiting freeze move.
Mageia 8 update:
tomcat-9.0.73-1.mga8
tomcat-servlet-4.0-api-9.0.73-1.mga8
tomcat-admin-webapps-9.0.73-1.mga8
tomcat-el-3.0-api-9.0.73-1.mga8
tomcat-webapps-9.0.73-1.mga8
tomcat-jsp-2.3-api-9.0.73-1.mga8
tomcat-lib-9.0.73-1.mga8
tomcat-docs-webapp-9.0.73-1.mga8
from tomcat-9.0.73-1.mga8.src.rpm
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
Assignee: java => sysadmin-bugs
(In reply to David Walser from comment #13)
> tomcat-9.0.73-1.mga9 uploaded for Cauldron by David. Still awaiting freeze
> move.
>
> Mageia 8 update:
> tomcat-9.0.73-1.mga8
> tomcat-servlet-4.0-api-9.0.73-1.mga8
> tomcat-admin-webapps-9.0.73-1.mga8
> tomcat-el-3.0-api-9.0.73-1.mga8
> tomcat-webapps-9.0.73-1.mga8
> tomcat-jsp-2.3-api-9.0.73-1.mga8
> tomcat-lib-9.0.73-1.mga8
> tomcat-docs-webapp-9.0.73-1.mga8
>
> from tomcat-9.0.73-1.mga8.src.rpm
Cauldron freeze move done.
Assignee: sysadmin-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 9.0.72 => (none)
Strange, previous updates also had a tomcat-jsvc?
CC: (none) => herman.viaene
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 28501 and bug 23045 for testing.
# systemctl start tomcat.service
[root@mach7 ~]# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2023-04-04 15:37:10 CEST; 16s ago
   Main PID: 5360 (java)
      Tasks: 20 (limit: 4364)
     Memory: 117.0M
        CPU: 21.557s
     CGroup: /system.slice/tomcat.service
             └─5360 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceF>
Apr 04 15:37:23 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:23.876 INFO [main] org.apache.catalina.core.Stand>
Apr 04 15:37:23 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:23.878 INFO [main] org.apache.catalina.core.Stand>
Apr 04 15:37:23 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:23.973 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:28 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:28.315 INFO [main] org.apache.jasper.servlet.TldS>
Apr 04 15:37:28 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:28.677 WARNING [main] org.apache.catalina.util.Se>
Apr 04 15:37:28 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:28.838 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:28 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:28.841 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:30 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:30.099 INFO [main] org.apache.jasper.servlet.TldS>
Apr 04 15:37:30 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:30.118 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:30 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:30.121 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:31 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:31.107 INFO [main] org.apache.jasper.servlet.TldS>
Apr 04 15:37:31 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:31.122 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:31 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:31.125 INFO [main] org.apache.catalina.startup.Ho>
Editing tomcat users and
# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2023-04-04 15:57:41 CEST; 5s ago
   Main PID: 6650 (java)
      Tasks: 20 (limit: 4364)
     Memory: 45.2M
        CPU: 9.371s
     CGroup: /system.slice/tomcat.service
             └─6650 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceF>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.327 INFO [main] org.apache.catalina.startup.Ve>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.328 INFO [main] org.apache.catalina.startup.Ve>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.329 INFO [main] org.apache.catalina.startup.Ve>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.341 INFO [main] org.apache.catalina.startup.Ve>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.361 INFO [main] org.apache.catalina.startup.Ve>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.380 INFO [main] org.apache.catalina.core.AprLi>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.382 INFO [main] org.apache.catalina.core.AprLi>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.384 INFO [main] org.apache.catalina.core.AprLi>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.386 INFO [main] org.apache.catalina.core.AprLi>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.406 INFO [main] org.apache.catalina.core.AprLi>
Then browse http://localhost:8080/sample and I get Error 404
But on the "browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with manager-gui role." And that opens OK.
Is missing tomcat-jsvc playing here???
Indeed, I see the package has been removed, but none of the other tomcat packages obsoleted it, so that would be an error: http://svnweb.mageia.org/packages/updates/8/tomcat/current/SPECS/tomcat.spec?r1=1950376&r2=1950375&pathrev=1950376
Keywords: (none) => feedback
Obsoletes/Provides properly added for Cauldron and mga8!
tomcat-9.0.73-1.1.mga8
tomcat-servlet-4.0-api-9.0.73-1.1.mga8
tomcat-admin-webapps-9.0.73-1.1.mga8
tomcat-el-3.0-api-9.0.73-1.1.mga8
tomcat-webapps-9.0.73-1.1.mga8
tomcat-jsp-2.3-api-9.0.73-1.1.mga8
tomcat-lib-9.0.73-1.1.mga8
tomcat-docs-webapp-9.0.73-1.1.mga8
from tomcat-9.0.73-1.1.mga8.src.rpm
Keywords: feedback => (none)
Retested and access to manager app works OK. Went hunting for the "sample" and found where and how in bug 8307 Comment 13. So all is OK now.
Whiteboard: (none) => MGA8-64-OK
Nice work, Herman! Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0138.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED