A security issue fixed upstream in Tomcat has been announced today (May 22): https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.74 The issue is fixed upstream in 9.0.74. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 9.0.74
Whiteboard: (none) => MGA8TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. (CVE-2023-28709)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28709
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.74
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.74-1.mga8
tomcat-admin-webapps-9.0.74-1.mga8
tomcat-docs-webapp-9.0.74-1.mga8
tomcat-el-3.0-api-9.0.74-1.mga8
tomcat-jsp-2.3-api-9.0.74-1.mga8
tomcat-lib-9.0.74-1.mga8
tomcat-servlet-4.0-api-9.0.74-1.mga8
tomcat-webapps-9.0.74-1.mga8

from SRPM:
tomcat-9.0.74-1.mga8.src.rpm
Version: Cauldron => 8
Status comment: Fixed upstream in 9.0.74 => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2023-28709
Whiteboard: MGA8TOO => (none)
Assignee: java => qa-bugs
Status: NEW => ASSIGNED
Source RPM: tomcat-9.0.73-2.mga9.src.rpm => tomcat-9.0.73-1.1.mga8.src.rpm
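The advisory above describes the CVE-2023-28709 condition in one sentence: with a non-default maxParameterCount, a request whose query string already carries exactly maxParameterCount parameters left the multipart part limit unenforced. The following is an added illustration of that off-by-one, not Tomcat's code and not part of the bug report: it models an "incomplete" budget calculation that treats a remaining budget of zero as "no limit", beside a corrected one that enforces the limit at every count. The limit value (4), the helper names and the constructed request are all assumptions chosen for the example.

```python
# Added model of the CVE-2023-28709 off-by-one described in the advisory.
# This is illustrative code, not Tomcat's implementation.
from urllib.parse import parse_qsl

MAX_PARAMETER_COUNT = 4  # assumed: a small, non-default connector limit for illustration


class TooManyParameters(Exception):
    """Raised when a request exceeds the parameter/part budget."""


def part_budget_incomplete(max_parameter_count, query_param_count):
    """Part budget under the incomplete fix (model).

    The budget is the connector limit minus the parameters already taken
    from the query string. The off-by-one: a remaining budget of zero is
    mistaken for 'no limit configured', so supplying exactly
    max_parameter_count query parameters disables the part limit entirely.
    Returns None to mean 'unlimited'.
    """
    remaining = max_parameter_count - query_param_count
    if remaining > 0:
        return remaining
    return None


def part_budget_fixed(max_parameter_count, query_param_count):
    """Part budget with the limit enforced at every count (model).

    Zero remaining means zero parts allowed, never 'unlimited'.
    """
    return max(max_parameter_count - query_param_count, 0)


def parse_multipart_request(query_string, part_names, budget_fn,
                            max_parameter_count=MAX_PARAMETER_COUNT):
    """Parse a constructed request: count query-string parameters first,
    then admit multipart parts only while the budget allows.

    Returns the total number of parameters accepted, or raises
    TooManyParameters.
    """
    query_params = parse_qsl(query_string, keep_blank_values=True)
    if len(query_params) > max_parameter_count:
        raise TooManyParameters("query string alone exceeds maxParameterCount")
    budget = budget_fn(max_parameter_count, len(query_params))
    if budget is not None and len(part_names) > budget:
        raise TooManyParameters(
            f"{len(part_names)} parts exceed remaining budget {budget}")
    return len(query_params) + len(part_names)


def demo():
    """Run the edge case from the advisory against both budget functions.

    Returns (result_incomplete, result_fixed): an int (parameters accepted)
    or a 'rejected: ...' string.
    """
    # Constructed request: exactly MAX_PARAMETER_COUNT query parameters ...
    query = "a=1&b=2&c=3&d=4"
    # ... plus a flood of multipart parts that should never be accepted.
    parts = [f"file{i}" for i in range(1000)]
    results = []
    for budget_fn in (part_budget_incomplete, part_budget_fixed):
        try:
            results.append(parse_multipart_request(query, parts, budget_fn))
        except TooManyParameters as exc:
            results.append(f"rejected: {exc}")
    return tuple(results)


if __name__ == "__main__":
    incomplete, fixed = demo()
    print("incomplete fix:", incomplete)  # all 1000 parts accepted
    print("complete fix:  ", fixed)       # rejected: 1000 parts exceed remaining budget 0
```

With one fewer query parameter both variants behave identically (one part fits, two are rejected); the divergence appears only at exactly the limit, which is why the advisory stresses that the query string must reach maxParameterCount for the bypass to occur.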
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Start of tomcat.service OK, but I forgot to change the user rights. The system had in /etc/tomcat the file tomcat-users.xml.rpmsave, so I overwrote the new tomcat-users.xml with that one, then:

# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2023-05-26 11:16:21 CEST; 3s ago
   Main PID: 17181 (java)
      Tasks: 19 (limit: 4364)
     Memory: 37.5M
        CPU: 4.838s
     CGroup: /system.slice/tomcat.service
             └─17181 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSour>

May 26 11:16:21 mach7.hviaene.thuis systemd[1]: Started Apache Tomcat Web Application Container.
May 26 11:16:21 mach7.hviaene.thuis server[17181]: Java virtual machine used: /usr/lib/jvm/jre/bin/java
May 26 11:16:21 mach7.hviaene.thuis server[17181]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/t>

Then I could access http://localhost:8080/sample and http://localhost:8080 and log into the 'manager app' with the credentials just configured with the manager-gui role. That opens OK.
So good to go.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0191.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED