A security issue fixed upstream in Tomcat has been announced today (May 22):
The issue is fixed upstream in 9.0.74.
Mageia 8 is also affected.
The updated packages fix a security vulnerability:
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. (CVE-2023-28709)
Updated packages in core/updates_testing:
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Start tomcat-service OK, but forgot to change the user rights.
The system had in /etc/tomcat the file tomcat-users.xml.rpmsave, so overwrote the new tomcat-users.xml with that one, then
# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2023-05-26 11:16:21 CEST; 3s ago
Main PID: 17181 (java)
Tasks: 19 (limit: 4364)
└─17181 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSour>
May 26 11:16:21 mach7.hviaene.thuis systemd: Started Apache Tomcat Web Application Container.
May 26 11:16:21 mach7.hviaene.thuis server: Java virtual machine used: /usr/lib/jvm/jre/bin/java
May 26 11:16:21 mach7.hviaene.thuis server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/t>
Then I could access http://localhost:8080/sample and http://localhost:8080 and log into the 'manager app' with the credentials just configured with manager-gui role. That opens OK.
So good to go.
Validating. Advisory in comment 1.
An update for this issue has been pushed to the Mageia Updates repository.