Hi,

Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2023/10/10/9
https://www.openwall.com/lists/oss-security/2023/10/10/10

They are fixed in version 9.0.81.

Mageia 8 and 9 are also affected.

Best regards,

Nico.
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 9.0.81
Source RPM: (none) => tomcat-9.0.74-2.mga9.src.rpm
The registered maintainer for tomcat has been superseded by others. Assigning this to DavidG who does most updates for this pkg, the other relevant person NicolaS is already CC'd.
Assignee: bugsquad => geiger.david68210
Version 9.0.82 was released on October 11 and fixes some regressions.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. (CVE-2023-42795)

Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. (CVE-2023-45648)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45648
https://www.openwall.com/lists/oss-security/2023/10/10/9
https://www.openwall.com/lists/oss-security/2023/10/10/10
========================

Updated packages in {8|9}/core/updates_testing:
========================
tomcat-9.0.82-1.mga{8|9}
tomcat-admin-webapps-9.0.82-1.mga{8|9}
tomcat-docs-webapp-9.0.82-1.mga{8|9}
tomcat-el-3.0-api-9.0.82-1.mga{8|9}
tomcat-jsp-2.3-api-9.0.82-1.mga{8|9}
tomcat-lib-9.0.82-1.mga{8|9}
tomcat-servlet-4.0-api-9.0.82-1.mga{8|9}
tomcat-webapps-9.0.82-1.mga{8|9}

from SRPM:
tomcat-9.0.82-1.mga{8|9}
Assignee: geiger.david68210 => qa-bugs
Whiteboard: (none) => MGA8TOO
Version: Cauldron => 9
Status comment: Fixed upstream in 9.0.81 => (none)
Status: NEW => ASSIGNED
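The second CVE in the advisory above turns on how strictly the trailer section of a chunked request is parsed: if a malformed trailer line is tolerated, the server and the reverse proxy in front of it can disagree about where one request ends and the next begins. As an added illustration (example code written for this thread, not Tomcat's parser and not the code the upstream fix changed), here is a Python parser for the chunked body of an HTTP/1.1 message that accepts only well-formed trailer field lines and refuses framing or routing fields in the trailer, as RFC 9110 section 6.5.1 requires. The function names and the sample messages are constructed for the example.

```python
import re

# RFC 9110 'tchar' set: the only characters allowed in a field name.
_TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_HEX_RE = re.compile(rb"^[0-9A-Fa-f]+$")

# Fields that frame, route or authenticate a message. RFC 9110 section 6.5.1
# forbids them in a trailer section, so a strict parser rejects them instead of
# letting a trailer rewrite the message boundary it has already committed to.
FORBIDDEN_TRAILER_FIELDS = {
    b"transfer-encoding", b"content-length", b"host", b"trailer",
    b"content-type", b"content-encoding", b"content-range",
    b"authorization", b"cookie", b"set-cookie",
}


class MalformedTrailer(ValueError):
    """Raised when the trailer section is not a sequence of valid field lines."""


def parse_chunked_body(data: bytes):
    """Parse one HTTP/1.1 chunked body (chunks plus trailer section) from `data`.

    Returns (body, trailers, leftover). `leftover` is every byte after the CRLF
    that terminates the trailer section, so the caller knows exactly where this
    message ended; anything ambiguous raises instead of being guessed at.
    """
    pos = 0
    body = bytearray()
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("incomplete chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0]      # drop chunk extensions
        if not _HEX_RE.match(size_field):
            raise ValueError("invalid chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break                                          # last-chunk reached
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing chunk CRLF")
        body += chunk
        pos += size + 2

    trailers = {}
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise MalformedTrailer("trailer section not terminated by CRLF")
        line = data[pos:eol]
        pos = eol + 2
        if line == b"":
            break                                          # end of trailer section
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN_RE.match(name):
            raise MalformedTrailer("not a field line: %r" % line)
        # Bare CR/LF or other control characters inside a field line are a
        # classic way for two parsers to disagree on line boundaries.
        if any(c < 0x20 and c != 0x09 for c in value) or 0x7F in value:
            raise MalformedTrailer("control character in trailer value: %r" % line)
        lname = name.lower()
        if lname in FORBIDDEN_TRAILER_FIELDS:
            raise MalformedTrailer("framing/routing field in trailer: %r" % name)
        trailers[lname.decode("ascii")] = value.strip(b" \t").decode("latin-1")
    return bytes(body), trailers, data[pos:]


def trailer_section_is_valid(data: bytes) -> bool:
    """True if the chunked message in `data` parses cleanly, False otherwise."""
    try:
        parse_chunked_body(data)
        return True
    except ValueError:          # MalformedTrailer is a ValueError subclass
        return False


# Constructed sample messages for the example (not captured traffic).
WELL_FORMED = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\nX-Checksum: abc123\r\n\r\n"
NO_COLON = b"0\r\nX-Checksum abc123\r\n\r\n"                  # field line without ':'
BARE_LF = b"0\r\nX-Checksum: abc\nX-Other: 1\r\n\r\n"          # bare LF inside a line
FRAMING_FIELD = b"0\r\nContent-Length: 0\r\n\r\n"               # framing field in trailer

if __name__ == "__main__":
    print(parse_chunked_body(WELL_FORMED))
    for sample in (NO_COLON, BARE_LF, FRAMING_FIELD):
        print(trailer_section_is_valid(sample))
```

The defensive point is in the error path: a parser that stops at the first malformed trailer line and discards the connection never has "left over" bytes that a second, more lenient parser might interpret differently. When a reverse proxy fronts the backend, both sides should apply the same strictness, and the backend should never accept a message boundary the proxy would not.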
Advisory from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
CC: (none) => marja11
Keywords: (none) => advisory
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 31951 for testing
Changed values in /etc/tomcat/tomcat-users.xml and then
# systemctl start tomcat
[root@mach7 ~]# systemctl -l status tomcat
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
     Active: active (running) since Sat 2023-11-04 16:08:24 CET; 10s ago
   Main PID: 12540 (java)
      Tasks: 20 (limit: 4364)
     Memory: 91.0M
        CPU: 14.007s
     CGroup: /system.slice/tomcat.service
             └─12540 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory ->

Nov 04 16:08:31 mach7.hviaene.thuis server[12540]: 04-Nov-2023 16:08:31.131 INFO [main] org.apache.catalina.startup.VersionLog>
Nov 04 16:08:31 mach7.hviaene.thuis server[12540]: 04-Nov-2023 16:08:31.134 INFO [main] org.apache.catalina.startup.VersionLog>
Nov 04 16:08:31 mach7.hviaene.thuis server[12540]: 04-Nov-2023 16:08:31.137 INFO [main] org.apache.catalina.startup.VersionLog>
Nov 04 16:08:31 mach7.hviaene.thuis server[12540]: 04-Nov-2023 16:08:31.142 INFO [main] org.apache.catalina.startup.VersionLog>
Nov 04 16:08:31 mach7.hviaene.thuis server[12540]: 04-Nov-2023 16:08:31.185 INFO [main] org.apache.catalina.core.AprLifecycleL>
Nov 04 16:08:31 mach7.hviaene.thuis server[12540]: 04-Nov-2023 16:08:31.193 INFO [main] org.apache.catalina.core.AprLifecycleL>
Nov 04 16:08:31 mach7.hviaene.thuis server[12540]: 04-Nov-2023 16:08:31.199 INFO [main] org.apache.catalina.core.AprLifecycleL>
Nov 04 16:08:31 mach7.hviaene.thuis server[12540]: 04-Nov-2023 16:08:31.202 INFO [main] org.apache.catalina.core.AprLifecycleL>
Nov 04 16:08:31 mach7.hviaene.thuis server[12540]: 04-Nov-2023 16:08:31.224 INFO [main] org.apache.catalina.core.AprLifecycleL>
Nov 04 16:08:34 mach7.hviaene.thuis server[12540]: 04-Nov-2023 16:08:34.729 INFO [main] org.apache.coyote.AbstractProtocol.ini>
[root@mach7 ~]#

I can open http://localhost:8080 but trying to login to the manager app just does not accept the user/password.
I added the following lines to /etc/tomcat/tomcat-users.xml
role rolename="tomcat"
role rolename="admin"
role rolename="admin-gui"
role rolename="manager"
role rolename="manager-status"
user name="admin" password="tester" roles="admin,manager,admin-gui,manager-gui,manager-status"
user username="tomcat" password="tester" roles="tomcat,manager-gui"
And http://localhost:8080/sample gives me error 404
CC: (none) => herman.viaene
CVE: (none) => CVE-2023-42795, CVE-2023-45648
CC: (none) => yvesbrungard
Grrrrr..... I forgot the enclosing < and /> characters on the new lines in the /etc/tomcat/tomcat-users.xml file. After correcting that I could login in the manager app OK. That's fine.
But looking at /var/lib/tomcat/webapps/docs/appsdev/sample/index.html I read: "The example app has been packaged as a war file and can be downloaded here" but the "here" is a pointer to nowhere and also produces the 404 error. So no wonder I can't run the sample application.
So IMHO a decision has to be made whether we let this go as the test on the manager app works OK, or the packager (or someone else) investigates what happened to this sample.war file. I can't find such a file under /var or /usr.
If I remove tomcat completely and install the version 9.0.41, I notice that this has a package tomcat-jscv which does not exist anymore in 9.0.82, and - but that I think has nothing to do with this missing package - the http://localhost:8080/sample opens OK, using the same /etc/tomcat/tomcat-users.xml file. So I think this is a regression.
Status: ASSIGNED => NEEDINFO
Hi,

The sample webapp has been removed since tomcat-9.0.73-1.1.mga8 (see bug 30113 comment 20 to find a reference to how to get the sample webapp).

Best regards,

Nico.
Status: NEEDINFO => ASSIGNED
MGA9-64 Xfce on Acer Aspire 5253
No installation issues.
Copied the /etc/tomcat/tomcat-users.xml file from the MGA8 installation, downloaded the sample from the location given in bug 8307 Comment 13. All works OK.
Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK
MGA8-64
Downloaded the sample.war file and that works OK now. Good to go.
Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA9-64-OK MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0319.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED