Hi,
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/03/13/3
https://www.openwall.com/lists/oss-security/2024/03/13/4
They are fixed in version 9.0.86.
Mageia 9 is also affected.
Best regards,
Nico.
CVE: (none) => CVE-2024-23672, CVE-2024-24549
Source RPM: (none) => tomcat-9.0.82-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Suggested advisory:
========================
The updated packages fix security vulnerabilities:
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. (CVE-2024-23672)
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. (CVE-2024-24549)
References:
https://www.openwall.com/lists/oss-security/2024/03/13/3
https://www.openwall.com/lists/oss-security/2024/03/13/4
========================
Updated packages in core/updates_testing:
========================
tomcat-9.0.87-1.mga9
tomcat-admin-webapps-9.0.87-1.mga9
tomcat-docs-webapp-9.0.87-1.mga9
tomcat-el-3.0-api-9.0.87-1.mga9
tomcat-jsp-2.3-api-9.0.87-1.mga9
tomcat-lib-9.0.87-1.mga9
tomcat-servlet-4.0-api-9.0.87-1.mga9
tomcat-webapps-9.0.87-1.mga9
from SRPM:
tomcat-9.0.87-1.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on HP-Pavilion
No installation issues.
Added lines to /etc/tomcat/tomcat-users.xml as in bug 5261, then
# systemctl restart tomcat.service
# systemctl status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Tue 2024-03-26 11:42:06 CET; 26s ago
   Main PID: 78548 (java)
      Tasks: 39 (limit: 4495)
     Memory: 167.8M
        CPU: 17.415s
     CGroup: /system.slice/tomcat.service
             └─78548 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath >
Mar 26 11:42:17 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:17.664 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At>
Mar 26 11:42:17 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:17.671 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Mar 26 11:42:17 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:17.672 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.160 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.182 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.183 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.694 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.702 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.716 INFO [main] org.apache.coyote.AbstractProtocol.start Startin>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.855 INFO [main] org.apache.catalina.startup.Catalina.start Serve>
# systemctl restart httpd
Added sample.war file to /usr/share/tomcat/webapps as in bug 8307 Comment 13 and then was able to connect to http://localhost:8080 to exercise the manager app and http://localhost:8080/sample to display the samples.
OK for me
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0090.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Blocks: (none) => 33087
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33087
Blocks: 33087 => (none)