That CVE was announced here:
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.25
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.90

The problem is fixed in versions 10.1.25 and 9.0.90. Mageia 9 is also affected.
Source RPM: (none) => tomcat-10.1.24-1.mga10.src.rpm, tomcat-9.0.87-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-34750
Status comment: (none) => Fixed upstream in 10.1.25 and 9.0.90
Uncertain to whom to assign this, so assigning it globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. (CVE-2024-34750)

References:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.90
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.90-1.mga9
tomcat-admin-webapps-9.0.90-1.mga9
tomcat-docs-webapp-9.0.90-1.mga9
tomcat-el-3.0-api-9.0.90-1.mga9
tomcat-jsp-2.3-api-9.0.90-1.mga9
tomcat-lib-9.0.90-1.mga9
tomcat-servlet-4.0-api-9.0.90-1.mga9
tomcat-webapps-9.0.90-1.mga9

from SRPM:
tomcat-9.0.90-1.mga9.src.rpm
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: tomcat-10.1.24-1.mga10.src.rpm, tomcat-9.0.87-1.mga9.src.rpm => tomcat-9.0.87-1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 10.1.25 and 9.0.90 => (none)
Status: NEW => ASSIGNED
Keywords: (none) => advisory
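The advisory text above makes two things matter when deciding whether a given host needs this update urgently: the installed upstream version against the branch's first fixed release (9.0.90 for 9.0.x, 10.1.25 for 10.1.x, as stated in the upstream announcements linked in this bug), and whether HTTP/2 is enabled at all, since the miscounted-streams bug is only reachable over an HTTP/2 stream and Tomcat only speaks HTTP/2 when an `UpgradeProtocol` element for `org.apache.coyote.http2.Http2Protocol` is present inside a `Connector` in server.xml (the stock server.xml ships that element commented out). The script below is an added example written for this page, not code from the Mageia package or from Tomcat; the two embedded server.xml fragments are constructed samples, and the verdict strings are this example's own naming. It is a static configuration check only: it does not prove a listener is reachable from untrusted networks.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, taken from the upstream announcements
# quoted in this bug (security-9.html / security-10.html).
FIXED_IN = {"9.0": (9, 0, 90), "10.1": (10, 1, 25)}

# HTTP/2 is switched on in Tomcat by this UpgradeProtocol element inside a
# Connector; the stock server.xml ships it commented out.
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"


def parse_version(version):
    """Turn '9.0.87-1.mga9' or '10.1.25' into (9, 0, 87) / (10, 1, 25).

    The distribution release suffix ('-1.mga9') is ignored; only the
    upstream version decides whether the fix is present.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a Tomcat version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(version):
    """True if older than the branch's fixed release, False if fixed,
    None if the branch is not one this advisory covers."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get(f"{major}.{minor}")
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def http2_connectors(server_xml):
    """Return (port, protocol) for each Connector with HTTP/2 enabled.

    ElementTree drops XML comments while parsing, so a connector that
    exists only inside a <!-- ... --> block is correctly not reported.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className") == HTTP2_CLASS:
                found.append((conn.get("port"), conn.get("protocol", "HTTP/1.1")))
    return found


def assess(version, server_xml):
    """Combine both checks into one verdict (verdict names are this example's own)."""
    vuln = version_is_vulnerable(version)
    if vuln is None:
        return "unknown-branch"
    if not vuln:
        return "fixed"
    if not http2_connectors(server_xml):
        return "vulnerable-version-but-http2-disabled"
    return "exposed"


# Constructed sample: an admin has enabled HTTP/2 on the TLS connector.
SERVER_XML_HTTP2 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample in the shape of the stock file: HTTP/2 only in a comment.
SERVER_XML_DEFAULT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # The two Mageia versions named in this bug, before and after the update.
    for ver in ("9.0.87-1.mga9", "9.0.90-1.mga9", "10.1.24-1.mga10"):
        print(ver, "http2 on:", assess(ver, SERVER_XML_HTTP2),
              "| stock config:", assess(ver, SERVER_XML_DEFAULT))
```

On a real host the version string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat` and the configuration from the packaged server.xml (on Fedora-style packaging this is /etc/tomcat/server.xml; verify the path on the system being checked, as that location is an assumption here).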
CC: (none) => herman.viaene
Herman, you have some experience with this creature; can you please do the test?
Coming up today.
MGA9-64 Plasma Wayland on HP-Pavilion. No installation issues.
Followed procedure as shown in bug 32980 and bug 5261 Comment 6 and 23

# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Sun 2024-07-14 10:59:46 CEST; 18s ago
   Main PID: 23265 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
      Tasks: 16 (limit: 4473)
     Memory: 52.9M
        CPU: 981ms
     CGroup: /system.slice/httpd.service
             ├─23265 /usr/sbin/httpd -DFOREGROUND
             ├─23269 /usr/sbin/httpd -DFOREGROUND
             ├─23272 /usr/sbin/httpd -DFOREGROUND
             ├─23275 /usr/sbin/httpd -DFOREGROUND
             ├─23278 /usr/sbin/httpd -DFOREGROUND
             └─23281 /usr/sbin/httpd -DFOREGROUND

Jul 14 10:59:45 mach4.hviaene.thuis systemd[1]: Starting httpd.service...
Jul 14 10:59:46 mach4.hviaene.thuis systemd[1]: Started httpd.service.

# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Sun 2024-07-14 11:00:20 CEST; 29s ago
   Main PID: 23341 (java)
      Tasks: 39 (limit: 4473)
     Memory: 167.4M
        CPU: 17.893s
     CGroup: /system.slice/tomcat.service
             └─23341 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath >

Jul 14 11:00:38 mach4.hviaene.thuis server[23341]: 14-Jul-2024 11:00:38.011 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At>
Jul 14 11:00:38 mach4.hviaene.thuis server[23341]: 14-Jul-2024 11:00:38.019 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Jul 14 11:00:38 mach4.hviaene.thuis server[23341]: 14-Jul-2024 11:00:38.020 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Jul 14 11:00:38 mach4.hviaene.thuis server[23341]: 14-Jul-2024 11:00:38.663 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At>
Jul 14 11:00:38 mach4.hviaene.thuis server[23341]: 14-Jul-2024 11:00:38.684 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Jul 14 11:00:38 mach4.hviaene.thuis server[23341]: 14-Jul-2024 11:00:38.685 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Jul 14 11:00:39 mach4.hviaene.thuis server[23341]: 14-Jul-2024 11:00:39.213 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At>
Jul 14 11:00:39 mach4.hviaene.thuis server[23341]: 14-Jul-2024 11:00:39.221 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Jul 14 11:00:39 mach4.hviaene.thuis server[23341]: 14-Jul-2024 11:00:39.234 INFO [main] org.apache.coyote.AbstractProtocol.start Startin>
Jul 14 11:00:39 mach4.hviaene.thuis server[23341]: 14-Jul-2024 11:00:39.317 INFO [main] org.apache.catalina.startup.Catalina.start Serve>

Then I was able to connect to http://localhost:8080 to exercise the manager app and http://localhost:8080/sample to display the samples.
OK for me
Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Thank you Herman
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0267.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED