Those problems were announced here:
https://www.openwall.com/lists/oss-security/2024/11/18/2 (CVE-2024-52316)
https://www.openwall.com/lists/oss-security/2024/11/18/3 (CVE-2024-52317)
https://www.openwall.com/lists/oss-security/2024/11/18/4 (CVE-2024-52318)

Mageia 9 is affected by CVE-2024-52316 and CVE-2024-52318.
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => tomcat-9.0.94-1.mga10.src.rpm, tomcat-9.0.90-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 9.0.97
CVE: (none) => CVE-2024-52316, CVE-2024-52317, CVE-2024-52318
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Authentication bypass when using Jakarta Authentication API. (CVE-2024-52316)

Incorrect JSP tag recycling leads to XSS. (CVE-2024-52318)

References:
https://www.openwall.com/lists/oss-security/2024/11/18/2
https://www.openwall.com/lists/oss-security/2024/11/18/4
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.97-1.mga9
tomcat-admin-webapps-9.0.97-1.mga9
tomcat-docs-webapp-9.0.97-1.mga9
tomcat-el-3.0-api-9.0.97-1.mga9
tomcat-jsp-2.3-api-9.0.97-1.mga9
tomcat-lib-9.0.97-1.mga9
tomcat-servlet-4.0-api-9.0.97-1.mga9
tomcat-webapps-9.0.97-1.mga9

from SRPM:
tomcat-9.0.97-1.mga9.src.rpm
Source RPM: tomcat-9.0.94-1.mga10.src.rpm, tomcat-9.0.90-1.mga9.src.rpm => tomcat-9.0.90-1.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 9.0.97 => (none)
Version: Cauldron => 9
CVE: CVE-2024-52316, CVE-2024-52317, CVE-2024-52318 => CVE-2024-52316, CVE-2024-52318
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
# urpmi tomcat
A requested package cannot be installed:
tomcat-lib-9.0.97-1.mga9.noarch (due to unsatisfied ecj[>= 1:4.10])
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #2)
> # urpmi tomcat
> A requested package cannot be installed:
> tomcat-lib-9.0.97-1.mga9.noarch (due to unsatisfied ecj[>= 1:4.10])

Check whether you disabled the Release repository by accident.

LC_ALL=C urpmi --test tomcat
To satisfy dependencies, the following packages are going to be installed:
(test only, installation will not be actually done)
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  tomcat                         9.0.97       1.mga9        noarch
  tomcat-el-3.0-api              9.0.97       1.mga9        noarch
  tomcat-jsp-2.3-api             9.0.97       1.mga9        noarch
  tomcat-lib                     9.0.97       1.mga9        noarch
  tomcat-servlet-4.0-api         9.0.97       1.mga9        noarch
(medium "Core Release (distrib1)")
  ecj                            4.19         2.mga9        noarch
  libtool                        2.4.7        1.mga9        x86_64   (recommended)
  tomcat-native                  2.0.1        1.mga9        x86_64   (recommended)
(medium "Core Updates (distrib3)")
  lib64apr-devel                 1.7.5        1.mga9        x86_64   (recommended)
19MB of additional disk space will be used.
10MB of packages will be retrieved.
Proceed with the installation of the 9 packages? (Y/n) y

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/ecj-4.19-2.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/tomcat-native-2.0.1-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/libtool-2.4.7-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64apr-devel-1.7.5-1.mga9.x86_64.rpm
installing
//home/katnatek/qa-testing/x86_64/tomcat-jsp-2.3-api-9.0.97-1.mga9.noarch.rpm
//home/katnatek/qa-testing/x86_64/tomcat-9.0.97-1.mga9.noarch.rpm
/var/cache/urpmi/rpms/tomcat-native-2.0.1-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/tomcat-el-3.0-api-9.0.97-1.mga9.noarch.rpm
/var/cache/urpmi/rpms/ecj-4.19-2.mga9.noarch.rpm
/var/cache/urpmi/rpms/lib64apr-devel-1.7.5-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/libtool-2.4.7-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/tomcat-servlet-4.0-api-9.0.97-1.mga9.noarch.rpm
//home/katnatek/qa-testing/x86_64/tomcat-lib-9.0.97-1.mga9.noarch.rpm
Preparing... ##################################################################################################
Installation is possible
MGA9-64 Plasma on HP-Elitebook
No installation issues
Followed leads from bug 33367, not forgetting the updates in /etc/tomcat/tomcat-users.xml

# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Mon 2024-11-25 11:00:25 CET; 17s ago
   Main PID: 36443 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
      Tasks: 6 (limit: 18773)
     Memory: 18.8M
        CPU: 59ms
     CGroup: /system.slice/httpd.service
             ├─36443 /usr/sbin/httpd -DFOREGROUND
             ├─36445 /usr/sbin/httpd -DFOREGROUND
             ├─36446 /usr/sbin/httpd -DFOREGROUND
             ├─36447 /usr/sbin/httpd -DFOREGROUND
             ├─36448 /usr/sbin/httpd -DFOREGROUND
             └─36449 /usr/sbin/httpd -DFOREGROUND

Nov 25 11:00:25 mach4.hvIaene.thuis systemd[1]: Starting httpd.service...
Nov 25 11:00:25 mach4.hvIaene.thuis systemd[1]: Started httpd.service.

# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Mon 2024-11-25 11:01:01 CET; 15s ago
   Main PID: 36495 (java)
      Tasks: 42 (limit: 18773)
     Memory: 273.7M
        CPU: 3.260s
     CGroup: /system.slice/tomcat.service
             └─36495 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/b>

Nov 25 11:01:02 mach4.hvIaene.thuis server[36495]: 25-Nov-2024 11:01:02.236 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was >
Nov 25 11:01:02 mach4.hvIaene.thuis server[36495]: 25-Nov-2024 11:01:02.239 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment o>
Nov 25 11:01:02 mach4.hvIaene.thuis server[36495]: 25-Nov-2024 11:01:02.240 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying we>
Nov 25 11:01:02 mach4.hvIaene.thuis server[36495]: 25-Nov-2024 11:01:02.331 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was >
Nov 25 11:01:02 mach4.hvIaene.thuis server[36495]: 25-Nov-2024 11:01:02.333 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment o>
Nov 25 11:01:02 mach4.hvIaene.thuis server[36495]: 25-Nov-2024 11:01:02.333 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying we>
Nov 25 11:01:02 mach4.hvIaene.thuis server[36495]: 25-Nov-2024 11:01:02.418 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was >
Nov 25 11:01:02 mach4.hvIaene.thuis server[36495]: 25-Nov-2024 11:01:02.419 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment o>
Nov 25 11:01:02 mach4.hvIaene.thuis server[36495]: 25-Nov-2024 11:01:02.421 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [>
Nov 25 11:01:02 mach4.hvIaene.thuis server[36495]: 25-Nov-2024 11:01:02.436 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [617] >

Then I could connect to http://localhost:8080 to exercise the manager app and http://localhost:8080/sample to display the samples.
OK for me
Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0379.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED