Bug 34332 - tomcat new security issue CVE-2025-46701
Summary: tomcat new security issue CVE-2025-46701
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-06-02 10:23 CEST by Nicolas Salguero
Modified: 2025-06-08 08:23 CEST

See Also:
Source RPM: tomcat-9.0.104-1.mga9.src.rpm
CVE: CVE-2025-46701
Status comment:


Description Nicolas Salguero 2025-06-02 10:23:59 CEST
CVE-2025-46701 was announced here:
https://openwall.com/lists/oss-security/2025/05/29/4
Nicolas Salguero 2025-06-02 10:24:34 CEST

Source RPM: (none) => tomcat-9.0.104-1.mga10.src.rpm, tomcat-9.0.104-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 9.0.105
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-46701

Comment 1 Nicolas Salguero 2025-06-03 14:49:02 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Security constraint bypass for CGI scripts. (CVE-2025-46701)

References:
https://openwall.com/lists/oss-security/2025/05/29/4
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.105-1.mga9
tomcat-admin-webapps-9.0.105-1.mga9
tomcat-docs-webapp-9.0.105-1.mga9
tomcat-el-3.0-api-9.0.105-1.mga9
tomcat-jsp-2.3-api-9.0.105-1.mga9
tomcat-lib-9.0.105-1.mga9
tomcat-servlet-4.0-api-9.0.105-1.mga9
tomcat-webapps-9.0.105-1.mga9

from SRPM:
tomcat-9.0.105-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Source RPM: tomcat-9.0.104-1.mga10.src.rpm, tomcat-9.0.104-1.mga9.src.rpm => tomcat-9.0.104-1.mga9.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status comment: Fixed upstream in 9.0.105 => (none)

katnatek 2025-06-04 01:07:24 CEST

Keywords: (none) => advisory

Comment 2 Herman Viaene 2025-06-05 11:37:48 CEST
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues overwriting current version.
Ref bug 34231 for testing
# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Thu 2025-06-05 11:28:46 CEST; 12s ago
   Main PID: 28831 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 6 (limit: 8806)
     Memory: 29.1M
        CPU: 780ms
     CGroup: /system.slice/httpd.service
             ├─28831 /usr/sbin/httpd -DFOREGROUND
             ├─28834 /usr/sbin/httpd -DFOREGROUND
             ├─28835 /usr/sbin/httpd -DFOREGROUND
             ├─28836 /usr/sbin/httpd -DFOREGROUND
             ├─28837 /usr/sbin/httpd -DFOREGROUND
             └─28838 /usr/sbin/httpd -DFOREGROUND

Jun 05 11:28:46 mach3.hviaene.thuis systemd[1]: Starting httpd.service...
Jun 05 11:28:46 mach3.hviaene.thuis systemd[1]: Started httpd.service.

# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Thu 2025-06-05 11:29:20 CEST; 16s ago
   Main PID: 28918 (java)
      Tasks: 23 (limit: 8806)
     Memory: 130.2M
        CPU: 20.437s
     CGroup: /system.slice/tomcat.service
             └─28918 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bi>

Jun 05 11:29:27 mach3.hviaene.thuis server[28918]: 05-Jun-2025 11:29:27.299 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line a>
Jun 05 11:29:27 mach3.hviaene.thuis server[28918]: 05-Jun-2025 11:29:27.335 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded >
Jun 05 11:29:27 mach3.hviaene.thuis server[28918]: 05-Jun-2025 11:29:27.339 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR cap>
Jun 05 11:29:27 mach3.hviaene.thuis server[28918]: 05-Jun-2025 11:29:27.341 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/Ope>
Jun 05 11:29:27 mach3.hviaene.thuis server[28918]: 05-Jun-2025 11:29:27.376 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL >
Jun 05 11:29:31 mach3.hviaene.thuis server[28918]: 05-Jun-2025 11:29:31.533 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler>
Jun 05 11:29:32 mach3.hviaene.thuis server[28918]: 05-Jun-2025 11:29:32.068 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [>
Jun 05 11:29:32 mach3.hviaene.thuis server[28918]: 05-Jun-2025 11:29:32.850 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting serv>
Jun 05 11:29:32 mach3.hviaene.thuis server[28918]: 05-Jun-2025 11:29:32.865 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servl>
Jun 05 11:29:33 mach3.hviaene.thuis server[28918]: 05-Jun-2025 11:29:33.015 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web appli>


Then I could connect to http://localhost:8080 to exercise the manager app and http://localhost:8080/sample to display the samples.
OK for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2025-06-07 02:04:20 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Mageia Robot 2025-06-08 08:23:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0177.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
