Bug 34699 - tomcat new security issues CVE-2025-5575[24] and CVE-2025-61795
Summary: tomcat new security issues CVE-2025-5575[24] and CVE-2025-61795
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-10-28 09:08 CET by Nicolas Salguero
Modified: 2025-10-29 05:29 CET

See Also:
Source RPM: tomcat-9.0.108-1.mga9.src.rpm
CVE: CVE-2025-55752, CVE-2025-55754, CVE-2025-61795
Status comment:


Attachments

Nicolas Salguero 2025-10-28 09:08:53 CET

Source RPM: (none) => tomcat-9.0.108-1.mga10.src.rpm, tomcat-9.0.108-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 9.0.111
CVE: (none) => CVE-2025-55752, CVE-2025-55754, CVE-2025-61795
Severity: normal => major
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2025-10-28 09:44:44 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Directory traversal via rewrite with possible RCE if PUT is enabled. (CVE-2025-55752)

Console manipulation via escape sequences in log messages. (CVE-2025-55754)

Delayed cleaning of multi-part upload temporary files may lead to DoS. (CVE-2025-61795)

References:
https://www.openwall.com/lists/oss-security/2025/10/27/4
https://www.openwall.com/lists/oss-security/2025/10/27/5
https://www.openwall.com/lists/oss-security/2025/10/27/6
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.111-1.mga9
tomcat-admin-webapps-9.0.111-1.mga9
tomcat-docs-webapp-9.0.111-1.mga9
tomcat-el-3.0-api-9.0.111-1.mga9
tomcat-jsp-2.3-api-9.0.111-1.mga9
tomcat-lib-9.0.111-1.mga9
tomcat-servlet-4.0-api-9.0.111-1.mga9
tomcat-webapps-9.0.111-1.mga9

from SRPM:
tomcat-9.0.111-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 9.0.111 => (none)
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: tomcat-9.0.108-1.mga10.src.rpm, tomcat-9.0.108-1.mga9.src.rpm => tomcat-9.0.108-1.mga9.src.rpm
Status: NEW => ASSIGNED
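A quick way to confirm that a host actually carries the fixed builds listed above is to compare what rpm reports against the advisory's package list using rpm's own version ordering. This is an added example, not part of the bug report or of Mageia's tooling; the `rpm -qa` output it parses is a constructed sample, and the version comparison is a simplified reimplementation of rpmvercmp (no epoch or tilde handling).

```python
import re

# Fixed package builds from the advisory (core/updates_testing, Mageia 9).
FIXED = {
    "tomcat": "9.0.111-1.mga9",
    "tomcat-admin-webapps": "9.0.111-1.mga9",
    "tomcat-docs-webapp": "9.0.111-1.mga9",
    "tomcat-el-3.0-api": "9.0.111-1.mga9",
    "tomcat-jsp-2.3-api": "9.0.111-1.mga9",
    "tomcat-lib": "9.0.111-1.mga9",
    "tomcat-servlet-4.0-api": "9.0.111-1.mga9",
    "tomcat-webapps": "9.0.111-1.mga9",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'tomcat*'`:
# a host where two packages are still on the affected 9.0.108 build.
SAMPLE_RPM_QA = """\
tomcat 9.0.111-1.mga9
tomcat-lib 9.0.108-1.mga9
tomcat-webapps 9.0.111-1.mga9
tomcat-admin-webapps 9.0.108-1.mga9
"""

def _segments(s):
    # rpm splits a version into alternating digit and letter runs; digits compare numerically.
    return re.findall(r"\d+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm version ordering: -1, 0 or 1 for a <, = or > b."""
    for x, y in zip(_segments(a), _segments(b)):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer than alpha
        if x != y:
            return 1 if x > y else -1
    la, lb = len(_segments(a)), len(_segments(b))
    return (la > lb) - (la < lb)  # more segments wins when the common prefix is equal

def evr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def vulnerable_packages(rpm_qa_output, fixed=FIXED):
    """Return {name: installed_version} for listed packages older than the fixed build."""
    bad = {}
    for line in rpm_qa_output.splitlines():
        name, _, vr = line.partition(" ")
        if name in fixed and evr_cmp(vr, fixed[name]) < 0:
            bad[name] = vr
    return bad
```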

Comment 2 Herman Viaene 2025-10-28 14:30:43 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34231 for testing.
Added following lines to /etc/tomcat/tomcat-users.xml before the end line:
<role rolename="manager-gui"/>
<user name="tester9" password="tester" roles="manager-gui" />
I had sample.war from previous updates.
# systemctl start httpd

#  systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Tue 2025-10-28 14:17:56 CET; 17s ago
   Main PID: 5139 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 8 (limit: 8805)
     Memory: 96.5M
        CPU: 1.643s
     CGroup: /system.slice/httpd.service
             ├─5139 /usr/sbin/httpd -DFOREGROUND
             ├─5141 /usr/libexec/nss_pcache 0 off
             ├─5158 /usr/sbin/httpd -DFOREGROUND
             ├─5160 /usr/sbin/httpd -DFOREGROUND
             ├─5161 /usr/sbin/httpd -DFOREGROUND
             ├─5163 /usr/sbin/httpd -DFOREGROUND
             └─5166 /usr/sbin/httpd -DFOREGROUND

Oct 28 14:17:55 mach3.hviaene.thuis systemd[1]: Starting httpd.service...
Oct 28 14:17:56 mach3.hviaene.thuis systemd[1]: Started httpd.service.

# systemctl restart tomcat.service

# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Tue 2025-10-28 14:18:33 CET; 14s ago
   Main PID: 5243 (java)
      Tasks: 23 (limit: 8805)
     Memory: 137.1M
        CPU: 17.359s
     CGroup: /system.slice/tomcat.service
             └─5243 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/to>

Oct 28 14:18:39 mach3.hviaene.thuis server[5243]: 28-Oct-2025 14:18:39.699 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command>
Oct 28 14:18:39 mach3.hviaene.thuis server[5243]: 28-Oct-2025 14:18:39.715 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent >
Oct 28 14:18:39 mach3.hviaene.thuis server[5243]: 28-Oct-2025 14:18:39.715 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent >
Oct 28 14:18:39 mach3.hviaene.thuis server[5243]: 28-Oct-2025 14:18:39.716 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent >
Oct 28 14:18:39 mach3.hviaene.thuis server[5243]: 28-Oct-2025 14:18:39.739 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL O>
Oct 28 14:18:43 mach3.hviaene.thuis server[5243]: 28-Oct-2025 14:18:43.343 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing Protocol>
Oct 28 14:18:43 mach3.hviaene.thuis server[5243]: 28-Oct-2025 14:18:43.793 INFO [main] org.apache.catalina.startup.Catalina.load Server initializati>
Oct 28 14:18:44 mach3.hviaene.thuis server[5243]: 28-Oct-2025 14:18:44.340 INFO [main] org.apache.catalina.core.StandardService.startInternal Starti>
Oct 28 14:18:44 mach3.hviaene.thuis server[5243]: 28-Oct-2025 14:18:44.345 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Startin>
Oct 28 14:18:44 mach3.hviaene.thuis server[5243]: 28-Oct-2025 14:18:44.482 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying we>

Then I could connect to http://localhost:8080 to exercise the manager app, used that to declare the location of the sample.war file. And connect to http://localhost:8080/sample to display the samples.
OK for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

katnatek 2025-10-28 19:33:24 CET

Keywords: (none) => advisory

Comment 3 Thomas Andrews 2025-10-29 02:46:50 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2025-10-29 05:29:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0250.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
