FEDORA-2018-21ffebf41c

security update in Fedora 27 for tomcat

Status: obsolete

This update includes a rebase from 8.0.51 up to 8.0.53 which resolves two CVEs along with various other bugs/features:

  • #1579612 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
  • #1607586 CVE-2018-8034 tomcat: host name verification missing in WebSocket client
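As an added illustration (not part of this Bodhi update or of the Tomcat project's own files), the web.xml fragment below contrasts a CORS filter definition that leaves the parameters flagged by CVE-2018-8014 at their pre-8.0.53 defaults with one that sets them explicitly. The `init-param` names are the real `org.apache.catalina.filters.CorsFilter` parameters; the origin `https://app.example.com` is a constructed placeholder, and whether credentials are needed at all is an assumption about the deployed application.

```xml
<!-- BEFORE (weak): relies on the filter's defaults for origins and credentials.
     In the affected releases that amounts to allowing any origin while also
     sending Access-Control-Allow-Credentials, which is what CVE-2018-8014 describes. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <!-- no cors.allowed.origins, no cors.support.credentials: defaults apply -->
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- AFTER (hardened): never depend on defaults for a security-relevant filter.
     List only the origins that legitimately need cross-origin access, and
     enable credentials only when that explicit list is in place. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <!-- constructed placeholder: replace with the real front-end origin(s), comma separated -->
    <param-value>https://app.example.com</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <!-- assumption: the application uses cookie-based sessions cross-origin; otherwise set false -->
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,OPTIONS</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The practical check after applying the rebase is to grep every deployed web.xml (and the global conf/web.xml) for `CorsFilter` and confirm that each definition spells out `cors.allowed.origins` and `cors.support.credentials`, so the configuration stays correct regardless of which defaults a given Tomcat version ships.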

Comments (6)

This update has been submitted for testing by csutherl.

There were some inconsistencies:

 Problem 1: conflicting requests
  - nothing provides tomcat-lib = 1:8.0.53-1.fc27 needed by tomcat-1:8.0.53-1.fc27.noarch
 Problem 2: package tomcat-webapps-1:8.0.53-1.fc27.noarch requires tomcat = 1:8.0.53-1.fc27, but none of the providers can be installed
  - conflicting requests
  - nothing provides tomcat-lib = 1:8.0.53-1.fc27 needed by tomcat-1:8.0.53-1.fc27.noarch
 Problem 3: package tomcat-jsvc-1:8.0.53-1.fc27.noarch requires tomcat = 1:8.0.53-1.fc27, but none of the providers can be installed
  - conflicting requests
  - nothing provides tomcat-lib = 1:8.0.53-1.fc27 needed by tomcat-1:8.0.53-1.fc27.noarch
 Problem 4: package tomcat-docs-webapp-1:8.0.53-1.fc27.noarch requires tomcat = 1:8.0.53-1.fc27, but none of the providers can be installed
  - conflicting requests
  - nothing provides tomcat-lib = 1:8.0.53-1.fc27 needed by tomcat-1:8.0.53-1.fc27.noarch
 Problem 5: package tomcat-admin-webapps-1:8.0.53-1.fc27.noarch requires tomcat = 1:8.0.53-1.fc27, but none of the providers can be installed
  - conflicting requests
  - nothing provides tomcat-lib = 1:8.0.53-1.fc27 needed by tomcat-1:8.0.53-1.fc27.noarch
karma: -1

This update has been pushed to testing.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes.

Are you sure this isn't an environmental issue? The changes committed to rebase were minimal and should not have caused this problem. Additionally, looking at the build information in koji shows that the tomcat-lib package does in fact provide "tomcat-lib = 1:8.0.53-1.fc27". I'll set up a VM to test as soon as I can, but I don't see any cause for this at first glance.


Content Type: RPM
Status: obsolete
Test Gating:
Submitted by:
Update Type: security
Update Severity: unspecified
Karma: -1 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Disabled
Autopush (time): Disabled
Dates: submitted a year ago; in testing a year ago

Related Bugs (2)

  • #1579612 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins [fedora-all]
  • #1607586 CVE-2018-8034 tomcat: host name verification missing in WebSocket client [fedora-all]
