FEDORA-2018-21ffebf41c created by csutherl 2 years ago for Fedora 27
obsolete

This update includes a rebase from 8.0.51 up to 8.0.53 which resolves two CVEs along with various other bugs/features:

  • #1579612 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
  • #1607586 CVE-2018-8034 tomcat: host name verification missing in WebSocket client

This update has been submitted for testing by csutherl.

2 years ago
lobocode commented & provided feedback 2 years ago

There were some inconsistencies:

 Problem 1: conflicting requests
  - nothing provides tomcat-lib = 1:8.0.53-1.fc27 needed by tomcat-1:8.0.53-1.fc27.noarch
 Problem 2: package tomcat-webapps-1:8.0.53-1.fc27.noarch requires tomcat = 1:8.0.53-1.fc27, but none of the providers can be installed
  - conflicting requests
  - nothing provides tomcat-lib = 1:8.0.53-1.fc27 needed by tomcat-1:8.0.53-1.fc27.noarch
 Problem 3: package tomcat-jsvc-1:8.0.53-1.fc27.noarch requires tomcat = 1:8.0.53-1.fc27, but none of the providers can be installed
  - conflicting requests
  - nothing provides tomcat-lib = 1:8.0.53-1.fc27 needed by tomcat-1:8.0.53-1.fc27.noarch
 Problem 4: package tomcat-docs-webapp-1:8.0.53-1.fc27.noarch requires tomcat = 1:8.0.53-1.fc27, but none of the providers can be installed
  - conflicting requests
  - nothing provides tomcat-lib = 1:8.0.53-1.fc27 needed by tomcat-1:8.0.53-1.fc27.noarch
 Problem 5: package tomcat-admin-webapps-1:8.0.53-1.fc27.noarch requires tomcat = 1:8.0.53-1.fc27, but none of the providers can be installed
  - conflicting requests
  - nothing provides tomcat-lib = 1:8.0.53-1.fc27 needed by tomcat-1:8.0.53-1.fc27.noarch

This update has been pushed to testing.

2 years ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

2 years ago
csutherl commented & provided feedback 2 years ago

Are you sure this isn't an environmental issue? The changes committed to rebase were minimal and should not have caused this problem. Additionally, looking at the build information in koji shows that the tomcat-lib package does in fact provide "tomcat-lib = 1:8.0.53-1.fc27". I'll set up a VM to test as soon as I can, but I don't see any cause for this at first glance.



Metadata

  • Type: security
  • Karma: -1
  • Signed
  • Content Type: RPM
  • Test Gating

Settings

  • Unstable by Karma: -3
  • Stable by Karma: disabled
  • Stable by Time: disabled

Dates

  • submitted: 2 years ago
  • in testing: 2 years ago

BZ#1579612 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins [fedora-all]
BZ#1607586 CVE-2018-8034 tomcat: host name verification missing in WebSocket client [fedora-all]
