FEDORA-2020-0e42878ba7 created by csutherl 2 years ago for Fedora 32
stable

This update includes a rebase from 9.0.30 up to 9.0.31 which resolves one CVE along with various other bugs/features:

  • #1806805 CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
  • #1801729 tomcat-9.0.31 is available

WARNING - This update does not enforce the change in defaults for the AJP Connector like the upstream fix does. This is done to prevent breakage of current installations, but it is highly advised to review your AJP Connector configuration to ensure that it is only accessible by your proxy! For more information see the Tomcat Security Page and the Tomcat Security Considerations Document.

How to install

sudo dnf upgrade --advisory=FEDORA-2020-0e42878ba7

This update has been submitted for testing by csutherl.

2 years ago

This update's test gating status has been changed to 'waiting'.

2 years ago

This update's test gating status has been changed to 'ignored'.

2 years ago

This update has been pushed to testing.

2 years ago
adamwill commented & provided feedback 2 years ago

This breaks the openQA FreeIPA tests - see links on Automated Tests tab. Logs available in 'Logs & Assets' tab of the failed tests. Didn't look into the cause myself yet, but it definitely broke something. @ab

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago

@adamwill @abbra the breakage occurred due to changes in the defaults on the AJP Connector to mitigate CVE-2020-1938. There are two changes that likely caused the issue: the default bind address for the connector changed from all interfaces to localhost and the connector will no longer start unless you define a secret. We can proceed two different ways. You can update the FreeIPA configuration to address those (add 'address' and 'secretRequired=false' to your Connector config), or I can create a patch to undo those changes (which is what I did for RHEL tomcat). The problem with the second approach is that I don't know of any mechanism to tell users that they need to review their configurations, so they likely won't do anything and remain vulnerable to exploitation. Got any tips on that?
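As an added illustration of the two settings discussed in this comment and in the update warning above (this is not code from the Fedora package, FreeIPA or Tomcat): a small Python audit that reads a server.xml and flags AJP Connectors that listen on all interfaces, set secretRequired="false", or have no secret configured. The server.xml below is constructed, and the audit assumes the pre-9.0.31 defaults this Fedora build keeps (no `address` means all interfaces, no `secret` means the connector starts without one).

```python
"""Audit AJP Connectors in a Tomcat server.xml for the CVE-2020-1938 settings."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one classic (exposed) AJP connector, one
# hardened the way the update warning recommends, and an HTTP connector
# that the audit must ignore.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="EXAMPLE-SHARED-SECRET"
               redirectPort="8443"/>
  </Service>
</Server>
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0", "*"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP Connector: its port and the issues found.

    Assumption (matches this Fedora build, which keeps the old defaults):
    a missing 'address' means the connector listens on all interfaces, and
    a missing 'secret' means the connector starts without one.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP/HTTPS connectors are out of scope here
        issues = []
        address = conn.get("address")
        if address is None or address in WILDCARD_ADDRESSES:
            issues.append("listens on all interfaces; bind address to the proxy-facing or loopback IP")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired=false disables the shared-secret check")
        if not conn.get("secret"):
            issues.append("no secret configured; the reverse proxy is not authenticated")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {f['port']}: {'OK' if not f['issues'] else 'REVIEW'}")
        for issue in f["issues"]:
            print(f"  - {issue}")
```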

This update can be pushed to stable now if the maintainer wishes

2 years ago

I'm afraid I don't, I'm just the test monkey :) ab might.

It's the secret. Alexander is working on a PR to address the issue, https://github.com/freeipa/freeipa/pull/4337

I think it's best to roll back those default changes for f30-f32 (and fix this like I did for RHEL) so we don't break current user environments. The work done in the freeipa project to use the secret is still valid, but after I introduce a new build it won't be broken by default.

csutherl edited this update.

New build(s):

  • tomcat-9.0.31-2.fc32

Removed build(s):

  • tomcat-9.0.31-1.fc32

Karma has been reset.

2 years ago

This update has been submitted for testing by csutherl.

2 years ago

csutherl edited this update.

2 years ago

We are going to do a FreeIPA 4.8 release tomorrow that will include the fixes for AJP protection (and will migrate old configuration to a new one too).

This update has been pushed to testing.

2 years ago

This update can be pushed to stable now if the maintainer wishes

2 years ago

This update has been submitted for stable by pwalter.

2 years ago

This update has been pushed to stable.

2 years ago


Metadata
Type: security
Severity: high
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago
modified: 2 years ago
