[Freeipa-users] Re: Apache Tomcat Showing on Security Scan as Outdated.
"Tomcat is (should) not be exposed beyond IPA servers so remote users should not be able to make direct requests."

Understood. Thank you.

Marcelo
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: Apache Tomcat Showing on Security Scan as Outdated.
Sam Morris via FreeIPA-users wrote:
> On Mon, 2023-10-30 at 22:35 +, Marcelo Carvalho via FreeIPA-users wrote:
>> Hi Rob
>>
>> Thanks for helping out here. I was pulled sideways and I am returning to this issue now. I am sorry.
>>
>> Vulnerability showing is "Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability"
>
> If this scanner gives you a CVE reference then look it up at https://access.redhat.com/security/cve/
>
> If the vulnerability has been fixed in a backport, or if the scanner doesn't give you a CVE reference, then that is evidence that the scanner is garbage.

That's a bit blunter than I'd have been :-). But yes, some security scanners seem to compare only version numbers and don't seem to understand the way RHEL handles backports. See https://access.redhat.com/security/updates/backporting/

Tomcat is (should) not be exposed beyond IPA servers so remote users should not be able to make direct requests.

rob
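To make the version-versus-backport distinction concrete, here is an added example (not from anyone in this thread) that reproduces the scanner's version-only test against the "9.0.0-M1 < 9.0.68" range and then checks an RPM changelog for the CVE the fix was backported under. The changelog text and the CVE identifier in it are constructed placeholders; on a real host the input would come from `rpm -q --changelog tomcat`.

```python
"""Backport-aware triage of a version-range scanner finding (added example)."""
import re

def parse_tomcat_version(v: str) -> tuple:
    """'9.0.0-M1' -> (9, 0, 0, 0, 1); '9.0.50' -> (9, 0, 50, 1, 0).
    A milestone (-Mn) sorts below the final release with the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def version_only_flag(installed: str, low: str, high_exclusive: str) -> bool:
    """What a version-only scanner does: flag if low <= installed < high."""
    i = parse_tomcat_version(installed)
    return parse_tomcat_version(low) <= i < parse_tomcat_version(high_exclusive)

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def changelog_fixes(changelog: str) -> set:
    """CVE identifiers mentioned in an RPM %changelog."""
    return set(CVE_RE.findall(changelog))

def triage(installed: str, low: str, high: str, cve: str, changelog: str) -> str:
    """Combine the banner check with changelog evidence of a backported fix."""
    if not version_only_flag(installed, low, high):
        return "not-in-range"
    if cve in changelog_fixes(changelog):
        return "backported-fix"   # version-only scanner false positive
    return "needs-review"         # in range, no changelog evidence: consult vendor CVE page

# Constructed sample changelog; the CVE id is a placeholder, not a real finding.
SAMPLE_CHANGELOG = """\
* Tue Sep 05 2023 Example Maintainer <maint@example.invalid> - 1:9.0.50-3
- Resolves: CVE-0000-00001 request smuggling (backported fix)
* Mon Jul 10 2023 Example Maintainer <maint@example.invalid> - 1:9.0.50-2
- rebuild
"""

if __name__ == "__main__":
    # Banner 9.0.50 falls inside the scanner's range, so a naive check flags it...
    print(version_only_flag("9.0.50", "9.0.0-M1", "9.0.68"))
    # ...but the changelog shows the fix was backported without a rebase.
    print(triage("9.0.50", "9.0.0-M1", "9.0.68", "CVE-0000-00001", SAMPLE_CHANGELOG))
```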
[Freeipa-users] Re: Apache Tomcat Showing on Security Scan as Outdated.
On Mon, 2023-10-30 at 22:35 +, Marcelo Carvalho via FreeIPA-users wrote:
> Hi Rob
>
> Thanks for helping out here. I was pulled sideways and I am returning to this issue now. I am sorry.
>
> Vulnerability showing is "Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability"

If this scanner gives you a CVE reference then look it up at https://access.redhat.com/security/cve/

If the vulnerability has been fixed in a backport, or if the scanner doesn't give you a CVE reference, then that is evidence that the scanner is garbage.

--
Sam Morris
[Freeipa-users] Re: Apache Tomcat Showing on Security Scan as Outdated.
Hi Rob

Thanks for helping out here. I was pulled sideways and I am returning to this issue now. I am sorry.

Vulnerability showing is "Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability"

Is there a way and a need to update Apache Tomcat from within FreeIPA? If so, is this upgrade done via a FreeIPA update, as in updating FreeIPA using

    ipa-ldap-updater --upgrade
    ipa-upgradeconfig

or is Tomcat upgradable separately?

Please advise. Many thanks in advance.

Marcelo
[Freeipa-users] Re: Apache Tomcat Showing on Security Scan as Outdated.
Marcelo Carvalho via FreeIPA-users wrote:
> Hi everyone.
>
> We are running FreeIPA version:
>
> VERSION: 4.10.1, API_VERSION: 2.251
>
> Tomcat showing running is:
>
> [root@corp-freeipa-01 tomcat]# java -cp catalina.jar org.apache.catalina.util.ServerInfo
> Server version: Apache Tomcat/9.0.50
> Server built:   Jan 8 1970 23:12:05 UTC
> Server number:  9.0.50.0
> OS Name:        Linux
> OS Version:     5.14.0-284.30.1.el9_2.x86_64
> Architecture:   amd64
> JVM Version:    11.0.20+8-LTS
> JVM Vendor:     Red Hat, Inc.
>
> Host is a RHEL 9.2 with OS recently updated.
>
> The Tomcat version is showing in our Security scan as outdated.
>
> Is there a way to only update Tomcat or should I update FreeIPA using..
>
> # ipa-ldap-updater --upgrade
> # ipa-upgradeconfig
>
> . and expect the Tomcat gets updated?
>
> Please advise.

You're assuming we know which vulnerability you're referring to.

A full rebase in RHEL is not common for some packages. Instead they are more often discretely patched as needed. Scanners that check for issues based solely on version in RHEL should be taken with a grain of salt.

rob