
Bug#688720: marked as done (unblock: tomcat6/6.0.35-5)



Your message dated Tue, 25 Sep 2012 06:06:55 +0100
with message-id <1348549615.6724.23.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#688720: unblock: tomcat6/6.0.35-5
has caused the Debian Bug report #688720,
regarding unblock: tomcat6/6.0.35-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
688720: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688720
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team:

Please unblock package tomcat6.  The upload of -5 addresses the priority
serious bug #687818 (postinst modifying conffile) and includes an update
to the README regarding CVE-2010-4312 (#608286).

The debdiff against the -4 package is attached; please let me know if you
have any concerns.

Thank you for your consideration (and tireless effort).
tony

unblock tomcat6/6.0.35-5
diff -Nru tomcat6-6.0.35/debian/changelog tomcat6-6.0.35/debian/changelog
--- tomcat6-6.0.35/debian/changelog	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/changelog	2012-09-24 19:40:54.000000000 -0700
@@ -1,3 +1,13 @@
+tomcat6 (6.0.35-5) unstable; urgency=low
+
+  * Apply patch to README.Debian to explain setting the HTTPOnly flag
+    in cookies by default; CVE-2010-4312. (Closes: #608286)
+    - Thank you to Thijs Kinkhorst for the patch.
+  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
+    updating the shipped conffile. (Closes: #687818)
+
+ -- tony mancill <tmancill@debian.org>  Mon, 06 Aug 2012 21:29:11 -0700
+
 tomcat6 (6.0.35-4) unstable; urgency=low
 
   [ tony mancill ]
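Review bot: the entry's date, Mon, 06 Aug 2012, is about seven weeks older than every file timestamp in this debdiff (2012-09-24) and than the unblock request itself; if the entry was drafted in August and finalised now, refresh it (for example with `dch -r`) before uploading, since the changelog date is what tools use to order entries and compute package age.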
diff -Nru tomcat6-6.0.35/debian/logrotate tomcat6-6.0.35/debian/logrotate
--- tomcat6-6.0.35/debian/logrotate	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/logrotate	1969-12-31 16:00:00.000000000 -0800
@@ -1,8 +0,0 @@
-/var/log/tomcat6/catalina.out {
-  copytruncate
-  weekly
-  rotate 52
-  compress
-  missingok
-  create 640 @@@TOMCAT6USER@@@ adm
-}
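Review bot: dropping debian/logrotate stops shipping /etc/logrotate.d/tomcat6 as a dpkg conffile (the "Files in first .changes but not in second" list below confirms it), but nothing tells dpkg to stop tracking the path: on upgrade from -4, the existing file (already sed-modified by the old postinst, so counted as locally changed) stays in dpkg's conffile database as an obsolete conffile while ucf begins managing the same path from postinst. The usual hand-over is `dpkg-maintscript-helper rm_conffile /etc/logrotate.d/tomcat6 6.0.35-5~ tomcat6 -- "$@"` in preinst, postinst and postrm (or a debian/tomcat6.maintscript entry); note that it moves a user-edited copy aside as .dpkg-bak rather than handing it to ucf, so decide which behaviour you want on upgrade.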
diff -Nru tomcat6-6.0.35/debian/logrotate.md5sum tomcat6-6.0.35/debian/logrotate.md5sum
--- tomcat6-6.0.35/debian/logrotate.md5sum	1969-12-31 16:00:00.000000000 -0800
+++ tomcat6-6.0.35/debian/logrotate.md5sum	2012-09-24 19:40:54.000000000 -0700
@@ -0,0 +1 @@
+b5420492288987ba126ea151bd92852d  logrotate.template
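Review bot: this sum is hand-maintained, so it goes stale the first time logrotate.template is edited and ucf would then start prompting users whose file matches the previous template; defaults.md5sum already follows the same pattern, but generating the file in debian/rules with `md5sum logrotate.template` (same output format as this line) or at least checking it at build time would keep the two in sync.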
diff -Nru tomcat6-6.0.35/debian/logrotate.template tomcat6-6.0.35/debian/logrotate.template
--- tomcat6-6.0.35/debian/logrotate.template	1969-12-31 16:00:00.000000000 -0800
+++ tomcat6-6.0.35/debian/logrotate.template	2012-09-24 19:40:54.000000000 -0700
@@ -0,0 +1,8 @@
+/var/log/tomcat6/catalina.out {
+  copytruncate
+  weekly
+  rotate 52
+  compress
+  missingok
+  create 640 tomcat6 adm
+}
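Review bot: the `create 640 tomcat6 adm` line is the exact literal the new postinst sed expression matches, and baking the default user into the template (instead of the old @@@TOMCAT6USER@@@ token) is what makes the md5sum match a default -4 installation; that coupling should be stated somewhere (README.source or a comment in postinst), because any edit to this line turns the substitution into a silent no-op and a custom TOMCAT6_USER ends up with its rotated log created as tomcat6.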
diff -Nru tomcat6-6.0.35/debian/README.Debian tomcat6-6.0.35/debian/README.Debian
--- tomcat6-6.0.35/debian/README.Debian	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/README.Debian	2012-09-24 19:40:54.000000000 -0700
@@ -25,6 +25,21 @@
     wish.  See the "man authbind" for information on configuring
     authbind.
 
+SECURITY:
+
+Tomcat 6 session cookies are sent with the httponly flag disabled by default.
+It is recommended as a proactive security measure to turn this setting on
+to mitigate cross site scripting attacks: httponly cookies cannot be 'stolen'
+via JavaScript, a common vector in such attacks.
+
+The httponly setting can be enabled by adding the useHttpOnly attribute
+to <Context> in /etc/tomcat6/context.xml:
+
+  <Context useHttpOnly="true">
+
+Httponly not being on by default is referred to as CVE-2010-4172.
+
+
 NEWS:
 
 tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low
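Review bot: the identifier on the "referred to as" line (CVE-2010-4172) does not match the one in the changelog entry and in the unblock request (CVE-2010-4312); this README is what users will read and search for, so align it with the changelog before upload. Two smaller points: the attribute is spelled HttpOnly in the Set-Cookie header and useHttpOnly in the Tomcat attribute, so using the proper name once helps readers find the right documentation, and the first sentence already scopes the setting to session cookies, which is worth keeping explicit since cookies set by a web application itself are not affected by this attribute.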
diff -Nru tomcat6-6.0.35/debian/rules tomcat6-6.0.35/debian/rules
--- tomcat6-6.0.35/debian/rules	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/rules	2012-09-24 19:40:54.000000000 -0700
@@ -73,7 +73,6 @@
 	dh_testroot
 	dh_prep 
 	dh_installdirs
-	cp debian/logrotate debian/tomcat6/etc/logrotate.d/tomcat6
 
 binary-indep: build install
 	dh_testdir
diff -Nru tomcat6-6.0.35/debian/tomcat6.install tomcat6-6.0.35/debian/tomcat6.install
--- tomcat6-6.0.35/debian/tomcat6.install	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/tomcat6.install	2012-09-24 19:40:54.000000000 -0700
@@ -5,3 +5,5 @@
 debian/default_root /usr/share/tomcat6-root/
 debian/defaults.template /usr/share/tomcat6/
 debian/defaults.md5sum /usr/share/tomcat6/
+debian/logrotate.template /usr/share/tomcat6/
+debian/logrotate.md5sum /usr/share/tomcat6/
diff -Nru tomcat6-6.0.35/debian/tomcat6.postinst tomcat6-6.0.35/debian/tomcat6.postinst
--- tomcat6-6.0.35/debian/tomcat6.postinst	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/tomcat6.postinst	2012-09-24 19:40:54.000000000 -0700
@@ -4,6 +4,8 @@
 . /usr/share/debconf/confmodule
 TEMPLATE="/usr/share/tomcat6/defaults.template"
 CONFFILE="/etc/default/tomcat6"
+LR_TEMPLATE="/usr/share/tomcat6/logrotate.template"
+LR_CONFFILE="/etc/logrotate.d/tomcat6"
 JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC"
 
 case "$1" in
@@ -36,11 +38,12 @@
 	chown -R $TOMCAT6_USER:adm /var/log/tomcat6 /var/cache/tomcat6
 	chmod 750 /var/log/tomcat6 /var/cache/tomcat6
 
-  # replace the TOMCAT6USER token in /etc/logrotate.d/tomcat6 if it still contains the token
-  LOGROTATE_TOKEN="@@@TOMCAT6USER@@@"
-  if grep -q "$LOGROTATE_TOKEN" /etc/logrotate.d/tomcat6 ; then
-    sed --in-place "s/$LOGROTATE_TOKEN/$TOMCAT6_USER/" /etc/logrotate.d/tomcat6
-  fi
+	# populate /etc/logrotate.d/tomcat6
+	tmpfile=`mktemp /tmp/tomcat6.XXXXXXXXXX`
+	chmod 644 $tmpfile
+	cat $LR_TEMPLATE | sed "s%create 640 tomcat6 adm%create 640 $TOMCAT6_USER adm%" >> $tmpfile
+	ucf --debconf-ok --sum-file /usr/share/tomcat6/logrotate.md5sum $tmpfile $LR_CONFFILE
+	rm -f $tmpfile
 
 	# configuration files should not be modifiable by tomcat6 user, as this can be a security issue
 	# (an attacker may insert code in a webapp and have access to all tomcat configuration)
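Review bot: `>> $tmpfile` appends where `>` is meant; it works only because mktemp created an empty file, and `sed "..." "$LR_TEMPLATE" > "$tmpfile"` states the intent without the `cat |` pipe. Quote `$tmpfile` in the chmod, cat, ucf and rm lines as well. Two logic points: the replacement inserts $TOMCAT6_USER unescaped, so a value containing `%` or `&` would corrupt the generated file, and because the match is anchored to the literal `create 640 tomcat6 adm`, a later edit to the template makes the substitution a no-op with no error; a `grep -q "create 640 $TOMCAT6_USER adm" "$tmpfile"` before the ucf call would catch both. The `--debconf-ok` flag is fine here since confmodule is sourced at the top of the script.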
diff -Nru tomcat6-6.0.35/debian/tomcat6.postrm tomcat6-6.0.35/debian/tomcat6.postrm
--- tomcat6-6.0.35/debian/tomcat6.postrm	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/tomcat6.postrm	2012-09-24 19:40:54.000000000 -0700
@@ -4,6 +4,7 @@
 #DEBHELPER#
 
 CONFFILE=/etc/default/tomcat6
+LR_CONFFILE=/etc/logrotate.d/tomcat6
 
 # Remove cached files and auto-generated catalina.policy
 rm -rf /var/cache/tomcat6/*
@@ -47,8 +48,9 @@
         set +e
         if [ -x "/usr/bin/ucf" ]; then
             ucf --purge $CONFFILE
+            ucf --purge $LR_CONFFILE
         fi
-        rm -rf /var/log/tomcat6 /var/lib/tomcat6/temp $CONFFILE
+        rm -rf /var/log/tomcat6 /var/lib/tomcat6/temp $CONFFILE $LR_CONFFILE
         if [ -d "/var/lib/tomcat6" ] ; then
             rmdir --ignore-fail-on-non-empty /var/lib/tomcat6
         fi
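Review bot: `ucf --purge $LR_CONFFILE` correctly mirrors the new postinst, but the postinst does not register the file with `ucfr`, so ucf has no record of which package owns /etc/logrotate.d/tomcat6; if an `ucfr tomcat6 $LR_CONFFILE` call is added after the ucf call in postinst, add the matching `ucfr --purge tomcat6 $LR_CONFFILE` here. Extending the `rm -rf` line also covers the case where ucf is not installed, and since this block runs under `set +e` a failed `ucf --purge` will not abort the purge.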
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------
-rw-r--r--  root/root   /usr/share/tomcat6/logrotate.md5sum
-rw-r--r--  root/root   /usr/share/tomcat6/logrotate.template

Files in first .changes but not in second
-----------------------------------------
-rw-r--r--  root/root   /etc/logrotate.d/tomcat6

Control files of package libservlet2.4-java: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package libservlet2.5-java: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package libservlet2.5-java-doc: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package libtomcat6-java: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libecj-java, libcommons-dbcp-java, libcommons-pool-java, libservlet2.5-java (>= [-6.0.35-4)-] {+6.0.35-5)+}
Suggests: tomcat6 (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6: lines which differ (wdiff format)
-------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4),-] {+6.0.35-5),+} ucf, adduser, debconf (>= 0.5) | debconf-2.0
Suggests: tomcat6-docs (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-admin (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-examples (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-user (>= [-6.0.35-4),-] {+6.0.35-5),+} libtcnative-1
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-admin: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-common: lines which differ (wdiff format)
--------------------------------------------------------------------------
Depends: libtomcat6-java (>= [-6.0.35-4),-] {+6.0.35-5),+} default-jre-headless | java7-runtime-headless | java7-runtime | java6-runtime-headless | java6-runtime | java5-runtime
Installed-Size: [-114-] {+115+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-docs: lines which differ (wdiff format)
------------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-examples: lines which differ (wdiff format)
----------------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-extras: lines which differ (wdiff format)
--------------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-user: lines which differ (wdiff format)
------------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4),-] {+6.0.35-5),+} netcat
Suggests: tomcat6-docs (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-admin (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-examples (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6 (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

--- End Message ---
--- Begin Message ---
On Mon, 2012-09-24 at 19:57 -0700, tony mancill wrote:
> Please unblock package tomcat6.  The upload of -5 addresses the priority
> serious bug #687818 (postinst modifying conffile) and includes an update
> to the README regarding CVE-2010-4312 (#608286).

Unblocked; thanks.

Regards,

Adam

--- End Message ---