On 14.03.2016 at 23:06, Moritz Mühlenhoff wrote:
> On Sat, Feb 27, 2016 at 11:45:45PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> as you know Tomcat 6 is affected by new security vulnerabilities that
>> are fixed in version 6.0.45. Do you want me to replace the last version
>> I sent to you regarding Wheezy with this one or shall I upload version
>> 6.0.41 instead, which is more tested, and prepare another upload
>> afterwards. I wouldn't mind this incremental approach but I could also
>> merge 6.0.45 into Wheezy right now.
>
> Sorry for the late reply. Let's move to 6.0.45 right away.
>

Hi,

I have uploaded 6.0.45 to security-master just now. I'm attaching the
debdiff that shows the differences between the version in squeeze-lts and
this one.

Regards,

Markus
diff -Nru tomcat6-6.0.45/debian/changelog tomcat6-6.0.45+dfsg/debian/changelog
--- tomcat6-6.0.45/debian/changelog 2016-02-27 15:47:52.000000000 +0100
+++ tomcat6-6.0.45+dfsg/debian/changelog 2016-03-16 14:09:30.000000000 +0100
@@ -1,136 +1,78 @@
-tomcat6 (6.0.45-1~deb6u1) squeeze-lts; urgency=high
+tomcat6 (6.0.45+dfsg-1~deb7u1) wheezy-security; urgency=high
- * Non-maintainer upload by the Debian LTS team.
- * Backport version 6.0.45 to Squeeze-LTS.
- The full list of changes between 6.0.41 (the version previously available
- in Squeeze-LTS) and 6.0.45 can be seen in the upstream changelog, which is
- available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
- * This update fixes the following security vulnerabilities:
- - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
- - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
- processes redirects before considering security constraints and Filters.
- - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
- org.apache.catalina.manager.StatusManagerServlet on the
- org/apache/catalina/core/RestrictedServlets.properties list which allows
- remote authenticated users to bypass intended SecurityManager
- restrictions.
- - CVE-2016-0714: The session-persistence implementation in Apache Tomcat before
- 6.0.45 mishandles session attributes, which allows remote authenticated
- users to bypass intended SecurityManager restrictions.
- - CVE-2016-0763: The setGlobalContext method in
- org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
- not consider whether ResourceLinkFactory.setGlobalContext callers are
- authorized, which allows remote authenticated users to bypass intended
- SecurityManager restrictions and read or write to arbitrary application
- data, or cause a denial of service (application disruption), via a web
- application that sets a crafted global context.
- - CVE-2015-5351: The Manager and Host Manager applications in
- Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
- requests, which allows remote attackers to bypass a CSRF protection
- mechanism by using a token.
- * Drop the following patches. They were applied upstream.
- - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch.
- - CVE-2014-0227.patch.
- - CVE-2014-0230.patch.
- - CVE-2014-7810-1.patch.
- - CVE-2014-7810-2.patch.
-
- -- Markus Koschany <apo@debian.org> Sat, 27 Feb 2016 15:47:44 +0100
-
-tomcat6 (6.0.41-2+squeeze7) squeeze-lts; urgency=medium
-
- * Security upload by the Debian LTS team.
- * This upload fixes the following issues:
- - CVE-2014-0227: HTTP request smuggling or DoS by streaming malformed data.
- - CVE-2014-0230: non-persistent DoS attack by feeding data aborting an
- upload.
- - CVE-2014-7810: security manager bypass by using expression language.
-
- -- Santiago Ruano Rincón <santiagorr@riseup.net> Thu, 28 May 2015 10:02:27 +0200
-
-tomcat6 (6.0.41-2+squeeze6) squeeze-lts; urgency=medium
-
- * Security upload by the Debian LTS team.
- * This update fixes a regression:
- - Fix for "NoSuchElementException when an attribute has empty string as
- value." Reported upstream as
- https://issues.apache.org/bugzilla/show_bug.cgi?id=56561
-
- -- Mathieu Parent <sathieu@debian.org> Fri, 16 Jan 2015 21:34:40 +0100
-
-tomcat6 (6.0.41-2+squeeze5) squeeze-lts; urgency=medium
-
- * Security upload by the Debian LTS team.
+ * Team upload.
* The full list of changes between 6.0.35 (the version previously available
- in squeeze) and 6.0.41 can be see in the upstream changelog, which is
+ in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is
available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
* This update fixes the following security issues:
- CVE-2014-0033: prevent remote attackers from conducting session
fixation attacks via crafted URLs.
+ - CVE-2014-0119: Fix not properly constraining class loader that accesses
+ the XML parser used with an XSLT stylesheet which allowed remote
+ attackers to read arbitrary files via crafted web applications.
+ - CVE-2014-0099: Fix integer overflow in
+ java/org/apache/tomcat/util/buf/Ascii.java.
+ - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote
+ attackers to bypass security-manager restrictions.
+ - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in
+ java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
- CVE-2013-4590: prevent "Tomcat internals" information leaks.
- CVE-2013-4322: prevent remote attackers from doing denial of service
attacks.
- CVE-2013-4286: reject requests with multiple content-length headers or
with a content-length header when chunked encoding is being used.
- Avoid CVE-2013-1571 when generating Javadoc.
- - CVE-2012-3439: various improvements to the DIGEST authenticator.
- * Thanks to Tony Mancill for doing the vast amount of the work for this
- update!
- * Downgrade debian/compat to 8 and reduce build-dependency do debhelper 8
- to match the squeeze squeeze version
-
- -- Holger Levsen <holger@debian.org> Fri, 21 Nov 2014 20:08:38 +0100
-
-tomcat6 (6.0.41-2) unstable; urgency=medium
-
- [ Emmanuel Bourg ]
- * Updated the version required for libtcnative-1 (>= 1.1.30)
-
- [ tony mancill ]
- * Add patch for logfile compression. (Closes: #682955)
- - Thank you to Thijs Kinkhorst.
+ * CVE-2014-0227.patch:
+ - Add error flag to allow subsequent attempts at reading after an error to
+ fail fast.
+ * CVE-2014-0230: Add support for maxSwallowSize.
+ * CVE-2014-7810:
+ - Fix potential BeanELResolver issue when running under a security manager.
+ Some classes may not be accessible but may have accessible interfaces.
+ * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
+ * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
+ processes redirects before considering security constraints and Filters.
+ * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
+ org.apache.catalina.manager.StatusManagerServlet on the
+ org/apache/catalina/core/RestrictedServlets.properties list which allows
+ remote authenticated users to bypass intended SecurityManager
+ restrictions.
+ * CVE-2016-0714: The session-persistence implementation in Apache Tomcat
+ before 6.0.45 mishandles session attributes, which allows remote
+ authenticated users to bypass intended SecurityManager restrictions.
+ * CVE-2016-0763: The setGlobalContext method in
+ org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
+ not consider whether ResourceLinkFactory.setGlobalContext callers are
+ authorized, which allows remote authenticated users to bypass intended
+ SecurityManager restrictions and read or write to arbitrary application
+ data, or cause a denial of service (application disruption), via a web
+ application that sets a crafted global context.
+ * CVE-2015-5351: The Manager and Host Manager applications in
+ Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
+ requests, which allows remote attackers to bypass a CSRF protection
+ mechanism by using a token.
+ * Drop the following patches. Applied upstream.
+ - 0011-CVE-2012-0022-regression-fix.patch
+ - 0012-CVE-2012-3544.patch
+ - 0014-CVE-2012-4534.patch
+ - 0015-CVE-2012-4431.patch
+ - 0016-CVE-2012-3546.patch
+ - 0017-CVE-2013-2067.patch
+ - cve-2012-2733.patch
+ - cve-2012-3439.patch
+ - CVE-2014-0227.patch
+ - CVE-2014-0230.patch
+ - CVE-2014-7810-1.patch
+ - CVE-2014-7810-2.patch
+ - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch
- -- tony mancill <tmancill@debian.org> Sun, 24 Aug 2014 13:52:40 -0700
+ -- Markus Koschany <apo@debian.org> Wed, 16 Mar 2016 14:08:48 +0100
-tomcat6 (6.0.41-1) unstable; urgency=medium
+tomcat6 (6.0.35-6+deb7u1) stable-security; urgency=low
- * New upstream release.
- - Refreshed the patches
-
- -- Emmanuel Bourg <ebourg@apache.org> Thu, 22 May 2014 10:03:04 +0200
-
-tomcat6 (6.0.39-1) unstable; urgency=medium
-
- * Team upload.
- * New upstream release.
- - Refreshed the patches
- * Standards-Version updated to 3.9.5 (no changes)
- * Switch to debhelper level 9
- * Use XZ compression for the upstream tarball
- * Use canonical URL for the Vcs-Git field
-
- -- Emmanuel Bourg <ebourg@apache.org> Mon, 17 Feb 2014 00:02:00 +0100
-
-tomcat6 (6.0.37-1) unstable; urgency=low
-
- * New upstream release.
- - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
- CVE-2012-2733, CVE-2012-3439
- - Drop 0011-CVE-02012-0022-regression-fix.patch
- - Drop 0017-eclipse-compiler-update.patch
- * Freshened remaining patches.
-
- -- tony mancill <tmancill@debian.org> Sat, 03 Aug 2013 21:50:20 -0700
-
-tomcat6 (6.0.35-7) unstable; urgency=low
-
- * Team upload.
- * Fixed the watch file
- * Fix FTBFS with ecj 3.8 (closes: #717279, #713796)
- * Updated the standards version to 3.9.4 - no changes
- * Updated the Vcs-Git field to the canonical url
+ * CVE-2012-3544, CVE-2013-2067
- -- Stephen Nelson <stephen@eccostudio.com> Tue, 30 Jul 2013 23:07:18 +0100
+ -- Moritz Mühlenhoff <jmm@debian.org> Thu, 18 Jul 2013 00:00:35 +0200
tomcat6 (6.0.35-6) unstable; urgency=high
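Review bot: The new 6.0.45+dfsg-1~deb7u1 entry never says what the +dfsg suffix repacks out of the upstream tarball; the squeeze-lts entry it replaces shipped plain 6.0.45 and nothing else in this debdiff shows what was stripped, so add a line such as `* Repack the upstream tarball as +dfsg: <reason>` (placeholder, fill in the actual files and why) so the reason survives in the package history. A smaller inconsistency in the same entry: the bullet `* CVE-2014-0227.patch:` names a patch file that the entry itself lists under `* Drop the following patches. Applied upstream.`; reword it as a plain CVE description like the neighbouring `* CVE-2014-0230:` and `* CVE-2014-7810:` bullets.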
diff -Nru tomcat6-6.0.45/debian/compat tomcat6-6.0.45+dfsg/debian/compat
--- tomcat6-6.0.45/debian/compat 2016-02-27 15:47:52.000000000 +0100
+++ tomcat6-6.0.45+dfsg/debian/compat 2016-03-16 14:09:30.000000000 +0100
@@ -1 +1 @@
-8
+7
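Review bot: The compat level drop from 8 to 7 matches the `debhelper (>= 7)` build-dependency in the control hunk, but it is not recorded in the changelog; the replaced squeeze-lts entry had an explicit `* Downgrade debian/compat to 8 and reduce build-dependency do debhelper 8` line, so add the equivalent line for wheezy (compat 7, debhelper 7) so the downgrade is not mistaken for an accidental revert.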
diff -Nru tomcat6-6.0.45/debian/control tomcat6-6.0.45+dfsg/debian/control
--- tomcat6-6.0.45/debian/control 2016-02-27 15:47:52.000000000 +0100
+++ tomcat6-6.0.45+dfsg/debian/control 2016-03-16 14:09:30.000000000 +0100
@@ -6,14 +6,13 @@
Ludovic Claude <ludovic.claude@laposte.net>,
Damien Raude-Morvan <drazzib@debian.org>,
Miguel Landaeta <miguel@miguel.cc>,
- tony mancill <tmancill@debian.org>,
- Emmanuel Bourg <ebourg@apache.org>
-Build-Depends: default-jdk, ant-optional, debhelper (>= 8), po-debconf
+ tony mancill <tmancill@debian.org>
+Build-Depends: default-jdk, ant-optional, debhelper (>= 7), po-debconf
Build-Depends-Indep: maven-repo-helper (>> 1.0.1), libecj-java
-Standards-Version: 3.9.5
-Vcs-Git: git://anonscm.debian.org/pkg-java/tomcat6.git
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/tomcat6.git
+Standards-Version: 3.9.3
Homepage: http://tomcat.apache.org
+Vcs-Git: git://git.debian.org/git/pkg-java/tomcat6.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/tomcat6.git
Package: tomcat6-common
Architecture: all
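Review bot: The Vcs-Git and Vcs-Browser fields now point at different hosts (`git://git.debian.org/git/pkg-java/tomcat6.git` versus `http://anonscm.debian.org/gitweb/?p=pkg-java/tomcat6.git`); if the intent is to carry wheezy's control file verbatim that is fine, otherwise make both use the canonical anonscm.debian.org URL as the removed lines did. The hunk also removes Emmanuel Bourg from Uploaders and lowers Standards-Version from 3.9.5 to 3.9.3 without a changelog mention; a one-line remark that debian/control is based on the wheezy package would make those reversions read as intentional in the diff against squeeze-lts.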
@@ -36,7 +35,7 @@
tomcat6-admin (>= ${source:Version}),
tomcat6-examples (>= ${source:Version}),
tomcat6-user (>= ${source:Version}),
- libtcnative-1 (>= 1.1.30)
+ libtcnative-1
Description: Servlet and JSP engine
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
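Review bot: Dropping the `(>= 1.1.30)` constraint on libtcnative-1 removes a requirement that the 6.0.41-2 changelog entry introduced deliberately (`Updated the version required for libtcnative-1 (>= 1.1.30)`); before accepting, confirm that the APR/native connector of 6.0.45 starts and runs with the libtcnative-1 version actually available in wheezy, and if it does not, keep the versioned relationship or state in README.Debian that the native connector is not supported with wheezy's library.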
diff -Nru tomcat6-6.0.45/debian/copyright tomcat6-6.0.45+dfsg/debian/copyright
--- tomcat6-6.0.45/debian/copyright 2016-02-27 15:47:52.000000000 +0100
+++ tomcat6-6.0.45+dfsg/debian/copyright 2016-03-16 14:09:30.000000000 +0100
@@ -9,7 +9,7 @@
It was downloaded from http://tomcat.apache.org
Copyright:
- Copyright (C) 2000-2014, The Apache Software Foundation.
+ Copyright (C) 2000-2007 Apache Software Foundation.
Copyright (C) International Business Machines Corporation 2002
Authors:
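Review bot: The copyright year range goes backwards, from `2000-2014` to `2000-2007`, even though the packaged source is the 6.0.45 release; this is presumably wheezy's older debian/copyright, but a copyright file that understates the upstream years is a documentation defect in its own right, so keep the `Copyright (C) 2000-2014, The Apache Software Foundation.` line (or update it to the years stated in the 6.0.45 NOTICE file) rather than reverting it.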
diff -Nru tomcat6-6.0.45/debian/defaults.template tomcat6-6.0.45+dfsg/debian/defaults.template
--- tomcat6-6.0.45/debian/defaults.template 2016-02-27 15:47:52.000000000 +0100
+++ tomcat6-6.0.45+dfsg/debian/defaults.template 2016-03-16 14:09:30.000000000 +0100
@@ -33,8 +33,6 @@
# Number of days to keep logfiles in /var/log/tomcat6. Default is 14 days.
#LOGFILE_DAYS=14
-# Whether to compress logfiles older than today's
-#LOGFILE_COMPRESS=1
# Location of the JVM temporary directory
# WARNING: This directory will be destroyed and recreated at every startup !
diff -Nru tomcat6-6.0.45/debian/orig-tar.sh tomcat6-6.0.45+dfsg/debian/orig-tar.sh
--- tomcat6-6.0.45/debian/orig-tar.sh 2016-02-27 15:47:52.000000000 +0100
+++ tomcat6-6.0.45+dfsg/debian/orig-tar.sh 2016-03-16 14:09:30.000000000 +0100
@@ -6,7 +6,7 @@
TAG=$(echo TOMCAT_$VERSION | sed -e 's/\./_/g')
svn export http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/$TAG $DIR
-tar -c -J -f $TAR --exclude 'standard.jar' --exclude 'jstl.jar' $DIR
+tar -c -z -f $TAR --exclude 'standard.jar' --exclude 'jstl.jar' $DIR
rm -rf $DIR ../$TAG
# move to directory 'tarballs'
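Review bot: Switching `tar -c -J` to `tar -c -z` changes the orig tarball from xz to gzip, but `$TAR` is defined above this hunk, so check that its file name extension was changed to `.tar.gz` as well; otherwise the script writes gzip data into a file named `.tar.xz`. Also, since the package version is `6.0.45+dfsg`, this `--exclude` list is what should define the repacked content, yet it is unchanged from the non-dfsg version (`standard.jar` and `jstl.jar` only); whatever else is stripped for the +dfsg tarball belongs in this script so the repack is reproducible.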
diff -Nru tomcat6-6.0.45/debian/tomcat6.cron.daily tomcat6-6.0.45+dfsg/debian/tomcat6.cron.daily
--- tomcat6-6.0.45/debian/tomcat6.cron.daily 2016-02-27 15:47:52.000000000 +0100
+++ tomcat6-6.0.45+dfsg/debian/tomcat6.cron.daily 2016-03-16 14:09:30.000000000 +0100
@@ -2,14 +2,11 @@
NAME=tomcat6
DEFAULT=/etc/default/$NAME
-LOGEXT=log
# The following variables can be overwritten in $DEFAULT
# Default for number of days to keep old log files in /var/log/tomcatN/
LOGFILE_DAYS=14
-# Whether to compress logfiles older than today's
-LOGFILE_COMPRESS=1
# End of variables that can be overwritten in $DEFAULT
@@ -19,12 +16,6 @@
fi
if [ -d /var/log/$NAME ]; then
- if [ $LOGFILE_COMPRESS = 1 ]; then
- find /var/log/$NAME/ -name \*.$LOGEXT -daystart -mtime +0 -print0 \
- | xargs --no-run-if-empty -0 gzip -9
- LOGEXT=log.gz
- fi
-
- find /var/log/$NAME/ -name \*.$LOGEXT -mtime +$LOGFILE_DAYS -print0 \
+ find /var/log/$NAME/ -name \*.log -mtime +$LOGFILE_DAYS -print0 \
| xargs --no-run-if-empty -0 rm --
fi
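Review bot: With the compression branch gone, the expiry `find` matches only `\*.log`, so any `.log.gz` files already present in /var/log/tomcat6 (for example from an administrator's own rotation) are never deleted; if that is acceptable for the wheezy package, fine, otherwise match `\*.log.gz` as well. Separately, `$LOGFILE_DAYS` is interpolated unquoted into `-mtime +$LOGFILE_DAYS`, so an empty or non-numeric value sourced from $DEFAULT makes find error out instead of falling back to the 14-day default (pre-existing behaviour, not introduced by this hunk).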
Binary files /mnt/data/tmp/8bVoumrUBT/tomcat6-6.0.45/webapps/examples/WEB-INF/lib/taglibs-standard-impl-1.2.5.jar and /mnt/data/tmp/H6x5rFf3qM/tomcat6-6.0.45+dfsg/webapps/examples/WEB-INF/lib/taglibs-standard-impl-1.2.5.jar differ
Binary files /mnt/data/tmp/8bVoumrUBT/tomcat6-6.0.45/webapps/examples/WEB-INF/lib/taglibs-standard-spec-1.2.5.jar and /mnt/data/tmp/H6x5rFf3qM/tomcat6-6.0.45+dfsg/webapps/examples/WEB-INF/lib/taglibs-standard-spec-1.2.5.jar differ
Attachment:
signature.asc
Description: OpenPGP digital signature