On 14.03.2016 at 23:06, Moritz Mühlenhoff wrote:
> On Sat, Feb 27, 2016 at 11:45:45PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> as you know Tomcat 6 is affected by new security vulnerabilities that
>> are fixed in version 6.0.45. Do you want me to replace the last version
>> I sent to you regarding Wheezy with this one or shall I upload version
>> 6.0.41 instead, which is more tested, and prepare another upload
>> afterwards? I wouldn't mind this incremental approach but I could also
>> merge 6.0.45 into Wheezy right now.
>
> Sorry for the late reply. Let's move to 6.0.45 right away.
>

Hi,

I have uploaded 6.0.45 to security-master just now. I'm attaching the
debdiff that shows the differences between the version in squeeze-lts and
this one.

Regards,

Markus
diff -Nru tomcat6-6.0.45/debian/changelog tomcat6-6.0.45+dfsg/debian/changelog --- tomcat6-6.0.45/debian/changelog 2016-02-27 15:47:52.000000000 +0100 +++ tomcat6-6.0.45+dfsg/debian/changelog 2016-03-16 14:09:30.000000000 +0100 
@@ -1,136 +1,78 @@ -tomcat6 (6.0.45-1~deb6u1) squeeze-lts; urgency=high +tomcat6 (6.0.45+dfsg-1~deb7u1) wheezy-security; urgency=high - * Non-maintainer upload by the Debian LTS team. - * Backport version 6.0.45 to Squeeze-LTS. - The full list of changes between 6.0.41 (the version previously available - in Squeeze-LTS) and 6.0.45 can be seen in the upstream changelog, which is - available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html - * This update fixes the following security vulnerabilities: - - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java. - - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45 - processes redirects before considering security constraints and Filters. - - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place - org.apache.catalina.manager.StatusManagerServlet on the - org/apache/catalina/core/RestrictedServlets.properties list which allows - remote authenticated users to bypass intended SecurityManager - restrictions. - - CVE-2016-0714: The session-persistence implementation in Apache Tomcat before - 6.0.45 mishandles session attributes, which allows remote authenticated - users to bypass intended SecurityManager restrictions. - - CVE-2016-0763: The setGlobalContext method in - org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does - not consider whether ResourceLinkFactory.setGlobalContext callers are - authorized, which allows remote authenticated users to bypass intended - SecurityManager restrictions and read or write to arbitrary application - data, or cause a denial of service (application disruption), via a web - application that sets a crafted global context. - - CVE-2015-5351: The Manager and Host Manager applications in - Apache Tomcat establish sessions and send CSRF tokens for arbitrary new - requests, which allows remote attackers to bypass a CSRF protection - mechanism by using a token. - * Drop the following patches. They were applied upstream. 
- - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch. - - CVE-2014-0227.patch. - - CVE-2014-0230.patch. - - CVE-2014-7810-1.patch. - - CVE-2014-7810-2.patch. - - -- Markus Koschany <apo@debian.org> Sat, 27 Feb 2016 15:47:44 +0100 - -tomcat6 (6.0.41-2+squeeze7) squeeze-lts; urgency=medium - - * Security upload by the Debian LTS team. - * This upload fixes the following issues: - - CVE-2014-0227: HTTP request smuggling or DoS by streaming malformed data. - - CVE-2014-0230: non-persistent DoS attack by feeding data aborting an - upload. - - CVE-2014-7810: security manager bypass by using expression language. - - -- Santiago Ruano Rincón <santiagorr@riseup.net> Thu, 28 May 2015 10:02:27 +0200 - -tomcat6 (6.0.41-2+squeeze6) squeeze-lts; urgency=medium - - * Security upload by the Debian LTS team. - * This update fixes a regression: - - Fix for "NoSuchElementException when an attribute has empty string as - value." Reported upstream as - https://issues.apache.org/bugzilla/show_bug.cgi?id=56561 - - -- Mathieu Parent <sathieu@debian.org> Fri, 16 Jan 2015 21:34:40 +0100 - -tomcat6 (6.0.41-2+squeeze5) squeeze-lts; urgency=medium - - * Security upload by the Debian LTS team. + * Team upload. * The full list of changes between 6.0.35 (the version previously available - in squeeze) and 6.0.41 can be see in the upstream changelog, which is + in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html * This update fixes the following security issues: - CVE-2014-0033: prevent remote attackers from conducting session fixation attacks via crafted URLs. + - CVE-2014-0119: Fix not properly constraining class loader that accesses + the XML parser used with an XSLT stylesheet which allowed remote + attackers to read arbitrary files via crafted web applications. + - CVE-2014-0099: Fix integer overflow in + java/org/apache/tomcat/util/buf/Ascii.java. 
+ - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote + attackers to bypass security-manager restrictions. + - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in + java/org/apache/coyote/http11/filters/ChunkedInputFilter.java. - CVE-2013-4590: prevent "Tomcat internals" information leaks. - CVE-2013-4322: prevent remote attackers from doing denial of service attacks. - CVE-2013-4286: reject requests with multiple content-length headers or with a content-length header when chunked encoding is being used. - Avoid CVE-2013-1571 when generating Javadoc. - - CVE-2012-3439: various improvements to the DIGEST authenticator. - * Thanks to Tony Mancill for doing the vast amount of the work for this - update! - * Downgrade debian/compat to 8 and reduce build-dependency do debhelper 8 - to match the squeeze squeeze version - - -- Holger Levsen <holger@debian.org> Fri, 21 Nov 2014 20:08:38 +0100 - -tomcat6 (6.0.41-2) unstable; urgency=medium - - [ Emmanuel Bourg ] - * Updated the version required for libtcnative-1 (>= 1.1.30) - - [ tony mancill ] - * Add patch for logfile compression. (Closes: #682955) - - Thank you to Thijs Kinkhorst. + * CVE-2014-0227.patch: + - Add error flag to allow subsequent attempts at reading after an error to + fail fast. + * CVE-2014-0230: Add support for maxSwallowSize. + * CVE-2014-7810: + - Fix potential BeanELResolver issue when running under a security manager. + Some classes may not be accessible but may have accessible interfaces. + * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java. + * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45 + processes redirects before considering security constraints and Filters. 
+ * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place + org.apache.catalina.manager.StatusManagerServlet on the + org/apache/catalina/core/RestrictedServlets.properties list which allows + remote authenticated users to bypass intended SecurityManager + restrictions. + * CVE-2016-0714: The session-persistence implementation in Apache Tomcat + before 6.0.45 mishandles session attributes, which allows remote + authenticated users to bypass intended SecurityManager restrictions. + * CVE-2016-0763: The setGlobalContext method in + org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does + not consider whether ResourceLinkFactory.setGlobalContext callers are + authorized, which allows remote authenticated users to bypass intended + SecurityManager restrictions and read or write to arbitrary application + data, or cause a denial of service (application disruption), via a web + application that sets a crafted global context. + * CVE-2015-5351: The Manager and Host Manager applications in + Apache Tomcat establish sessions and send CSRF tokens for arbitrary new + requests, which allows remote attackers to bypass a CSRF protection + mechanism by using a token. + * Drop the following patches. Applied upstream. + - 0011-CVE-2012-0022-regression-fix.patch + - 0012-CVE-2012-3544.patch + - 0014-CVE-2012-4534.patch + - 0015-CVE-2012-4431.patch + - 0016-CVE-2012-3546.patch + - 0017-CVE-2013-2067.patch + - cve-2012-2733.patch + - cve-2012-3439.patch + - CVE-2014-0227.patch + - CVE-2014-0230.patch + - CVE-2014-7810-1.patch + - CVE-2014-7810-2.patch + - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch - -- tony mancill <tmancill@debian.org> Sun, 24 Aug 2014 13:52:40 -0700 + -- Markus Koschany <apo@debian.org> Wed, 16 Mar 2016 14:08:48 +0100 -tomcat6 (6.0.41-1) unstable; urgency=medium +tomcat6 (6.0.35-6+deb7u1) stable-security; urgency=low - * New upstream release. 
- - Refreshed the patches - - -- Emmanuel Bourg <ebourg@apache.org> Thu, 22 May 2014 10:03:04 +0200 - -tomcat6 (6.0.39-1) unstable; urgency=medium - - * Team upload. - * New upstream release. - - Refreshed the patches - * Standards-Version updated to 3.9.5 (no changes) - * Switch to debhelper level 9 - * Use XZ compression for the upstream tarball - * Use canonical URL for the Vcs-Git field - - -- Emmanuel Bourg <ebourg@apache.org> Mon, 17 Feb 2014 00:02:00 +0100 - -tomcat6 (6.0.37-1) unstable; urgency=low - - * New upstream release. - - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546, - CVE-2012-2733, CVE-2012-3439 - - Drop 0011-CVE-02012-0022-regression-fix.patch - - Drop 0017-eclipse-compiler-update.patch - * Freshened remaining patches. - - -- tony mancill <tmancill@debian.org> Sat, 03 Aug 2013 21:50:20 -0700 - -tomcat6 (6.0.35-7) unstable; urgency=low - - * Team upload. - * Fixed the watch file - * Fix FTBFS with ecj 3.8 (closes: #717279, #713796) - * Updated the standards version to 3.9.4 - no changes - * Updated the Vcs-Git field to the canonical url + * CVE-2012-3544, CVE-2013-2067 - -- Stephen Nelson <stephen@eccostudio.com> Tue, 30 Jul 2013 23:07:18 +0100 + -- Moritz Mühlenhoff <jmm@debian.org> Thu, 18 Jul 2013 00:00:35 +0200 tomcat6 (6.0.35-6) unstable; urgency=high diff -Nru tomcat6-6.0.45/debian/compat tomcat6-6.0.45+dfsg/debian/compat --- tomcat6-6.0.45/debian/compat 2016-02-27 15:47:52.000000000 +0100 +++ tomcat6-6.0.45+dfsg/debian/compat 2016-03-16 14:09:30.000000000 +0100 @@ -1 +1 @@ -8 +7 diff -Nru tomcat6-6.0.45/debian/control tomcat6-6.0.45+dfsg/debian/control --- tomcat6-6.0.45/debian/control 2016-02-27 15:47:52.000000000 +0100 +++ tomcat6-6.0.45+dfsg/debian/control 2016-03-16 14:09:30.000000000 +0100 
@@ -6,14 +6,13 @@ Ludovic Claude <ludovic.claude@laposte.net>, Damien Raude-Morvan <drazzib@debian.org>, Miguel Landaeta <miguel@miguel.cc>, - tony mancill <tmancill@debian.org>, - Emmanuel Bourg <ebourg@apache.org> -Build-Depends: default-jdk, ant-optional, debhelper (>= 8), po-debconf + tony mancill <tmancill@debian.org> +Build-Depends: default-jdk, ant-optional, debhelper (>= 7), po-debconf Build-Depends-Indep: maven-repo-helper (>> 1.0.1), libecj-java -Standards-Version: 3.9.5 -Vcs-Git: git://anonscm.debian.org/pkg-java/tomcat6.git -Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/tomcat6.git +Standards-Version: 3.9.3 Homepage: http://tomcat.apache.org +Vcs-Git: git://git.debian.org/git/pkg-java/tomcat6.git +Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/tomcat6.git Package: tomcat6-common Architecture: all @@ -36,7 +35,7 @@ tomcat6-admin (>= ${source:Version}), tomcat6-examples (>= ${source:Version}), tomcat6-user (>= ${source:Version}), - libtcnative-1 (>= 1.1.30) + libtcnative-1 Description: Servlet and JSP engine Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web diff -Nru tomcat6-6.0.45/debian/copyright tomcat6-6.0.45+dfsg/debian/copyright --- tomcat6-6.0.45/debian/copyright 2016-02-27 15:47:52.000000000 +0100 +++ tomcat6-6.0.45+dfsg/debian/copyright 2016-03-16 14:09:30.000000000 +0100 @@ -9,7 +9,7 @@ It was downloaded from http://tomcat.apache.org Copyright: - Copyright (C) 2000-2014, The Apache Software Foundation. + Copyright (C) 2000-2007 Apache Software Foundation. Copyright (C) International Business Machines Corporation 2002 Authors: diff -Nru tomcat6-6.0.45/debian/defaults.template tomcat6-6.0.45+dfsg/debian/defaults.template --- tomcat6-6.0.45/debian/defaults.template 2016-02-27 15:47:52.000000000 +0100 +++ tomcat6-6.0.45+dfsg/debian/defaults.template 2016-03-16 14:09:30.000000000 +0100 
@@ -33,8 +33,6 @@ # Number of days to keep logfiles in /var/log/tomcat6. Default is 14 days. #LOGFILE_DAYS=14 -# Whether to compress logfiles older than today's -#LOGFILE_COMPRESS=1 # Location of the JVM temporary directory # WARNING: This directory will be destroyed and recreated at every startup ! diff -Nru tomcat6-6.0.45/debian/orig-tar.sh tomcat6-6.0.45+dfsg/debian/orig-tar.sh --- tomcat6-6.0.45/debian/orig-tar.sh 2016-02-27 15:47:52.000000000 +0100 +++ tomcat6-6.0.45+dfsg/debian/orig-tar.sh 2016-03-16 14:09:30.000000000 +0100 @@ -6,7 +6,7 @@ TAG=$(echo TOMCAT_$VERSION | sed -e 's/\./_/g') svn export http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/$TAG $DIR -tar -c -J -f $TAR --exclude 'standard.jar' --exclude 'jstl.jar' $DIR +tar -c -z -f $TAR --exclude 'standard.jar' --exclude 'jstl.jar' $DIR rm -rf $DIR ../$TAG # move to directory 'tarballs' diff -Nru tomcat6-6.0.45/debian/tomcat6.cron.daily tomcat6-6.0.45+dfsg/debian/tomcat6.cron.daily --- tomcat6-6.0.45/debian/tomcat6.cron.daily 2016-02-27 15:47:52.000000000 +0100 +++ tomcat6-6.0.45+dfsg/debian/tomcat6.cron.daily 2016-03-16 14:09:30.000000000 +0100 @@ -2,14 +2,11 @@ NAME=tomcat6 DEFAULT=/etc/default/$NAME -LOGEXT=log # The following variables can be overwritten in $DEFAULT # Default for number of days to keep old log files in /var/log/tomcatN/ LOGFILE_DAYS=14 -# Whether to compress logfiles older than today's -LOGFILE_COMPRESS=1 # End of variables that can be overwritten in $DEFAULT 
@@ -19,12 +16,6 @@ fi if [ -d /var/log/$NAME ]; then - if [ $LOGFILE_COMPRESS = 1 ]; then - find /var/log/$NAME/ -name \*.$LOGEXT -daystart -mtime +0 -print0 \ - | xargs --no-run-if-empty -0 gzip -9 - LOGEXT=log.gz - fi - - find /var/log/$NAME/ -name \*.$LOGEXT -mtime +$LOGFILE_DAYS -print0 \ + find /var/log/$NAME/ -name \*.log -mtime +$LOGFILE_DAYS -print0 \ | xargs --no-run-if-empty -0 rm -- fi Binary files /mnt/data/tmp/8bVoumrUBT/tomcat6-6.0.45/webapps/examples/WEB-INF/lib/taglibs-standard-impl-1.2.5.jar and /mnt/data/tmp/H6x5rFf3qM/tomcat6-6.0.45+dfsg/webapps/examples/WEB-INF/lib/taglibs-standard-impl-1.2.5.jar differ Binary files /mnt/data/tmp/8bVoumrUBT/tomcat6-6.0.45/webapps/examples/WEB-INF/lib/taglibs-standard-spec-1.2.5.jar and /mnt/data/tmp/H6x5rFf3qM/tomcat6-6.0.45+dfsg/webapps/examples/WEB-INF/lib/taglibs-standard-spec-1.2.5.jar differ
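Review bot: the new 6.0.45+dfsg-1~deb7u1 changelog entry (first hunk, debian/changelog) contradicts itself about CVE-2014-0227, CVE-2014-0230 and CVE-2014-7810: it first presents them as patches being applied (`* CVE-2014-0227.patch:`, `* CVE-2014-0230: Add support for maxSwallowSize.`, `* CVE-2014-7810:`) and a few lines later lists the same files under "Drop the following patches. Applied upstream." Since wheezy moves from 6.0.35 straight to 6.0.45, these issues are closed by the new upstream release, not by files in debian/patches; suggest wording them the same way as the 6.0.45 CVEs so the entry reads as one list of issues fixed by this upload, and dropping the ".patch" references for patches that are not in the package.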
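Review bot: the second debian/control hunk relaxes `libtcnative-1 (>= 1.1.30)` to an unversioned `libtcnative-1`, while the squeeze-lts history in this very debdiff records that 6.0.41-2 raised that bound on purpose ("Updated the version required for libtcnative-1 (>= 1.1.30)"). If the libtcnative-1 shipped in wheezy is older than 1.1.30, the APR connector in 6.0.45 may fail to load at runtime without any hint from the package relations; confirm the version available in wheezy and either keep the `(>= 1.1.30)` constraint or state in the changelog why it is not needed there.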
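Review bot: the debian/copyright hunk moves the upstream years backwards, from `Copyright (C) 2000-2014, The Apache Software Foundation.` to `Copyright (C) 2000-2007 Apache Software Foundation.`, although the packaged source is now 6.0.45 (dated 2016). This looks like the older wheezy branch text surviving the version bump rather than an intentional change; suggest carrying over the squeeze-lts line, or updating it to the years in the 6.0.45 NOTICE file, so debian/copyright does not understate the upstream copyright.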
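Review bot: the debian/orig-tar.sh hunk only switches the compression flag from `-J` back to `-z`, yet the new version carries a +dfsg suffix and the end of the debdiff reports that `webapps/examples/WEB-INF/lib/taglibs-standard-impl-1.2.5.jar` and `taglibs-standard-spec-1.2.5.jar` differ between the two trees. Neither the script's `--exclude` list (still only `standard.jar` and `jstl.jar`) nor the changelog says what the dfsg repack removes or replaces, so the +dfsg tarball cannot be regenerated from the packaging; suggest adding the exclusion or replacement step to orig-tar.sh and a changelog line describing it.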
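Review bot: after the second debian/tomcat6.cron.daily hunk the cleanup matches only `-name \*.log`, so any `*.log.gz` files produced by the squeeze-lts cron job (which gzipped logs older than a day when LOGFILE_COMPRESS=1) are never removed on a system upgraded from squeeze-lts to this wheezy package, and /var/log/tomcat6 then grows without bound. Suggest matching both extensions, e.g. `\( -name \*.log -o -name \*.log.gz \)` so that `-mtime +$LOGFILE_DAYS` applies to both, or at least mentioning the leftover compressed files in the changelog.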