[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Tomcat 8 security update

Le 30/05/2016 à 00:12, Markus Koschany a écrit :

> I have prepared a security update for Tomcat 8 fixing 7 CVEs. In
> addition I would like to fix #825786. We currently overwrite file
> permissions in /etc/tomcat8/ unconditionally which could break user
> specific changes on upgrade. The fix is to revert to default file
> permissions root:root (rw-r-r) and change only
> /etc/tomcat8/tomcat-users.xml.

Thank you for fixing the CVEs Markus, I was about to handle them.

Regarding #825786 I'm not sure about the suggested fix. Tomcat has to be
able to write to /etc/tomcat8/Catalina and the group change will prevent
that (the postinst script runs chmod 775 on /etc/tomcat8/Catalina).

Emmanuel Bourg

Reply to: