Re: Tomcat 8 security update

To: Markus Koschany <apo@debian.org>, "team@security.debian.org" <team@security.debian.org>
Cc: "debian-java@lists.debian.org" <debian-java@lists.debian.org>
Subject: Re: Tomcat 8 security update
From: Emmanuel Bourg <ebourg@apache.org>
Date: Mon, 30 May 2016 01:00:24 +0200
Message-id: <[🔎] 5ebe4f0d-65b7-9470-bce8-25c50ef76fdf@apache.org>
In-reply-to: <[🔎] 0ff46564-4292-c688-61fe-aa885f69c70d@debian.org>
References: <[🔎] 0ff46564-4292-c688-61fe-aa885f69c70d@debian.org>

Le 30/05/2016 à 00:12, Markus Koschany a écrit :

> I have prepared a security update for Tomcat 8 fixing 7 CVEs. In
> addition I would like to fix #825786. We currently overwrite file
> permissions in /etc/tomcat8/ unconditionally which could break user
> specific changes on upgrade. The fix is to revert to default file
> permissions root:root (rw-r-r) and change only
> /etc/tomcat8/tomcat-users.xml.

Thank you for fixing the CVEs Markus, I was about to handle them.

Regarding #825786 I'm not sure about the suggested fix. Tomcat has to be
able to write to /etc/tomcat8/Catalina and the group change will prevent
that (the postinst script runs chmod 775 on /etc/tomcat8/Catalina).

Emmanuel Bourg

Reply to:

Follow-Ups:
- Re: Tomcat 8 security update
  - From: Markus Koschany <apo@debian.org>

References:
- Tomcat 8 security update
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Tomcat 8 security update
Next by Date: Re: Tomcat 8 security update
Previous by thread: Tomcat 8 security update
Next by thread: Re: Tomcat 8 security update
Index(es):
- Date
- Thread