
Re: On tomcat FTBFS.



Am 08.08.19 um 00:50 schrieb Sylvain Beucler:
> Hi,
> 
> So I reworked CVE-2017-5647, which involved 5 new commits related to
> non-blocking I/O (NIO2 and COMET).
> Stable build.
> 
> Then I got upstream to renew their new certs that were expiring tomorrow (!)
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63648
> and had to fix-up the SSL client tests accordingly (new client DN).
> 
> At last we have a working package that passes the testsuite.
> How would you smoke-test it?
> https://www.beuc.net/tmp/debian-lts/tomcat8/

You can safely ignore all SSL test failures. I suggest you compare the
output of the current Tomcat release with the output after you have
fixed the newly reported CVE. If you discover new test failures
unrelated to the current ones, then it deserves further investigation.
After that you can simply run DEB_BUILD_OPTIONS=nocheck to avoid the
FTBFS. Another option is to upgrade to the latest stable release in case
the changes are too complex and a backport is becoming more and more
time consuming. Please note that I fixed CVE-2017-5647 2.5 years
ago as a member of the Java team. I don't believe that the new commits
are directly related to CVE-2017-5647. This appears to be a bug that was
always present and was only fixed after Jessie became stable.

Testing the server works similarly to testing the Apache web server.
Install Tomcat and the examples and check whether simple web
applications work. Find a more complex web application and configure the
server to use NIO/BIO depending on what was fixed or changed regarding
the CVE. You can only reproduce certain issues if the connector is
configured correctly.

Bonus points if you or Abhijith send your changes to the Java team, so
that we can incorporate them into Git.

Regards,

Markus

Attachment: signature.asc
Description: OpenPGP digital signature
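The two steps Markus describes, comparing the test results of the baseline and the patched build while ignoring the SSL tests, and switching the connector to the I/O model the CVE concerns, as a shell script. This is an added example and is not code from the mail, from the Debian tomcat8 package or from Tomcat itself. The "name: PASS|FAIL" result listings and the server.xml fragment are constructed sample input; the protocol class names are the ones Tomcat 8.0 ships for its BIO, NIO and NIO2 connectors.

```shell
#!/bin/sh
# Added example (not from the original mail or the tomcat8 package).
#  1. new_failures:  tests that FAIL in the patched build but not in the
#     baseline build, with SSL tests ignored as suggested in the thread.
#  2. set_connector_protocol:  rewrite the HTTP Connector in server.xml to an
#     explicit BIO / NIO / NIO2 protocol class so the connector under test is
#     really the one the CVE fix touches.
# Once the new failures are understood, the package itself is built with
#   DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -us -uc -b   (not run here).
set -eu

# Constructed result listings, one "TestName: PASS|FAIL" per line, as you
# might condense out of the two junit runs.
BASELINE='TestAbstractProtocol: PASS
TestSsl: FAIL
TestCustomSsl: FAIL
TestNio2: PASS
TestCometProcessor: PASS'

PATCHED='TestAbstractProtocol: PASS
TestSsl: FAIL
TestCustomSsl: FAIL
TestNio2: FAIL
TestCometProcessor: PASS'

# Constructed server.xml fragment (Tomcat 8.0 layout).
SERVER_XML='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>'

# Print the names of tests that fail in listing $2 but passed in listing $1.
# SSL tests are skipped because their failures are expected (expired certs).
new_failures() {
    base_fail=$(printf '%s\n' "$1" | grep ': FAIL$' | cut -d: -f1)
    printf '%s\n' "$2" | grep ': FAIL$' | cut -d: -f1 | while read -r name; do
        case "$name" in *Ssl*|*SSL*) continue ;; esac
        printf '%s\n' "$base_fail" | grep -Fqx "$name" || printf '%s\n' "$name"
    done
}

# Rewrite the protocol attribute of every <Connector> line in server.xml text
# $2 to the Tomcat 8.0 class for $1 (bio|nio|nio2) and print the result.
set_connector_protocol() {
    case "$1" in
        bio)  cls=org.apache.coyote.http11.Http11Protocol ;;
        nio)  cls=org.apache.coyote.http11.Http11NioProtocol ;;
        nio2) cls=org.apache.coyote.http11.Http11Nio2Protocol ;;
        *)    echo "unknown connector type: $1 (use bio, nio or nio2)" >&2; return 1 ;;
    esac
    printf '%s\n' "$2" | sed "/<Connector /s|protocol=\"[^\"]*\"|protocol=\"$cls\"|"
}

echo "New failures in the patched build (SSL tests ignored):"
new_failures "$BASELINE" "$PATCHED"
echo "server.xml with the NIO connector:"
set_connector_protocol nio "$SERVER_XML"
```

With real builds, produce the two listings by grepping the junit report directories of the unpatched and patched trees (the Debian build writes them under output/build/logs in the source tree) into the "name: PASS|FAIL" shape before feeding them to new_failures; on a live install, write the output of set_connector_protocol back to /etc/tomcat8/server.xml and restart the service before exercising the examples webapp.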

