
Bug#688720: unblock: tomcat6/6.0.35-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team:

Please unblock package tomcat6.  The upload of -5 addresses the priority
serious bug #687818 (postinst modifying conffile) and includes an update
to the README regarding CVE-2010-4312 (#608286).

The debdiff against the -4 package is attached; please let me know if you
have any concerns.

Thank you for your consideration (and tireless effort).
tony

unblock tomcat6/6.0.35-5
diff -Nru tomcat6-6.0.35/debian/changelog tomcat6-6.0.35/debian/changelog
--- tomcat6-6.0.35/debian/changelog	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/changelog	2012-09-24 19:40:54.000000000 -0700
@@ -1,3 +1,13 @@
+tomcat6 (6.0.35-5) unstable; urgency=low
+
+  * Apply patch to README.Debian to explain setting the HTTPOnly flag
+    in cookies by default; CVE-2010-4312. (Closes: #608286)
+    - Thank you to Thijs Kinkhorst for the patch.
+  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
+    updating the shipped conffile. (Closes: #687818)
+
+ -- tony mancill <tmancill@debian.org>  Mon, 06 Aug 2012 21:29:11 -0700
+
 tomcat6 (6.0.35-4) unstable; urgency=low
 
   [ tony mancill ]
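Review bot: the trailer date on the new entry (Mon, 06 Aug 2012) is about seven weeks older than the timestamps on every other file changed in this debdiff (2012-09-24), so it looks like a stale `dch` stamp; refresh it with `dch -r` before upload so the changelog reflects the actual upload date. The entry is otherwise fine: it names both bugs and the CVE, and the Closes: tags match the cover mail.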
diff -Nru tomcat6-6.0.35/debian/logrotate tomcat6-6.0.35/debian/logrotate
--- tomcat6-6.0.35/debian/logrotate	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/logrotate	1969-12-31 16:00:00.000000000 -0800
@@ -1,8 +0,0 @@
-/var/log/tomcat6/catalina.out {
-  copytruncate
-  weekly
-  rotate 52
-  compress
-  missingok
-  create 640 @@@TOMCAT6USER@@@ adm
-}
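Review bot: deleting debian/logrotate removes /etc/logrotate.d/tomcat6 from the package's dpkg conffile list, but dpkg keeps the file on disk and records it as an obsolete conffile, and the postinst in this debdiff then hands the same path to ucf. The handover works (ucf finds an existing file identical to the one it generates), but the obsolete entry stays in dpkg's status database and piuparts will flag it on upgrade from -4. Consider a `dpkg-maintscript-helper rm_conffile /etc/logrotate.d/tomcat6 6.0.35-5~ tomcat6` call in the maintainer scripts so the old conffile entry is retired cleanly before ucf takes over, or at least mention the dpkg-to-ucf transition in the changelog.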
diff -Nru tomcat6-6.0.35/debian/logrotate.md5sum tomcat6-6.0.35/debian/logrotate.md5sum
--- tomcat6-6.0.35/debian/logrotate.md5sum	1969-12-31 16:00:00.000000000 -0800
+++ tomcat6-6.0.35/debian/logrotate.md5sum	2012-09-24 19:40:54.000000000 -0700
@@ -0,0 +1 @@
+b5420492288987ba126ea151bd92852d  logrotate.template
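Review bot: this is a hand-maintained checksum of logrotate.template as shipped (the create line with the default user `tomcat6`); it will silently go stale the next time the template is edited, and a stale historical sum means ucf cannot recognise an untouched installed file as its own and will prompt the admin on upgrade. Either generate this file from the template at build time in debian/rules, or add a comment in the packaging stating how it is produced. Installations where TOMCAT6_USER was changed in /etc/default/tomcat6 will have a different file content than this hash; that is harmless here only because the postinst regenerates an identical file and ucf sees no difference, which is worth a sentence in the changelog or README.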
diff -Nru tomcat6-6.0.35/debian/logrotate.template tomcat6-6.0.35/debian/logrotate.template
--- tomcat6-6.0.35/debian/logrotate.template	1969-12-31 16:00:00.000000000 -0800
+++ tomcat6-6.0.35/debian/logrotate.template	2012-09-24 19:40:54.000000000 -0700
@@ -0,0 +1,8 @@
+/var/log/tomcat6/catalina.out {
+  copytruncate
+  weekly
+  rotate 52
+  compress
+  missingok
+  create 640 tomcat6 adm
+}
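Review bot: `create 640 tomcat6 adm` is dead configuration next to `copytruncate`: the logrotate(8) man page states that with copytruncate the old log file stays in place and the `create` option has no effect, so the ownership and mode of catalina.out come from the `chown`/`chmod` the postinst applies to /var/log/tomcat6, not from this line. Either drop `create` (which also makes the sed rewrite of it in the postinst unnecessary) or drop `copytruncate`, the latter only if the Tomcat process reopens its log after rotation, which a plain stdout redirect does not. This was already the case in the old debian/logrotate, so it is a pre-existing issue rather than a regression in -5.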
diff -Nru tomcat6-6.0.35/debian/README.Debian tomcat6-6.0.35/debian/README.Debian
--- tomcat6-6.0.35/debian/README.Debian	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/README.Debian	2012-09-24 19:40:54.000000000 -0700
@@ -25,6 +25,21 @@
     wish.  See the "man authbind" for information on configuring
     authbind.
 
+SECURITY:
+
+Tomcat 6 session cookies are sent with the httponly flag disabled by default.
+It is recommended as a proactive security measure to turn this setting on
+to mitigate cross site scripting attacks: httponly cookies cannot be 'stolen'
+via JavaScript, a common vector in such attacks.
+
+The httponly setting can be enabled by adding the useHttpOnly attribute
+to <Context> in /etc/tomcat6/context.xml:
+
+  <Context useHttpOnly="true">
+
+Httponly not being on by default is referred to as CVE-2010-4172.
+
+
 NEWS:
 
 tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low
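Review bot: the CVE in the last added sentence (CVE-2010-4172) does not match the identifier used in the changelog entry and the cover mail (CVE-2010-4312); make the two agree before upload. The `<Context useHttpOnly="true">` line also reads as if it replaced the whole element: say that the attribute is added to the existing `<Context>` start tag in /etc/tomcat6/context.xml, keeping whatever attributes are already there, and that Tomcat must be restarted for the change to take effect. It would also help to state the limit of the mitigation: HttpOnly keeps scripts from reading the session cookie, it does not prevent cross-site scripting itself. Minor: the hunk ends with two blank lines before `NEWS:` where one would do.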
diff -Nru tomcat6-6.0.35/debian/rules tomcat6-6.0.35/debian/rules
--- tomcat6-6.0.35/debian/rules	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/rules	2012-09-24 19:40:54.000000000 -0700
@@ -73,7 +73,6 @@
 	dh_testroot
 	dh_prep 
 	dh_installdirs
-	cp debian/logrotate debian/tomcat6/etc/logrotate.d/tomcat6
 
 binary-indep: build install
 	dh_testdir
diff -Nru tomcat6-6.0.35/debian/tomcat6.install tomcat6-6.0.35/debian/tomcat6.install
--- tomcat6-6.0.35/debian/tomcat6.install	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/tomcat6.install	2012-09-24 19:40:54.000000000 -0700
@@ -5,3 +5,5 @@
 debian/default_root /usr/share/tomcat6-root/
 debian/defaults.template /usr/share/tomcat6/
 debian/defaults.md5sum /usr/share/tomcat6/
+debian/logrotate.template /usr/share/tomcat6/
+debian/logrotate.md5sum /usr/share/tomcat6/
diff -Nru tomcat6-6.0.35/debian/tomcat6.postinst tomcat6-6.0.35/debian/tomcat6.postinst
--- tomcat6-6.0.35/debian/tomcat6.postinst	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/tomcat6.postinst	2012-09-24 19:40:54.000000000 -0700
@@ -4,6 +4,8 @@
 . /usr/share/debconf/confmodule
 TEMPLATE="/usr/share/tomcat6/defaults.template"
 CONFFILE="/etc/default/tomcat6"
+LR_TEMPLATE="/usr/share/tomcat6/logrotate.template"
+LR_CONFFILE="/etc/logrotate.d/tomcat6"
 JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC"
 
 case "$1" in
@@ -36,11 +38,12 @@
 	chown -R $TOMCAT6_USER:adm /var/log/tomcat6 /var/cache/tomcat6
 	chmod 750 /var/log/tomcat6 /var/cache/tomcat6
 
-  # replace the TOMCAT6USER token in /etc/logrotate.d/tomcat6 if it still contains the token
-  LOGROTATE_TOKEN="@@@TOMCAT6USER@@@"
-  if grep -q "$LOGROTATE_TOKEN" /etc/logrotate.d/tomcat6 ; then
-    sed --in-place "s/$LOGROTATE_TOKEN/$TOMCAT6_USER/" /etc/logrotate.d/tomcat6
-  fi
+	# populate /etc/logrotate.d/tomcat6
+	tmpfile=`mktemp /tmp/tomcat6.XXXXXXXXXX`
+	chmod 644 $tmpfile
+	cat $LR_TEMPLATE | sed "s%create 640 tomcat6 adm%create 640 $TOMCAT6_USER adm%" >> $tmpfile
+	ucf --debconf-ok --sum-file /usr/share/tomcat6/logrotate.md5sum $tmpfile $LR_CONFFILE
+	rm -f $tmpfile
 
 	# configuration files should not be modifiable by tomcat6 user, as this can be a security issue
 	# (an attacker may insert code in a webapp and have access to all tomcat configuration)
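Review bot: `$TOMCAT6_USER` is substituted unescaped into the sed replacement on the `cat $LR_TEMPLATE | sed ...` line; the value comes from the admin-editable /etc/default/tomcat6, so a value containing `%`, `&` or `\` (or an empty value) would break the expression or write a malformed `create` line into /etc/logrotate.d/tomcat6. Validate it before use, for example `case "$TOMCAT6_USER" in ''|*[!a-z0-9_-]*) echo "invalid TOMCAT6_USER" >&2; exit 1;; esac`. Smaller points: the append (`>>`) to a file that mktemp has just created empty can be a plain redirect, `sed "..." "$LR_TEMPLATE" > "$tmpfile"`, the `$tmpfile` expansions should be quoted, and the `chmod 644` on a root-owned temp file deserves a one-line comment stating the intended mode of the installed file. Switching the block from two-space to tab indentation to match the surrounding script is a welcome cleanup.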
diff -Nru tomcat6-6.0.35/debian/tomcat6.postrm tomcat6-6.0.35/debian/tomcat6.postrm
--- tomcat6-6.0.35/debian/tomcat6.postrm	2012-06-28 10:44:58.000000000 -0700
+++ tomcat6-6.0.35/debian/tomcat6.postrm	2012-09-24 19:40:54.000000000 -0700
@@ -4,6 +4,7 @@
 #DEBHELPER#
 
 CONFFILE=/etc/default/tomcat6
+LR_CONFFILE=/etc/logrotate.d/tomcat6
 
 # Remove cached files and auto-generated catalina.policy
 rm -rf /var/cache/tomcat6/*
@@ -47,8 +48,9 @@
         set +e
         if [ -x "/usr/bin/ucf" ]; then
             ucf --purge $CONFFILE
+            ucf --purge $LR_CONFFILE
         fi
-        rm -rf /var/log/tomcat6 /var/lib/tomcat6/temp $CONFFILE
+        rm -rf /var/log/tomcat6 /var/lib/tomcat6/temp $CONFFILE $LR_CONFFILE
         if [ -d "/var/lib/tomcat6" ] ; then
             rmdir --ignore-fail-on-non-empty /var/lib/tomcat6
         fi
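Review bot: `ucf --purge $LR_CONFFILE` followed by the `rm -rf` mirrors the existing handling of $CONFFILE, which is consistent. If the package ever registers ownership of these files with `ucfr` in the postinst, the matching `ucfr --purge tomcat6 $LR_CONFFILE` belongs in this branch as well. Note that dpkg still lists /etc/logrotate.d/tomcat6 as an obsolete conffile from -4 and will itself remove it on purge; that is harmless after this `rm`, but it is one more reason to retire the old conffile entry properly during the upgrade.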
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------
-rw-r--r--  root/root   /usr/share/tomcat6/logrotate.md5sum
-rw-r--r--  root/root   /usr/share/tomcat6/logrotate.template

Files in first .changes but not in second
-----------------------------------------
-rw-r--r--  root/root   /etc/logrotate.d/tomcat6

Control files of package libservlet2.4-java: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package libservlet2.5-java: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package libservlet2.5-java-doc: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package libtomcat6-java: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libecj-java, libcommons-dbcp-java, libcommons-pool-java, libservlet2.5-java (>= [-6.0.35-4)-] {+6.0.35-5)+}
Suggests: tomcat6 (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6: lines which differ (wdiff format)
-------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4),-] {+6.0.35-5),+} ucf, adduser, debconf (>= 0.5) | debconf-2.0
Suggests: tomcat6-docs (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-admin (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-examples (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-user (>= [-6.0.35-4),-] {+6.0.35-5),+} libtcnative-1
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-admin: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-common: lines which differ (wdiff format)
--------------------------------------------------------------------------
Depends: libtomcat6-java (>= [-6.0.35-4),-] {+6.0.35-5),+} default-jre-headless | java7-runtime-headless | java7-runtime | java6-runtime-headless | java6-runtime | java5-runtime
Installed-Size: [-114-] {+115+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-docs: lines which differ (wdiff format)
------------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-examples: lines which differ (wdiff format)
----------------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-extras: lines which differ (wdiff format)
--------------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}

Control files of package tomcat6-user: lines which differ (wdiff format)
------------------------------------------------------------------------
Depends: tomcat6-common (>= [-6.0.35-4),-] {+6.0.35-5),+} netcat
Suggests: tomcat6-docs (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-admin (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-examples (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6 (>= [-6.0.35-4)-] {+6.0.35-5)+}
Version: [-6.0.35-4-] {+6.0.35-5+}
