Bug#929908: unblock: tomcat9/9.0.16-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi,
This is a pre-upload request to unblock tomcat9/9.0.16-4.
This update fixes:
- a minor security issue (CVE-2019-0221, see #929895)
- a startup failure on the architectures supporting only the Zero VM (#925928)
- the variable enabling the security manager that wasn't properly
renamed in the startup script
- a couple of regressions compared to the old tomcat8 package that were
caused by the transition to systemd (variable expansion no longer working
in /etc/default/tomcat9, wrong permissions on the log directory)
This update doesn't implement the sysvinit script that was discussed
in #925473; this may be reconsidered in a later point release after
sufficient testing in unstable.
Thank you,
Emmanuel Bourg
unblock tomcat9/9.0.16-4
diff -Nru tomcat9-9.0.16/debian/changelog tomcat9-9.0.16/debian/changelog
--- tomcat9-9.0.16/debian/changelog 2019-02-26 09:31:13.000000000 +0100
+++ tomcat9-9.0.16/debian/changelog 2019-06-03 00:44:27.000000000 +0200
@@ -1,3 +1,26 @@
+tomcat9 (9.0.16-4) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Emmanuel Bourg ]
+ * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data
+ without escaping and is, therefore, vulnerable to XSS. SSI is disabled
+ by default (Closes: #929895)
+
+ [ Thorsten Glaser ]
+ * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
+ a suitable GC automatically anyway (Closes: #925928)
+ * Correct the ownership and permissions on the log directory:
+ group adm and setgid (Closes: #925929)
+ * Make the startup script honour the (renamed) $SECURITY_MANAGER
+ * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
+ not executable as this is only ever sourced (makes no sense otherwise)
+
+ [ Christian Hänsel ]
+ * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319)
+
+ -- Emmanuel Bourg <ebourg@apache.org> Mon, 03 Jun 2019 00:44:27 +0200
+
tomcat9 (9.0.16-3) unstable; urgency=medium
* Removed read/write access to /var/lib/solr (Closes: #923299)
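Review bot: the $SECURITY_MANAGER changelog entry should also state that the accepted value changed together with the variable name (the start script now tests for "true" where it previously tested TOMCAT_SECURITY for "yes"); otherwise an administrator carrying over an old /etc/default/tomcat9 has no hint why the security manager stays off. A line saying that /etc/default/tomcat9 is now sourced by tomcat-start.sh instead of being read through EnvironmentFile= would likewise document how the variable-expansion regression was fixed.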
diff -Nru tomcat9-9.0.16/debian/default.template tomcat9-9.0.16/debian/default.template
--- tomcat9-9.0.16/debian/default.template 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/default.template 2019-06-02 23:05:39.000000000 +0200
@@ -3,9 +3,10 @@
# OpenJDK and the Oracle JDK are tried.
#JAVA_HOME=/usr/lib/jvm/java-8-openjdk
-# You may pass JVM startup parameters to Java here. If unset, the default
-# options will be: -Djava.awt.headless=true -XX:+UseG1GC
-JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+# You may pass JVM startup parameters to Java here. If you run Tomcat with
+# Java 8 instead of 9 or newer, add "-XX:+UseG1GC" to select a suitable GC.
+# If unset, the default options will be: -Djava.awt.headless=true
+JAVA_OPTS="-Djava.awt.headless=true"
# To enable remote debugging uncomment the following line.
# You will then be able to use a Java debugger on port 8000.
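Review bot: the new comment advises adding "-XX:+UseG1GC" when running on Java 8, but that is the very option removed because it breaks startup on architectures that only provide the Zero VM (#925928); qualify the advice (for example "if your JVM supports the G1 collector") so the hint does not reintroduce the failure this upload fixes.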
diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh
--- tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-06-03 00:44:27.000000000 +0200
@@ -1,4 +1,3 @@
-#!/bin/sh
#
# Script looking for a Java runtime suitable for running Tomcat
#
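Review bot: dropping the shebang matches the file only ever being sourced, but the changelog also promises making it non-executable, and a mode change is not visible in diff -Nru output; confirm the installed mode separately, and consider a first-line comment stating that the file must be sourced, not executed, so the shebang is not reinstated later.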
diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-start.sh tomcat9-9.0.16/debian/libexec/tomcat-start.sh
--- tomcat9-9.0.16/debian/libexec/tomcat-start.sh 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/libexec/tomcat-start.sh 2019-06-03 00:44:27.000000000 +0200
@@ -5,6 +5,9 @@
set -e
+# Load the service settings
+. /etc/default/tomcat9
+
# Find the Java runtime and set JAVA_HOME
. /usr/libexec/tomcat9/tomcat-locate-java.sh
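Review bot: `. /etc/default/tomcat9` runs under `set -e` with no existence check, so a missing or unreadable file now aborts startup, whereas the unit's former `EnvironmentFile=-/etc/default/tomcat9` treated the file as optional (the leading dash). Suggest `if [ -r /etc/default/tomcat9 ]; then . /etc/default/tomcat9; fi` to keep it optional.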
@@ -15,7 +18,7 @@
# Enable the Java security manager?
SECURITY=""
-[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"
+[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"
# Start Tomcat
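Review bot: besides the rename, the accepted value changes from "yes" to "true", and any other spelling (including an old `TOMCAT_SECURITY=yes` left in /etc/default/tomcat9) silently leaves the security manager disabled; since this setting fails open, consider accepting both `true` and `yes` here, or at least document the exact expected value next to the variable in default.template.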
diff -Nru tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch
--- tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch 1970-01-01 01:00:00.000000000 +0100
+++ tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch 2019-06-03 00:44:27.000000000 +0200
@@ -0,0 +1,16 @@
+Description: Fixes CVE-2019-0221: The SSI printenv command echoes user provided
+ data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by
+ default.
+Origin: upstream, https://github.com/apache/tomcat/commit/15fcd16
+--- a/java/org/apache/catalina/ssi/SSIPrintenv.java
++++ b/java/org/apache/catalina/ssi/SSIPrintenv.java
+@@ -41,8 +41,7 @@
+ } else {
+ Collection<String> variableNames = ssiMediator.getVariableNames();
+ for (String variableName : variableNames) {
+- String variableValue = ssiMediator
+- .getVariableValue(variableName);
++ String variableValue = ssiMediator.getVariableValue(variableName, "entity");
+ //This shouldn't happen, since all the variable names must
+ // have values
+ if (variableValue == null) {
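Review bot: the patch switches to the two-argument `ssiMediator.getVariableValue(variableName, "entity")` but only touches SSIPrintenv.java, so confirm that SSIMediator in 9.0.16 already provides that overload; if the upstream commit also changed SSIMediator, that part is missing here. Adding a `Bug-Debian: https://bugs.debian.org/929895` header to the DEP-3 block would also keep the patch traceable.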
diff -Nru tomcat9-9.0.16/debian/patches/series tomcat9-9.0.16/debian/patches/series
--- tomcat9-9.0.16/debian/patches/series 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/patches/series 2019-06-03 00:44:27.000000000 +0200
@@ -11,3 +11,4 @@
0024-systemd-log-formatter.patch
0025-invalid-configuration-exit-status.patch
0026-easymock4-compatibility.patch
+CVE-2019-0221.patch
diff -Nru tomcat9-9.0.16/debian/setenv.sh tomcat9-9.0.16/debian/setenv.sh
--- tomcat9-9.0.16/debian/setenv.sh 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/setenv.sh 2019-06-02 23:05:39.000000000 +0200
@@ -8,5 +8,5 @@
# Default Java options
if [ -z "$JAVA_OPTS" ]; then
- JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+ JAVA_OPTS="-Djava.awt.headless=true"
fi
diff -Nru tomcat9-9.0.16/debian/tomcat9.postinst tomcat9-9.0.16/debian/tomcat9.postinst
--- tomcat9-9.0.16/debian/tomcat9.postinst 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.postinst 2019-06-03 00:44:27.000000000 +0200
@@ -63,8 +63,10 @@
chmod 775 /var/lib/tomcat9/webapps
# Grant read/write access to tomcat to the log and cache directories
- chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/log/tomcat9/ /var/cache/tomcat9/
- chmod 750 /var/log/tomcat9/ /var/cache/tomcat9/
+ chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/
+ chmod 2750 /var/log/tomcat9/
+ chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/
+ chmod 750 /var/cache/tomcat9/
;;
esac
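Review bot: `chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/` recurses into a directory the tomcat user can write to (it owns it with mode 2750), so every package configure re-owns whatever entries currently exist there; prefer applying chown and chmod to the directory itself only, and quote `$TOMCAT_USER`. Note also that the new tomcat9.tmpfile entry (`d /var/log/tomcat9 2750 tomcat adm -`) already expresses the same ownership and mode, so the postinst now duplicates it.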
diff -Nru tomcat9-9.0.16/debian/tomcat9.service tomcat9-9.0.16/debian/tomcat9.service
--- tomcat9-9.0.16/debian/tomcat9.service 2019-02-26 09:30:59.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.service 2019-06-03 00:44:27.000000000 +0200
@@ -14,7 +14,6 @@
Environment="CATALINA_BASE=/var/lib/tomcat9"
Environment="CATALINA_TMPDIR=/tmp"
Environment="JAVA_OPTS=-Djava.awt.headless=true"
-EnvironmentFile=-/etc/default/tomcat9
# Lifecycle
Type=simple
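Review bot: with EnvironmentFile= removed, systemd no longer reads /etc/default/tomcat9 at all; it is only sourced by tomcat-start.sh, so its values reach the start script and the JVM but not any unit-level setting. The header comment of default.template should say so, since the old mechanism and its limitation (no shell expansion) no longer apply.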
@@ -32,13 +31,13 @@
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
-LogsDirectory=tomcat9
-LogsDirectoryMode=750
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
+ReadWritePaths=/var/log/tomcat9/
+RequiresMountsFor=/var/log/tomcat9
[Install]
WantedBy=multi-user.target
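Review bot: a short comment in the unit explaining why LogsDirectory= was replaced by the tmpfiles entry plus ReadWritePaths=/var/log/tomcat9/ would prevent a later cleanup from reinstating it: LogsDirectory= creates the directory owned by the unit's User/Group, which cannot express the group adm and setgid layout now required (#925929). Also make sure the directory exists before the first start after installation, because under ProtectSystem=strict only the listed path is writable and nothing creates it at unit level any more.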
diff -Nru tomcat9-9.0.16/debian/tomcat9.tmpfile tomcat9-9.0.16/debian/tomcat9.tmpfile
--- tomcat9-9.0.16/debian/tomcat9.tmpfile 1970-01-01 01:00:00.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.tmpfile 2019-06-03 00:44:27.000000000 +0200
@@ -0,0 +1,6 @@
+# Tomcat log directory permissions
+
+# See tmpfiles.d(5) for details
+
+# Type Path Mode UID GID Age Argument
+d /var/log/tomcat9 2750 tomcat adm -
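Review bot: the entry hard-codes the user `tomcat` while tomcat9.postinst uses `$TOMCAT_USER`; if the two ever differ, ownership will alternate between tmpfiles runs and package configure. Either derive both from the same place or add a comment that they must stay in sync.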