
Bug#929908: marked as done (unblock: tomcat9/9.0.16-4)



Your message dated Sat, 15 Jun 2019 10:27:42 +0200
with message-id <c92d3e07-91b4-5d20-101e-cff49ff77e42@debian.org>
and subject line Re: Bug#929908: unblock: tomcat9/9.0.16-4
has caused the Debian Bug report #929908,
regarding unblock: tomcat9/9.0.16-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929908: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929908
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

This is a pre-upload request to unblock tomcat9/9.0.16-4.

This update fixes:
- a minor security issue (CVE-2019-0221, see #929895)
- a startup failure on the architectures supporting only the Zero VM (#925928)
- the variable enabling the security manager that wasn't properly
  renamed in the startup script
- a couple of regressions compared to the old tomcat8 package that were
  caused by the transition to systemd (variable expansion no longer working
  in /etc/default/tomcat9, wrong permissions on the log directory)

This update doesn't implement the sysvinit script that was discussed
in #925473; this may be reconsidered in a later point release after
sufficient testing in unstable.

Thank you,

Emmanuel Bourg


unblock tomcat9/9.0.16-4



diff -Nru tomcat9-9.0.16/debian/changelog tomcat9-9.0.16/debian/changelog
--- tomcat9-9.0.16/debian/changelog     2019-02-26 09:31:13.000000000 +0100
+++ tomcat9-9.0.16/debian/changelog     2019-06-03 00:44:27.000000000 +0200
@@ -1,3 +1,26 @@
+tomcat9 (9.0.16-4) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Emmanuel Bourg ]
+  * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data
+    without escaping and is, therefore, vulnerable to XSS. SSI is disabled
+    by default (Closes: #929895)
+
+  [ Thorsten Glaser ]
+  * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
+    a suitable GC automatically anyway (Closes: #925928)
+  * Correct the ownership and permissions on the log directory:
+    group adm and setgid (Closes: #925929)
+  * Make the startup script honour the (renamed) $SECURITY_MANAGER
+  * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
+    not executable as this is only ever sourced (makes no sense otherwise)
+
+  [ Christian Hänsel ]
+  * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319)
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Mon, 03 Jun 2019 00:44:27 +0200
+
 tomcat9 (9.0.16-3) unstable; urgency=medium

   * Removed read/write access to /var/lib/solr (Closes: #923299)
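Review bot: the entry "Make the startup script honour the (renamed) $SECURITY_MANAGER" names neither the old variable nor a bug number, so an administrator whose TOMCAT_SECURITY=yes quietly stops taking effect after the upgrade cannot find the reason by reading the changelog. Spell out the rename ("TOMCAT_SECURITY=yes is now SECURITY_MANAGER=true", matching the tomcat-start.sh hunk below) and consider a debian/NEWS entry, since this is a behaviour change that affects a security setting.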
diff -Nru tomcat9-9.0.16/debian/default.template tomcat9-9.0.16/debian/default.template
--- tomcat9-9.0.16/debian/default.template      2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/default.template      2019-06-02 23:05:39.000000000 +0200
@@ -3,9 +3,10 @@
 # OpenJDK and the Oracle JDK are tried.
 #JAVA_HOME=/usr/lib/jvm/java-8-openjdk

-# You may pass JVM startup parameters to Java here. If unset, the default
-# options will be: -Djava.awt.headless=true -XX:+UseG1GC
-JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+# You may pass JVM startup parameters to Java here. If you run Tomcat with
+# Java 8 instead of 9 or newer, add "-XX:+UseG1GC" to select a suitable GC.
+# If unset, the default options will be: -Djava.awt.headless=true
+JAVA_OPTS="-Djava.awt.headless=true"

 # To enable remote debugging uncomment the following line.
 # You will then be able to use a Java debugger on port 8000.
diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh
--- tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-06-03 00:44:27.000000000 +0200
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Script looking for a Java runtime suitable for running Tomcat
 #
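Review bot: with the shebang and the executable bit gone, the header comment that remains ("Script looking for a Java runtime suitable for running Tomcat") should also say that this file is only ever sourced by tomcat-start.sh and must not be run directly; otherwise the next person to touch it is likely to restore exactly what this hunk removes.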
diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-start.sh tomcat9-9.0.16/debian/libexec/tomcat-start.sh
--- tomcat9-9.0.16/debian/libexec/tomcat-start.sh       2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/libexec/tomcat-start.sh       2019-06-03 00:44:27.000000000 +0200
@@ -5,6 +5,9 @@

 set -e

+# Load the service settings
+. /etc/default/tomcat9
+
 # Find the Java runtime and set JAVA_HOME
 . /usr/libexec/tomcat9/tomcat-locate-java.sh
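Review bot: `. /etc/default/tomcat9` runs under the `set -e` three lines above with no check that the file exists or is readable, so if an administrator deletes this conffile (dpkg does not recreate a conffile the admin removed) the dot command fails and the service no longer starts; guard it with `[ -r /etc/default/tomcat9 ] && . /etc/default/tomcat9`, or make the intended failure mode explicit. Note also that the file is now executed as shell code instead of being parsed as KEY=VALUE pairs by systemd: that is what restores the variable expansion for #926319, but it also means anything written in that file runs at every service start, which deserves a sentence in default.template.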

@@ -15,7 +18,7 @@

 # Enable the Java security manager?
 SECURITY=""
-[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"
+[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"


 # Start Tomcat
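Review bot: the replaced test silently ignores the old setting: a system that still carries TOMCAT_SECURITY=yes in /etc/default/tomcat9 will start without the security manager and nothing will say why, which is a quiet security downgrade on upgrade. Either honour both names for one release, e.g. `[ "$SECURITY_MANAGER" = "true" ] || [ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"`, or at least print a warning when TOMCAT_SECURITY is set. The comparison is also case-sensitive ("True" or "yes" will not enable it), which the template comment for SECURITY_MANAGER should state.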
diff -Nru tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch
--- tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch   1970-01-01 01:00:00.000000000 +0100
+++ tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch   2019-06-03 00:44:27.000000000 +0200
@@ -0,0 +1,16 @@
+Description: Fixes CVE-2019-0221: The SSI printenv command echoes user provided
+ data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by
+ default.
+Origin: upstream, https://github.com/apache/tomcat/commit/15fcd16
+--- a/java/org/apache/catalina/ssi/SSIPrintenv.java
++++ b/java/org/apache/catalina/ssi/SSIPrintenv.java
+@@ -41,8 +41,7 @@
+         } else {
+             Collection<String> variableNames = ssiMediator.getVariableNames();
+             for (String variableName : variableNames) {
+-                String variableValue = ssiMediator
+-                        .getVariableValue(variableName);
++                String variableValue = ssiMediator.getVariableValue(variableName, "entity");
+                 //This shouldn't happen, since all the variable names must
+                 // have values
+                 if (variableValue == null) {
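Review bot: the DEP-3 header of this new patch file has Description and Origin but no `Bug-Debian: https://bugs.debian.org/929895` line, even though the changelog closes that bug, and Origin references only an abbreviated commit hash; add Bug-Debian and use the full upstream hash so the reference stays unambiguous. The sentence "SSI is disabled by default" in Description is a mitigation note rather than part of the vulnerability description and reads better as its own sentence.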
diff -Nru tomcat9-9.0.16/debian/patches/series tomcat9-9.0.16/debian/patches/series
--- tomcat9-9.0.16/debian/patches/series        2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/patches/series        2019-06-03 00:44:27.000000000 +0200
@@ -11,3 +11,4 @@
 0024-systemd-log-formatter.patch
 0025-invalid-configuration-exit-status.patch
 0026-easymock4-compatibility.patch
+CVE-2019-0221.patch
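Review bot: the three existing entries visible in this hunk follow a 00NN-description.patch numbering, and CVE-2019-0221.patch breaks that sequence; naming it 0027-CVE-2019-0221.patch keeps the application order visible both in series and in a plain listing of debian/patches.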
diff -Nru tomcat9-9.0.16/debian/setenv.sh tomcat9-9.0.16/debian/setenv.sh
--- tomcat9-9.0.16/debian/setenv.sh     2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/setenv.sh     2019-06-02 23:05:39.000000000 +0200
@@ -8,5 +8,5 @@

 # Default Java options
 if [ -z "$JAVA_OPTS" ]; then
-       JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+       JAVA_OPTS="-Djava.awt.headless=true"
 fi
diff -Nru tomcat9-9.0.16/debian/tomcat9.postinst tomcat9-9.0.16/debian/tomcat9.postinst
--- tomcat9-9.0.16/debian/tomcat9.postinst      2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.postinst      2019-06-03 00:44:27.000000000 +0200
@@ -63,8 +63,10 @@
        chmod 775 /var/lib/tomcat9/webapps

        # Grant read/write access to tomcat to the log and cache directories
-       chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/log/tomcat9/ /var/cache/tomcat9/
-       chmod 750 /var/log/tomcat9/ /var/cache/tomcat9/
+       chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/
+       chmod 2750 /var/log/tomcat9/
+       chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/
+       chmod 750 /var/cache/tomcat9/
     ;;
 esac
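Review bot: `chown -Rh` recurses but `chmod 2750` applies only to /var/log/tomcat9 itself, so any subdirectory that already exists under it keeps its old mode and does not get the setgid bit, and files created inside it will not inherit group adm. Either state in the comment that only the top level is meant to be setgid, or apply the mode to directories recursively with `find /var/log/tomcat9 -type d -exec chmod 2750 {} +`. The same owner, group and mode are now also declared in tomcat9.tmpfile; keeping one of the two places authoritative avoids the two drifting apart in a later upload.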

diff -Nru tomcat9-9.0.16/debian/tomcat9.service tomcat9-9.0.16/debian/tomcat9.service
--- tomcat9-9.0.16/debian/tomcat9.service       2019-02-26 09:30:59.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.service       2019-06-03 00:44:27.000000000 +0200
@@ -14,7 +14,6 @@
 Environment="CATALINA_BASE=/var/lib/tomcat9"
 Environment="CATALINA_TMPDIR=/tmp"
 Environment="JAVA_OPTS=-Djava.awt.headless=true"
-EnvironmentFile=-/etc/default/tomcat9

 # Lifecycle
 Type=simple
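Review bot: with EnvironmentFile= removed, the `Environment="JAVA_OPTS=-Djava.awt.headless=true"` line kept at the top of this hunk is dead configuration: tomcat-start.sh now sources /etc/default/tomcat9, whose template sets JAVA_OPTS unconditionally, and setenv.sh supplies the same default when JAVA_OPTS is empty. Drop it from the unit so the default lives in one place, or leave a comment saying it is always overridden.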
@@ -32,13 +31,13 @@
 PrivateTmp=yes
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
-LogsDirectory=tomcat9
-LogsDirectoryMode=750
 CacheDirectory=tomcat9
 CacheDirectoryMode=750
 ProtectSystem=strict
 ReadWritePaths=/etc/tomcat9/Catalina/
 ReadWritePaths=/var/lib/tomcat9/webapps/
+ReadWritePaths=/var/log/tomcat9/
+RequiresMountsFor=/var/log/tomcat9

 [Install]
 WantedBy=multi-user.target
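Review bot: removing LogsDirectory= means systemd no longer creates /var/log/tomcat9 or corrects its mode at service start; the directory now depends entirely on the postinst chown/chmod and on the new tmpfiles.d snippet being applied with `systemd-tmpfiles --create` before the first start, plus the ReadWritePaths entry added here to get through ProtectSystem=strict. Worth confirming that the postinst snippet debhelper generates for tomcat9.tmpfile runs before the service is (re)started on a fresh install. RequiresMountsFor=/var/log/tomcat9 is a sensible addition for systems with a separate /var/log mount.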
diff -Nru tomcat9-9.0.16/debian/tomcat9.tmpfile tomcat9-9.0.16/debian/tomcat9.tmpfile
--- tomcat9-9.0.16/debian/tomcat9.tmpfile       1970-01-01 01:00:00.000000000 +0100
+++ tomcat9-9.0.16/debian/tomcat9.tmpfile       2019-06-03 00:44:27.000000000 +0200
@@ -0,0 +1,6 @@
+# Tomcat log directory permissions
+
+# See tmpfiles.d(5) for details
+
+# Type Path        Mode UID    GID  Age Argument
+d /var/log/tomcat9 2750 tomcat adm  -
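Review bot: the line names user `tomcat` and group `adm`, so `systemd-tmpfiles --create` must run after the tomcat user exists, otherwise the user lookup fails and the directory is not created; check that the postinst creates the user before the debhelper-generated tmpfiles call. The header comment also lists an Argument column that the line leaves empty; either drop the column from the comment or fill it with `-` so the columns line up for the reader.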

--- End Message ---
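The variable expansion regression from the request above (#926319), as an added example that is not part of the bug report or the tomcat9 package: it writes a constructed /etc/default/tomcat9-style file to a temporary path and contrasts how systemd's EnvironmentFile= reading (emulated here as plain KEY=VALUE extraction with no $VAR expansion) and a shell `.` of the same file, as the patched tomcat-start.sh does, read JAVA_OPTS. The helper names and the sample file contents are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the tomcat9 package): why moving
# from EnvironmentFile= to sourcing /etc/default/tomcat9 restores $VAR expansion.
set -eu

# Write a constructed /etc/default/tomcat9-style file to the path given in $1.
write_sample_default() {
    cat > "$1" <<'EOF'
# constructed sample, mirrors the template's comment/assignment layout
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
JAVA_OPTS="-Djava.awt.headless=true -Djava.home=$JAVA_HOME"
EOF
}

# Emulate systemd's EnvironmentFile= reading of one key ($2) from file $1:
# last KEY=VALUE line wins, surrounding double quotes are stripped, and
# "$JAVA_HOME" stays literal because systemd performs no variable expansion.
envfile_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Read the same key the way tomcat-start.sh now does: source the file with
# the shell in a subshell, so the earlier JAVA_HOME assignment is expanded
# inside JAVA_OPTS (and so anything else in the file is executed as shell).
sourced_get() {
    ( . "$1"; eval "printf '%s' \"\$$2\"" )
}

# Self-check when run directly: print both readings side by side.
f=$(mktemp)
write_sample_default "$f"
printf 'EnvironmentFile= view: %s\n' "$(envfile_get "$f" JAVA_OPTS)"
printf 'sourced view:          %s\n' "$(sourced_get "$f" JAVA_OPTS)"
rm -f "$f"
```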
--- Begin Message ---
Hi,

On 14-06-2019 11:13, Emmanuel Bourg wrote:
> Thank you, the package has been uploaded.

Unblocked, thanks.

Paul



--- End Message ---
