Your message dated Sat, 15 Jun 2019 10:27:42 +0200
with message-id <c92d3e07-91b4-5d20-101e-cff49ff77e42@debian.org>
and subject line Re: Bug#929908: unblock: tomcat9/9.0.16-4
has caused the Debian Bug report #929908,
regarding unblock: tomcat9/9.0.16-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
929908: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929908
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: tomcat9/9.0.16-4
- From: Emmanuel Bourg <ebourg@apache.org>
- Date: Mon, 03 Jun 2019 01:54:54 +0200
- Message-id: <155951969402.12473.5995302456837427990.reportbug@icare.ariane-software.com>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

This is a pre-upload request to unblock tomcat9/9.0.16-4. This update fixes:

- a minor security issue (CVE-2019-0221, see #929895)
- a startup failure on the architectures supporting only the Zero VM (#925928)
- the variable enabling the security manager that wasn't properly renamed in the startup script
- a couple of regressions compared to the old tomcat8 package that were caused by the transition to systemd (variable expansion no longer working in /etc/default/tomcat9, wrong permissions on the log directory)

This update doesn't implement the sysvinit script that was discussed in #925473; this may be reconsidered in a later point release after sufficient testing in unstable.

Thank you,
Emmanuel Bourg

unblock tomcat9/9.0.16-4

diff -Nru tomcat9-9.0.16/debian/changelog tomcat9-9.0.16/debian/changelog --- tomcat9-9.0.16/debian/changelog 2019-02-26 09:31:13.000000000 +0100 +++ tomcat9-9.0.16/debian/changelog 2019-06-03 00:44:27.000000000 +0200 
@@ -1,3 +1,26 @@ +tomcat9 (9.0.16-4) unstable; urgency=medium + + * Team upload. + + [ Emmanuel Bourg ] + * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data + without escaping and is, therefore, vulnerable to XSS. SSI is disabled + by default (Closes: #929895) + + [ Thorsten Glaser ] + * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses + a suitable GC automatically anyway (Closes: #925928) + * Correct the ownership and permissions on the log directory: + group adm and setgid (Closes: #925929) + * Make the startup script honour the (renamed) $SECURITY_MANAGER + * debian/libexec/tomcat-locate-java.sh: Remove shebang and make + not executable as this is only ever sourced (makes no sense otherwise) + + [ Christian Hänsel ] + * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319) + + -- Emmanuel Bourg <ebourg@apache.org> Mon, 03 Jun 2019 00:44:27 +0200 + tomcat9 (9.0.16-3) unstable; urgency=medium * Removed read/write access to /var/lib/solr (Closes: #923299) diff -Nru tomcat9-9.0.16/debian/default.template tomcat9-9.0.16/debian/default.template --- tomcat9-9.0.16/debian/default.template 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/default.template 2019-06-02 23:05:39.000000000 +0200 
@@ -3,9 +3,10 @@ # OpenJDK and the Oracle JDK are tried. #JAVA_HOME=/usr/lib/jvm/java-8-openjdk -# You may pass JVM startup parameters to Java here. If unset, the default -# options will be: -Djava.awt.headless=true -XX:+UseG1GC -JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC" +# You may pass JVM startup parameters to Java here. If you run Tomcat with +# Java 8 instead of 9 or newer, add "-XX:+UseG1GC" to select a suitable GC. +# If unset, the default options will be: -Djava.awt.headless=true +JAVA_OPTS="-Djava.awt.headless=true" # To enable remote debugging uncomment the following line. # You will then be able to use a Java debugger on port 8000. diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh --- tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-06-03 00:44:27.000000000 +0200 @@ -1,4 +1,3 @@ -#!/bin/sh # # Script looking for a Java runtime suitable for running Tomcat # diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-start.sh tomcat9-9.0.16/debian/libexec/tomcat-start.sh --- tomcat9-9.0.16/debian/libexec/tomcat-start.sh 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/libexec/tomcat-start.sh 2019-06-03 00:44:27.000000000 +0200 @@ -5,6 +5,9 @@ set -e +# Load the service settings +. /etc/default/tomcat9 + # Find the Java runtime and set JAVA_HOME . /usr/libexec/tomcat9/tomcat-locate-java.sh @@ -15,7 +18,7 @@ # Enable the Java security manager? SECURITY="" -[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security" +[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security" # Start Tomcat diff -Nru tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch --- tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch 1970-01-01 01:00:00.000000000 +0100 +++ tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch 2019-06-03 00:44:27.000000000 +0200 
@@ -0,0 +1,16 @@ +Description: Fixes CVE-2019-0221: The SSI printenv command echoes user provided + data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by + default. +Origin: upstream, https://github.com/apache/tomcat/commit/15fcd16 +--- a/java/org/apache/catalina/ssi/SSIPrintenv.java ++++ b/java/org/apache/catalina/ssi/SSIPrintenv.java +@@ -41,8 +41,7 @@ + } else { + Collection<String> variableNames = ssiMediator.getVariableNames(); + for (String variableName : variableNames) { +- String variableValue = ssiMediator +- .getVariableValue(variableName); ++ String variableValue = ssiMediator.getVariableValue(variableName, "entity"); + //This shouldn't happen, since all the variable names must + // have values + if (variableValue == null) { diff -Nru tomcat9-9.0.16/debian/patches/series tomcat9-9.0.16/debian/patches/series --- tomcat9-9.0.16/debian/patches/series 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/patches/series 2019-06-03 00:44:27.000000000 +0200 @@ -11,3 +11,4 @@ 0024-systemd-log-formatter.patch 0025-invalid-configuration-exit-status.patch 0026-easymock4-compatibility.patch +CVE-2019-0221.patch diff -Nru tomcat9-9.0.16/debian/setenv.sh tomcat9-9.0.16/debian/setenv.sh --- tomcat9-9.0.16/debian/setenv.sh 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/setenv.sh 2019-06-02 23:05:39.000000000 +0200 @@ -8,5 +8,5 @@ # Default Java options if [ -z "$JAVA_OPTS" ]; then - JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC" + JAVA_OPTS="-Djava.awt.headless=true" fi diff -Nru tomcat9-9.0.16/debian/tomcat9.postinst tomcat9-9.0.16/debian/tomcat9.postinst --- tomcat9-9.0.16/debian/tomcat9.postinst 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/tomcat9.postinst 2019-06-03 00:44:27.000000000 +0200 
@@ -63,8 +63,10 @@ chmod 775 /var/lib/tomcat9/webapps # Grant read/write access to tomcat to the log and cache directories - chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/log/tomcat9/ /var/cache/tomcat9/ - chmod 750 /var/log/tomcat9/ /var/cache/tomcat9/ + chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/ + chmod 2750 /var/log/tomcat9/ + chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/ + chmod 750 /var/cache/tomcat9/ ;; esac diff -Nru tomcat9-9.0.16/debian/tomcat9.service tomcat9-9.0.16/debian/tomcat9.service --- tomcat9-9.0.16/debian/tomcat9.service 2019-02-26 09:30:59.000000000 +0100 +++ tomcat9-9.0.16/debian/tomcat9.service 2019-06-03 00:44:27.000000000 +0200 @@ -14,7 +14,6 @@ Environment="CATALINA_BASE=/var/lib/tomcat9" Environment="CATALINA_TMPDIR=/tmp" Environment="JAVA_OPTS=-Djava.awt.headless=true" -EnvironmentFile=-/etc/default/tomcat9 # Lifecycle Type=simple @@ -32,13 +31,13 @@ PrivateTmp=yes AmbientCapabilities=CAP_NET_BIND_SERVICE NoNewPrivileges=true -LogsDirectory=tomcat9 -LogsDirectoryMode=750 CacheDirectory=tomcat9 CacheDirectoryMode=750 ProtectSystem=strict ReadWritePaths=/etc/tomcat9/Catalina/ ReadWritePaths=/var/lib/tomcat9/webapps/ +ReadWritePaths=/var/log/tomcat9/ +RequiresMountsFor=/var/log/tomcat9 [Install] WantedBy=multi-user.target diff -Nru tomcat9-9.0.16/debian/tomcat9.tmpfile tomcat9-9.0.16/debian/tomcat9.tmpfile --- tomcat9-9.0.16/debian/tomcat9.tmpfile 1970-01-01 01:00:00.000000000 +0100 +++ tomcat9-9.0.16/debian/tomcat9.tmpfile 2019-06-03 00:44:27.000000000 +0200 @@ -0,0 +1,6 @@ +# Tomcat log directory permissions + +# See tmpfiles.d(5) for details + +# Type Path Mode UID GID Age Argument +d /var/log/tomcat9 2750 tomcat adm -
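Review bot: in the tomcat-start.sh hunk (@@ -5,6 +5,9 @@), the new `. /etc/default/tomcat9` line is sourced unconditionally under `set -e`, so if the administrator has removed that conffile (a deletion dpkg preserves across upgrades) the start script aborts before it even reaches tomcat-locate-java.sh. The `EnvironmentFile=-/etc/default/tomcat9` line dropped from tomcat9.service tolerated a missing file (that is what the leading `-` means); keep that tolerance with something like `[ -r /etc/default/tomcat9 ] && . /etc/default/tomcat9`, which does not trip `set -e` when the test fails. A short comment that the file is now executed as shell by the service user rather than parsed by systemd would also help, since anything placed in it now runs with Tomcat's privileges.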
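Review bot: in the tomcat9.service hunk (@@ -32,13 +31,13 @@), `RequiresMountsFor=/var/log/tomcat9` is added next to the `ReadWritePaths=` lines, i.e. inside the [Service] section, but it is a [Unit] section directive; systemd logs an "Unknown key name" warning and ignores it, so the intended ordering after the mount is not enforced. Move it under [Unit]. Note also that with `LogsDirectory=`/`LogsDirectoryMode=` removed, creating and fixing up /var/log/tomcat9 now depends entirely on the postinst and the new tmpfiles.d entry; that is consistent with the 2750/adm change, but the unit no longer repairs a missing directory by itself.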
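Review bot: the DEP-3 header of debian/patches/CVE-2019-0221.patch has Description and Origin fields but no bug reference; since the changelog closes #929895 for this fix, add `Bug-Debian: https://bugs.debian.org/929895` so the patch carries its own tracking link. The code change itself matches the stated fix: the value is now fetched with `getVariableValue(variableName, "entity")`, so it is entity-encoded before printenv echoes it into the page, rather than emitted raw.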
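Review bot: in the default.template hunk (@@ -3,9 +3,10 @@), the reworded JAVA_OPTS comment is fine, but the file's header should also say that /etc/default/tomcat9 is now sourced as a shell fragment by the startup script (see the tomcat-start.sh hunk) instead of being read through systemd's `EnvironmentFile=`; that is what restores variable expansion (#926319) and it changes the quoting and expansion rules an administrator has to follow in this file.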
--- End Message ---
--- Begin Message ---
- To: Emmanuel Bourg <ebourg@apache.org>, 929908-done@bugs.debian.org
- Subject: Re: Bug#929908: unblock: tomcat9/9.0.16-4
- From: Paul Gevers <elbrus@debian.org>
- Date: Sat, 15 Jun 2019 10:27:42 +0200
- Message-id: <c92d3e07-91b4-5d20-101e-cff49ff77e42@debian.org>
- In-reply-to: <e98e22cf-cd0a-ebf5-cde6-e97cf97bb53f@apache.org>
- References: <155951969402.12473.5995302456837427990.reportbug@icare.ariane-software.com> <a125b244-48a1-174a-8724-34e67f0ebd57@debian.org> <155951969402.12473.5995302456837427990.reportbug@icare.ariane-software.com> <e98e22cf-cd0a-ebf5-cde6-e97cf97bb53f@apache.org>
Hi,

On 14-06-2019 11:13, Emmanuel Bourg wrote:
> Thank you, the package has been uploaded.

Unblocked, thanks.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---