| Path | csiph.com!news.mixmin.net!aioe.org!bofh.it!news.nic.it!robomod |
|---|---|
| From | Emmanuel Bourg <ebourg@apache.org> |
| Newsgroups | linux.debian.maint.java |
| Subject | Re: Tomcat 8 security update |
| Date | Mon, 30 May 2016 01:10:01 +0200 |
| Message-ID | <rEi0h-4tt-1@gated-at.bofh.it> (permalink) |
| References | <rEhdU-3M0-21@gated-at.bofh.it> |
| X-Mailing-List | <debian-java@lists.debian.org> archive/latest/19470 |
| List-ID | <debian-java.lists.debian.org> |
| List-URL | <https://lists.debian.org/debian-java/> |
| List-Archive | https://lists.debian.org/msgid-search/5ebe4f0d-65b7-9470-bce8-25c50ef76fdf@apache.org |

On 30/05/2016 at 00:12, Markus Koschany wrote:
> I have prepared a security update for Tomcat 8 fixing 7 CVEs. In
> addition I would like to fix #825786. We currently overwrite file
> permissions in /etc/tomcat8/ unconditionally which could break user
> specific changes on upgrade. The fix is to revert to default file
> permissions root:root (rw-r-r) and change only
> /etc/tomcat8/tomcat-users.xml.

Thank you for fixing the CVEs Markus, I was about to handle them.

Regarding #825786 I'm not sure about the suggested fix. Tomcat has to be
able to write to /etc/tomcat8/Catalina and the group change will prevent
that (the postinst script runs chmod 775 on /etc/tomcat8/Catalina).

Emmanuel Bourg

Tomcat 8 security update Markus Koschany <apo@debian.org> - 2016-05-30 00:20 +0200
Re: Tomcat 8 security update Emmanuel Bourg <ebourg@apache.org> - 2016-05-30 01:10 +0200
Re: Tomcat 8 security update Markus Koschany <apo@debian.org> - 2016-05-30 01:30 +0200
Re: Tomcat 8 security update Emmanuel Bourg <ebourg@apache.org> - 2016-05-30 08:50 +0200
Re: Tomcat 8 security update Moritz Muehlenhoff <jmm@inutil.org> - 2016-05-30 09:00 +0200