Groups > linux.debian.maint.java > #8961 > unrolled thread
| Started by | Markus Koschany <apo@gambaru.de> |
|---|---|
| First post | 2016-03-28 18:10 +0200 |
| Last post | 2016-04-16 16:50 +0200 |
| Articles | 5 — 3 participants |
Tomcat 7 security update Markus Koschany <apo@gambaru.de> - 2016-03-28 18:10 +0200
Re: Tomcat 7 security update Markus Koschany <apo@debian.org> - 2016-04-16 16:40 +0200
Re: Tomcat 7 security update Florian Weimer <fw@deneb.enyo.de> - 2016-04-16 20:00 +0200
Re: Tomcat 7 security update Markus Koschany <apo@debian.org> - 2016-04-17 14:50 +0200
Re: Tomcat 7 security update Florian Weimer <fw@deneb.enyo.de> - 2016-04-16 16:50 +0200
| From | Markus Koschany <apo@gambaru.de> |
|---|---|
| Date | 2016-03-28 18:10 +0200 |
| Subject | Tomcat 7 security update |
| Message-ID | <rhHTQ-ZO-19@gated-at.bofh.it> |

[first e-mail failed, attachment is compressed now]

Hello Security Team, hello Java Team

I have prepared security updates for Tomcat 7 fixing 9 CVEs in Wheezy and 7 CVEs in Jessie. I would be glad for any help with testing those patches. Apparently they pass the test suite but I am seeing a build failure in my cowbuilder environment due to other test failures that are also present in the actual Debian packages. I vaguely remember that we were facing a similar issue before. I wonder what I need to change in my environment to allow them to succeed because it obviously wasn't a problem when the last version was uploaded. I could successfully build the Wheezy version with debbuild but I had no luck with Jessie so far.

The changes are in Git now:

Jessie: https://anonscm.debian.org/cgit/pkg-java/tomcat7.git/commit/?h=jessie&id=3db3a3938950a9f8827ac0f90c109e04c2720328

Wheezy: https://anonscm.debian.org/cgit/pkg-java/tomcat7.git/commit/?h=wheezy&id=1bccc33dbbe97c6d5b6f2f538d3606251ee614fb

Regards,

Markus

Wheezy test failures:

TEST-org.apache.catalina.tribes.group.TestGroupChannelMemberArrival.BIO.txt: FAILED
TEST-org.apache.catalina.tribes.group.TestGroupChannelStartStop.NIO.txt: FAILED
TEST-org.apache.catalina.tribes.group.TestGroupChannelStartStop.NIO.txt: FAILED
TEST-org.apache.catalina.tribes.group.TestGroupChannelStartStop.BIO.txt: FAILED
TEST-org.apache.catalina.tribes.group.TestGroupChannelStartStop.BIO.txt: FAILED
TEST-org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.NIO.txt: FAILED
TEST-org.apache.catalina.tribes.group.TestGroupChannelMemberArrival.NIO.txt: FAILED
TEST-org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.BIO.txt: FAILED

Jessie test errors:

TEST-org.apache.catalina.authenticator.TestNonLoginAndBasicAuthenticator.NIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestNonLoginAndBasicAuthenticator.NIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestNonLoginAndBasicAuthenticator.NIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestSSOnonLoginAndBasicAuthenticator.NIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestSSOnonLoginAndBasicAuthenticator.NIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestSSOnonLoginAndBasicAuthenticator.NIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestNonLoginAndBasicAuthenticator.BIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestNonLoginAndBasicAuthenticator.BIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestNonLoginAndBasicAuthenticator.BIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestSSOnonLoginAndDigestAuthenticator.BIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestSSOnonLoginAndDigestAuthenticator.BIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestSSOnonLoginAndDigestAuthenticator.NIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestSSOnonLoginAndDigestAuthenticator.NIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestSSOnonLoginAndBasicAuthenticator.BIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestSSOnonLoginAndBasicAuthenticator.BIO.txt: Caused an ERROR
TEST-org.apache.catalina.authenticator.TestSSOnonLoginAndBasicAuthenticator.BIO.txt: Caused an ERROR

| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2016-04-16 16:40 +0200 |
| Message-ID | <rozy9-4VT-3@gated-at.bofh.it> |
| In reply to | #8961 |

On 16.04.2016 at 16:14, Florian Weimer wrote:

[...]

> Packaging-wise, the changes look okay. Could you please upload?

Uploaded to security-master.

Regards,

Markus

| From | Florian Weimer <fw@deneb.enyo.de> |
|---|---|
| Date | 2016-04-16 20:00 +0200 |
| Message-ID | <roCFI-7pv-11@gated-at.bofh.it> |
| In reply to | #9032 |

* Markus Koschany:

> On 16.04.2016 at 16:14, Florian Weimer wrote:
> [...]
>> Packaging-wise, the changes look okay. Could you please upload?
>
> Uploaded to security-master.

Have you tested these packages by running some real-world web application? Are they ready for release?

Thanks.

| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2016-04-17 14:50 +0200 |
| Message-ID | <roUjg-4lh-19@gated-at.bofh.it> |
| In reply to | #9035 |

On 16.04.2016 at 19:58, Florian Weimer wrote:

> * Markus Koschany:
>
>> On 16.04.2016 at 16:14, Florian Weimer wrote:
>> [...]
>>> Packaging-wise, the changes look okay. Could you please upload?
>>
>> Uploaded to security-master.
>
> Have you tested these packages by running some real-world web application? Are they ready for release? Thanks.

Yes, of course. That's what I tried to imply when I wrote "My other usage tests went fine" but I mostly rely on Tomcat's extensive test suite and the additional tests that were added for those bug fixes. I consider both packages to be ready to upload.

Markus

| From | Florian Weimer <fw@deneb.enyo.de> |
|---|---|
| Date | 2016-04-16 16:50 +0200 |
| Message-ID | <rozy9-4VT-5@gated-at.bofh.it> |
| In reply to | #8961 |

* Markus Koschany:

> On 28.03.2016 at 18:07, Markus Koschany wrote:
>> [first e-mail failed, attachment is compressed now]
>>
>> Hello Security Team, hello Java Team
>>
>> I have prepared security updates for Tomcat 7 fixing 9 CVEs in Wheezy and 7 CVEs in Jessie.
>
> Hi,
>
> since I haven't heard anything negative about the security update for Tomcat7 so far, I'm hereby sending you the final debdiffs for Wheezy and Jessie.
>
> After further investigation into the test failures I'm convinced now that they are unrelated to the update because they also occur with the current version and it seems they can be traced back to an update of OpenJDK 7. According to [1] the error is caused by stricter checking of values in cookie names. The error message is:
>
> Illegal character(s) in message header field: Cookie:

Yes, the test appears to be broken. I found this upstream commit:

------------------------------------------------------------------------
r1715547 | fschumacher | 2015-11-21 18:54:14 +0100 (Sat, 21 Nov 2015) | 4 lines

Don't add ":" to cookie name. It is illegal in newer jre.

Merge from r1715544 /tomcat/tc8.0.x/trunk

Packaging-wise, the changes look okay. Could you please upload?

Thanks,

Florian
