>> [ I contacted t...@security.debian.org about this, but no response ... ]
> ... Please send them to the security team
> first and not to a public mailing list.
I did. They did not reply within what seemed a reasonable timeframe.
>> Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so...
> No, we did not modify this part in /etc/init.d/tomcat8. ...
Whoops, sorry, you are right. Now checking, I do not see how I got
confused. This is a separate, maybe new issue.
> ... more information and a working proof
> of concept code are appreciated. ...
Maybe the security team will understand (recognize, accept) the issue
without a PoC. If they reply with such a need, then I will write one.
You or they might accept the suggested patch/fix: mkdir without -p,
chown with -h.
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia