Your message dated Sat, 15 Jun 2019 10:27:42 +0200
with message-id <[email protected]>
and subject line Re: Bug#929908: unblock: tomcat9/9.0.16-4
has caused the Debian Bug report #929908,
regarding unblock: tomcat9/9.0.16-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
929908: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929908
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi,
This is a pre-upload request to unblock tomcat9/9.0.16-4.
This update fixes:
- a minor security issue (CVE-2019-0221, see #929895)
- a startup failure on the architectures supporting only the Zero VM (#925928)
- the variable enabling the security manager that wasn't properly
renamed in the startup script
- a couple of regressions compared to the old tomcat8 package that were
caused by the transition to systemd (variable expansion no longer working
in /etc/default/tomcat9, wrong permissions on the log directory)
This update doesn't implement the sysvinit script that was discussed
in #925473; this may be reconsidered in a later point release after
sufficient testing in unstable.
Thank you,
Emmanuel Bourg
unblock tomcat9/9.0.16-4
diff -Nru tomcat9-9.0.16/debian/changelog tomcat9-9.0.16/debian/changelog
--- tomcat9-9.0.16/debian/changelog 2019-02-26 09:31:13.000000000 +0100
+++ tomcat9-9.0.16/debian/changelog 2019-06-03 00:44:27.000000000 +0200
@@ -1,3 +1,26 @@
+tomcat9 (9.0.16-4) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Emmanuel Bourg ]
+ * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data
+ without escaping and is, therefore, vulnerable to XSS. SSI is disabled
+ by default (Closes: #929895)
+
+ [ Thorsten Glaser ]
+ * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
+ a suitable GC automatically anyway (Closes: #925928)
+ * Correct the ownership and permissions on the log directory:
+ group adm and setgid (Closes: #925929)
+ * Make the startup script honour the (renamed) $SECURITY_MANAGER
+ * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
+ not executable as this is only ever sourced (makes no sense otherwise)
+
+ [ Christian Hänsel ]
+ * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319)
+
+ -- Emmanuel Bourg <[email protected]> Mon, 03 Jun 2019 00:44:27 +0200
+
tomcat9 (9.0.16-3) unstable; urgency=medium
* Removed read/write access to /var/lib/solr (Closes: #923299)
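Review bot: the log-directory entry under [ Thorsten Glaser ] should also say how the ownership is now enforced, since this upload drops LogsDirectory= from the unit and moves that job to a new tmpfiles.d snippet plus postinst; that is the part an administrator who customised the unit will notice. A NEWS entry for the /etc/default/tomcat9 change (the file is now sourced by the start script instead of being read by systemd as EnvironmentFile=) would also help, as the changelog line "Restored the variable expansion" does not tell users that the accepted syntax has changed.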
diff -Nru tomcat9-9.0.16/debian/default.template
tomcat9-9.0.16/debian/default.template
--- tomcat9-9.0.16/debian/default.template 2019-02-05 10:11:13.000000000
+0100
+++ tomcat9-9.0.16/debian/default.template 2019-06-02 23:05:39.000000000
+0200
@@ -3,9 +3,10 @@
# OpenJDK and the Oracle JDK are tried.
#JAVA_HOME=/usr/lib/jvm/java-8-openjdk
-# You may pass JVM startup parameters to Java here. If unset, the default
-# options will be: -Djava.awt.headless=true -XX:+UseG1GC
-JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+# You may pass JVM startup parameters to Java here. If you run Tomcat with
+# Java 8 instead of 9 or newer, add "-XX:+UseG1GC" to select a suitable GC.
+# If unset, the default options will be: -Djava.awt.headless=true
+JAVA_OPTS="-Djava.awt.headless=true"
# To enable remote debugging uncomment the following line.
# You will then be able to use a Java debugger on port 8000.
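Review bot: the new comment tells Java 8 users to add "-XX:+UseG1GC" back, but the reason the flag was removed (#925928) is that it breaks startup on architectures that only have the Zero VM, independently of the Java version. Suggest wording the hint so that it is not read as a blanket recommendation, e.g. "on a JVM that supports it, you may add -XX:+UseG1GC", so the failure this upload fixes is not reintroduced by following the comment.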
diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh
tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh
--- tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-02-05
10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-06-03
00:44:27.000000000 +0200
@@ -1,4 +1,3 @@
-#!/bin/sh
#
# Script looking for a Java runtime suitable for running Tomcat
#
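Review bot: the changelog says the file is also made non-executable, but `diff -Nru` cannot show a mode change, so the debdiff does not let the release team verify that part; please mention where the mode is set (debian/rules, dh_fixperms override or a chmod in the install step). Dropping the shebang is consistent with the file only ever being sourced from tomcat-start.sh.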
diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-start.sh
tomcat9-9.0.16/debian/libexec/tomcat-start.sh
--- tomcat9-9.0.16/debian/libexec/tomcat-start.sh 2019-02-05
10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/libexec/tomcat-start.sh 2019-06-03
00:44:27.000000000 +0200
@@ -5,6 +5,9 @@
set -e
+# Load the service settings
+. /etc/default/tomcat9
+
# Find the Java runtime and set JAVA_HOME
. /usr/libexec/tomcat9/tomcat-locate-java.sh
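Review bot: `. /etc/default/tomcat9` under `set -e` aborts the whole start if the file is missing or unreadable (a POSIX sh treats a failed `.` as fatal), whereas the EnvironmentFile=-/etc/default/tomcat9 line this replaces tolerated a missing file via its `-` prefix. Suggest `[ -r /etc/default/tomcat9 ] && . /etc/default/tomcat9`. Note also that sourcing executes the file as shell rather than parsing it as KEY=VALUE pairs, so it must stay root-owned and not writable by the service user; a syntax error in it now prevents Tomcat from starting.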
@@ -15,7 +18,7 @@
# Enable the Java security manager?
SECURITY=""
-[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"
+[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"
# Start Tomcat
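Review bot: switching the check from `$TOMCAT_SECURITY = "yes"` to `$SECURITY_MANAGER = "true"` means a site that still has TOMCAT_SECURITY=yes in its defaults file silently loses the security manager on upgrade, with nothing logged. Either accept both names for this release, e.g. `[ "$SECURITY_MANAGER" = "true" ] || [ "$TOMCAT_SECURITY" = "yes" ]`, or call the rename out in NEWS so the failure mode is visible to the administrator.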
diff -Nru tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch
tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch
--- tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch 1970-01-01
01:00:00.000000000 +0100
+++ tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch 2019-06-03
00:44:27.000000000 +0200
@@ -0,0 +1,16 @@
+Description: Fixes CVE-2019-0221: The SSI printenv command echoes user provided
+ data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by
+ default.
+Origin: upstream, https://github.com/apache/tomcat/commit/15fcd16
+--- a/java/org/apache/catalina/ssi/SSIPrintenv.java
++++ b/java/org/apache/catalina/ssi/SSIPrintenv.java
+@@ -41,8 +41,7 @@
+ } else {
+ Collection<String> variableNames = ssiMediator.getVariableNames();
+ for (String variableName : variableNames) {
+- String variableValue = ssiMediator
+- .getVariableValue(variableName);
++ String variableValue =
ssiMediator.getVariableValue(variableName, "entity");
+ //This shouldn't happen, since all the variable names must
+ // have values
+ if (variableValue == null) {
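Review bot: the DEP-3 header is missing a Bug-Debian: https://bugs.debian.org/929895 field and gives only the abbreviated upstream commit id; please use the full hash (or add Applied-Upstream: with the fixed version) so the origin stays unambiguous. The change itself is as upstream: the printenv output now goes through the "entity" encoding of getVariableValue, so values are HTML-escaped before being echoed, which is what closes the reflected XSS; SSI being disabled by default limits exposure to sites that enabled it.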
diff -Nru tomcat9-9.0.16/debian/patches/series
tomcat9-9.0.16/debian/patches/series
--- tomcat9-9.0.16/debian/patches/series 2019-02-05 10:11:13.000000000
+0100
+++ tomcat9-9.0.16/debian/patches/series 2019-06-03 00:44:27.000000000
+0200
@@ -11,3 +11,4 @@
0024-systemd-log-formatter.patch
0025-invalid-configuration-exit-status.patch
0026-easymock4-compatibility.patch
+CVE-2019-0221.patch
diff -Nru tomcat9-9.0.16/debian/setenv.sh tomcat9-9.0.16/debian/setenv.sh
--- tomcat9-9.0.16/debian/setenv.sh 2019-02-05 10:11:13.000000000 +0100
+++ tomcat9-9.0.16/debian/setenv.sh 2019-06-02 23:05:39.000000000 +0200
@@ -8,5 +8,5 @@
# Default Java options
if [ -z "$JAVA_OPTS" ]; then
- JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+ JAVA_OPTS="-Djava.awt.headless=true"
fi
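Review bot: the JAVA_OPTS default now lives in three places that must be kept in sync: this setenv.sh fallback, the JAVA_OPTS line in default.template, and Environment="JAVA_OPTS=-Djava.awt.headless=true" in tomcat9.service. A comment in each pointing at the others, or deriving the others from one of them, would avoid the next option change being applied in only one of them.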
diff -Nru tomcat9-9.0.16/debian/tomcat9.postinst
tomcat9-9.0.16/debian/tomcat9.postinst
--- tomcat9-9.0.16/debian/tomcat9.postinst 2019-02-05 10:11:13.000000000
+0100
+++ tomcat9-9.0.16/debian/tomcat9.postinst 2019-06-03 00:44:27.000000000
+0200
@@ -63,8 +63,10 @@
chmod 775 /var/lib/tomcat9/webapps
# Grant read/write access to tomcat to the log and cache directories
- chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/log/tomcat9/
/var/cache/tomcat9/
- chmod 750 /var/log/tomcat9/ /var/cache/tomcat9/
+ chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/
+ chmod 2750 /var/log/tomcat9/
+ chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/
+ chmod 750 /var/cache/tomcat9/
;;
esac
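Review bot: the recursive `chown -Rh` on /var/log/tomcat9/ runs on every upgrade over a tree the service user writes into; the added tmpfiles.d entry already sets owner and mode 2750 on the directory itself, so the postinst could chown only the top-level directory (no -R) and leave the contents alone, which is also the usual hardening recommendation against maintainer scripts changing ownership inside service-writable trees. Two smaller points: the group is hard-coded as `adm` here while the cache directory still uses $TOMCAT_GROUP, and the unquoted `$TOMCAT_USER:adm` should be `"$TOMCAT_USER:adm"`.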
diff -Nru tomcat9-9.0.16/debian/tomcat9.service
tomcat9-9.0.16/debian/tomcat9.service
--- tomcat9-9.0.16/debian/tomcat9.service 2019-02-26 09:30:59.000000000
+0100
+++ tomcat9-9.0.16/debian/tomcat9.service 2019-06-03 00:44:27.000000000
+0200
@@ -14,7 +14,6 @@
Environment="CATALINA_BASE=/var/lib/tomcat9"
Environment="CATALINA_TMPDIR=/tmp"
Environment="JAVA_OPTS=-Djava.awt.headless=true"
-EnvironmentFile=-/etc/default/tomcat9
# Lifecycle
Type=simple
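Review bot: with EnvironmentFile= gone, systemd itself no longer reads /etc/default/tomcat9; only tomcat-start.sh does, after systemd has already applied the Environment= lines above. That is fine for the variables the script uses, but it should be documented (NEWS or the comment header of default.template) because any setting a user put there expecting the unit to see it, rather than the start script, is now ignored.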
@@ -32,13 +31,13 @@
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
-LogsDirectory=tomcat9
-LogsDirectoryMode=750
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
+ReadWritePaths=/var/log/tomcat9/
+RequiresMountsFor=/var/log/tomcat9
[Install]
WantedBy=multi-user.target
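Review bot: removing LogsDirectory= means the unit no longer creates or chowns /var/log/tomcat9 at start; that now depends on the tmpfiles.d snippet having been applied. Please make sure the maintainer scripts run `systemd-tmpfiles --create` for the new tomcat9.tmpfile before the service is restarted on upgrade, because under ProtectSystem=strict a ReadWritePaths= entry without a leading `-` is treated as an error when the path does not exist and the unit would fail to start. The RequiresMountsFor=/var/log/tomcat9 addition is a good complement for systems with /var/log on its own mount.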
diff -Nru tomcat9-9.0.16/debian/tomcat9.tmpfile
tomcat9-9.0.16/debian/tomcat9.tmpfile
--- tomcat9-9.0.16/debian/tomcat9.tmpfile 1970-01-01 01:00:00.000000000
+0100
+++ tomcat9-9.0.16/debian/tomcat9.tmpfile 2019-06-03 00:44:27.000000000
+0200
@@ -0,0 +1,6 @@
+# Tomcat log directory permissions
+
+# See tmpfiles.d(5) for details
+
+# Type Path Mode UID GID Age Argument
+d /var/log/tomcat9 2750 tomcat adm -
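Review bot: the UID here is the literal `tomcat`, while postinst uses $TOMCAT_USER for the same directory; if the two ever differ the ownership flips between boot (tmpfiles) and upgrade (postinst). Either substitute the same value into this file at build time or state in a comment that both must agree. The 2750/adm combination matches the postinst change and the changelog.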
--- End Message ---
--- Begin Message ---
Hi,
On 14-06-2019 11:13, Emmanuel Bourg wrote:
> Thank you, the package has been uploaded.
Unblocked, thanks.
Paul
--- End Message ---