Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Dear Release Team:

Please unblock package tomcat6. The upload of -5 addresses the priority serious bug #687818 (postinst modifying conffile) and includes an update to the README regarding CVE-2010-4312 (#608286).

The debdiff against the -4 package is attached; please let me know if you have any concerns.

Thank you for your consideration (and tireless effort).

tony

unblock tomcat6/6.0.35-5
diff -Nru tomcat6-6.0.35/debian/changelog tomcat6-6.0.35/debian/changelog --- tomcat6-6.0.35/debian/changelog 2012-06-28 10:44:58.000000000 -0700 +++ tomcat6-6.0.35/debian/changelog 2012-09-24 19:40:54.000000000 -0700 @@ -1,3 +1,13 @@ +tomcat6 (6.0.35-5) unstable; urgency=low + + * Apply patch to README.Debian to explain setting the HTTPOnly flag + in cookies by default; CVE-2010-4312. (Closes: #608286) + - Thank you to Thijs Kinkhorst for the patch. + * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid + updating the shipped conffile. (Closes: #687818) + + -- tony mancill <tmanc...@debian.org> Mon, 06 Aug 2012 21:29:11 -0700 + tomcat6 (6.0.35-4) unstable; urgency=low [ tony mancill ] diff -Nru tomcat6-6.0.35/debian/logrotate tomcat6-6.0.35/debian/logrotate --- tomcat6-6.0.35/debian/logrotate 2012-06-28 10:44:58.000000000 -0700 +++ tomcat6-6.0.35/debian/logrotate 1969-12-31 16:00:00.000000000 -0800 @@ -1,8 +0,0 @@ -/var/log/tomcat6/catalina.out { - copytruncate - weekly - rotate 52 - compress - missingok - create 640 @@@TOMCAT6USER@@@ adm -} diff -Nru tomcat6-6.0.35/debian/logrotate.md5sum tomcat6-6.0.35/debian/logrotate.md5sum --- tomcat6-6.0.35/debian/logrotate.md5sum 1969-12-31 16:00:00.000000000 -0800 +++ tomcat6-6.0.35/debian/logrotate.md5sum 2012-09-24 19:40:54.000000000 -0700 @@ -0,0 +1 @@ +b5420492288987ba126ea151bd92852d logrotate.template diff -Nru tomcat6-6.0.35/debian/logrotate.template tomcat6-6.0.35/debian/logrotate.template --- tomcat6-6.0.35/debian/logrotate.template 1969-12-31 16:00:00.000000000 -0800 +++ tomcat6-6.0.35/debian/logrotate.template 2012-09-24 19:40:54.000000000 -0700 
@@ -0,0 +1,8 @@ +/var/log/tomcat6/catalina.out { + copytruncate + weekly + rotate 52 + compress + missingok + create 640 tomcat6 adm +} diff -Nru tomcat6-6.0.35/debian/README.Debian tomcat6-6.0.35/debian/README.Debian --- tomcat6-6.0.35/debian/README.Debian 2012-06-28 10:44:58.000000000 -0700 +++ tomcat6-6.0.35/debian/README.Debian 2012-09-24 19:40:54.000000000 -0700 @@ -25,6 +25,21 @@ wish. See the "man authbind" for information on configuring authbind. +SECURITY: + +Tomcat 6 session cookies are sent with the httponly flag disabled by default. +It is recommended as a proactive security measure to turn this setting on +to mitigate cross site scripting attacks: httponly cookies cannot be 'stolen' +via JavaScript, a common vector in such attacks. + +The httponly setting can be enabled by adding the useHttpOnly attribute +to <Context> in /etc/tomcat6/context.xml: + + <Context useHttpOnly="true"> + +Httponly not being on by default is referred to as CVE-2010-4172. + + NEWS: tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low diff -Nru tomcat6-6.0.35/debian/rules tomcat6-6.0.35/debian/rules --- tomcat6-6.0.35/debian/rules 2012-06-28 10:44:58.000000000 -0700 +++ tomcat6-6.0.35/debian/rules 2012-09-24 19:40:54.000000000 -0700 @@ -73,7 +73,6 @@ dh_testroot dh_prep dh_installdirs - cp debian/logrotate debian/tomcat6/etc/logrotate.d/tomcat6 binary-indep: build install dh_testdir diff -Nru tomcat6-6.0.35/debian/tomcat6.install tomcat6-6.0.35/debian/tomcat6.install --- tomcat6-6.0.35/debian/tomcat6.install 2012-06-28 10:44:58.000000000 -0700 +++ tomcat6-6.0.35/debian/tomcat6.install 2012-09-24 19:40:54.000000000 -0700 
@@ -5,3 +5,5 @@ debian/default_root /usr/share/tomcat6-root/ debian/defaults.template /usr/share/tomcat6/ debian/defaults.md5sum /usr/share/tomcat6/ +debian/logrotate.template /usr/share/tomcat6/ +debian/logrotate.md5sum /usr/share/tomcat6/ diff -Nru tomcat6-6.0.35/debian/tomcat6.postinst tomcat6-6.0.35/debian/tomcat6.postinst --- tomcat6-6.0.35/debian/tomcat6.postinst 2012-06-28 10:44:58.000000000 -0700 +++ tomcat6-6.0.35/debian/tomcat6.postinst 2012-09-24 19:40:54.000000000 -0700 @@ -4,6 +4,8 @@ . /usr/share/debconf/confmodule TEMPLATE="/usr/share/tomcat6/defaults.template" CONFFILE="/etc/default/tomcat6" +LR_TEMPLATE="/usr/share/tomcat6/logrotate.template" +LR_CONFFILE="/etc/logrotate.d/tomcat6" JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC" case "$1" in @@ -36,11 +38,12 @@ chown -R $TOMCAT6_USER:adm /var/log/tomcat6 /var/cache/tomcat6 chmod 750 /var/log/tomcat6 /var/cache/tomcat6 - # replace the TOMCAT6USER token in /etc/logrotate.d/tomcat6 if it still contains the token - LOGROTATE_TOKEN="@@@TOMCAT6USER@@@" - if grep -q "$LOGROTATE_TOKEN" /etc/logrotate.d/tomcat6 ; then - sed --in-place "s/$LOGROTATE_TOKEN/$TOMCAT6_USER/" /etc/logrotate.d/tomcat6 - fi + # populate /etc/logrotate.d/tomcat6 + tmpfile=`mktemp /tmp/tomcat6.XXXXXXXXXX` + chmod 644 $tmpfile + cat $LR_TEMPLATE | sed "s%create 640 tomcat6 adm%create 640 $TOMCAT6_USER adm%" >> $tmpfile + ucf --debconf-ok --sum-file /usr/share/tomcat6/logrotate.md5sum $tmpfile $LR_CONFFILE + rm -f $tmpfile # configuration files should not be modifiable by tomcat6 user, as this can be a security issue # (an attacker may insert code in a webapp and have access to all tomcat configuration) diff -Nru tomcat6-6.0.35/debian/tomcat6.postrm tomcat6-6.0.35/debian/tomcat6.postrm --- tomcat6-6.0.35/debian/tomcat6.postrm 2012-06-28 10:44:58.000000000 -0700 +++ tomcat6-6.0.35/debian/tomcat6.postrm 2012-09-24 19:40:54.000000000 -0700 
@@ -4,6 +4,7 @@ #DEBHELPER# CONFFILE=/etc/default/tomcat6 +LR_CONFFILE=/etc/logrotate.d/tomcat6 # Remove cached files and auto-generated catalina.policy rm -rf /var/cache/tomcat6/* 
@@ -47,8 +48,9 @@ set +e if [ -x "/usr/bin/ucf" ]; then ucf --purge $CONFFILE + ucf --purge $LR_CONFFILE fi - rm -rf /var/log/tomcat6 /var/lib/tomcat6/temp $CONFFILE + rm -rf /var/log/tomcat6 /var/lib/tomcat6/temp $CONFFILE $LR_CONFFILE if [ -d "/var/lib/tomcat6" ] ; then rmdir --ignore-fail-on-non-empty /var/lib/tomcat6 fi [The following lists of changes regard files as different if they have different names, permissions or owners.] Files in second .changes but not in first ----------------------------------------- -rw-r--r-- root/root /usr/share/tomcat6/logrotate.md5sum -rw-r--r-- root/root /usr/share/tomcat6/logrotate.template Files in first .changes but not in second ----------------------------------------- -rw-r--r-- root/root /etc/logrotate.d/tomcat6 Control files of package libservlet2.4-java: lines which differ (wdiff format) ------------------------------------------------------------------------------ Version: [-6.0.35-4-] {+6.0.35-5+} Control files of package libservlet2.5-java: lines which differ (wdiff format) ------------------------------------------------------------------------------ Version: [-6.0.35-4-] {+6.0.35-5+} Control files of package libservlet2.5-java-doc: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Version: [-6.0.35-4-] {+6.0.35-5+} Control files of package libtomcat6-java: lines which differ (wdiff format) --------------------------------------------------------------------------- Depends: libecj-java, libcommons-dbcp-java, libcommons-pool-java, libservlet2.5-java (>= [-6.0.35-4)-] {+6.0.35-5)+} Suggests: tomcat6 (>= [-6.0.35-4)-] {+6.0.35-5)+} Version: [-6.0.35-4-] {+6.0.35-5+} Control files of package tomcat6: lines which differ (wdiff format) ------------------------------------------------------------------- Depends: tomcat6-common (>= [-6.0.35-4),-] {+6.0.35-5),+} ucf, adduser, debconf (>= 0.5) | debconf-2.0 Suggests: tomcat6-docs (>= [-6.0.35-4),-] 
{+6.0.35-5),+} tomcat6-admin (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-examples (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-user (>= [-6.0.35-4),-] {+6.0.35-5),+} libtcnative-1 Version: [-6.0.35-4-] {+6.0.35-5+} Control files of package tomcat6-admin: lines which differ (wdiff format) ------------------------------------------------------------------------- Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+} Version: [-6.0.35-4-] {+6.0.35-5+} Control files of package tomcat6-common: lines which differ (wdiff format) -------------------------------------------------------------------------- Depends: libtomcat6-java (>= [-6.0.35-4),-] {+6.0.35-5),+} default-jre-headless | java7-runtime-headless | java7-runtime | java6-runtime-headless | java6-runtime | java5-runtime Installed-Size: [-114-] {+115+} Version: [-6.0.35-4-] {+6.0.35-5+} Control files of package tomcat6-docs: lines which differ (wdiff format) ------------------------------------------------------------------------ Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+} Version: [-6.0.35-4-] {+6.0.35-5+} Control files of package tomcat6-examples: lines which differ (wdiff format) ---------------------------------------------------------------------------- Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+} Version: [-6.0.35-4-] {+6.0.35-5+} Control files of package tomcat6-extras: lines which differ (wdiff format) -------------------------------------------------------------------------- Depends: tomcat6-common (>= [-6.0.35-4)-] {+6.0.35-5)+} Version: [-6.0.35-4-] {+6.0.35-5+} Control files of package tomcat6-user: lines which differ (wdiff format) ------------------------------------------------------------------------ Depends: tomcat6-common (>= [-6.0.35-4),-] {+6.0.35-5),+} netcat Suggests: tomcat6-docs (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-admin (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6-examples (>= [-6.0.35-4),-] {+6.0.35-5),+} tomcat6 (>= [-6.0.35-4)-] {+6.0.35-5)+} Version: [-6.0.35-4-] 
{+6.0.35-5+}
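Review bot: the debian/changelog hunk dates the 6.0.35-5 entry "Mon, 06 Aug 2012", but every file in the diff carries a 2012-09-24 mtime and the entry closes #687818, so the trailer date predates the work it describes; refresh it with `dch -r` before uploading so the changelog reflects when -5 was finalized.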
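Review bot: in the debian/logrotate.template hunk the line `create 640 tomcat6 adm` is rewritten by a literal sed match in postinst, so any later edit to that line (mode, group, spacing) silently disables the substitution and the file is installed for the default user even when TOMCAT6_USER is something else. Either keep a distinctive token such as the old `@@@TOMCAT6USER@@@` and substitute that, or add a `#` comment in the template stating that postinst patches this line.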
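Review bot: the README.Debian hunk cites the wrong CVE: "Httponly not being on by default is referred to as CVE-2010-4172", while the changelog hunk, the bug title and the unblock request all attribute the missing HttpOnly default to CVE-2010-4312. Make the README consistent with the changelog (CVE-2010-4312) so administrators searching by identifier find the right advisory.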
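Review bot: the tomcat6.postinst hunk takes over /etc/logrotate.d/tomcat6 with ucf, but the debdiff file list shows that file was shipped as a dpkg conffile in -4 and nothing in the diff handles the transition: on upgrade dpkg keeps the old file registered as an obsolete conffile with its -4 checksum while ucf starts managing the same path. Consider a dpkg-maintscript-helper rm_conffile transition (or at least document that the -4 on-disk content, once the token was substituted with the default user, matches the checksum in logrotate.md5sum so ucf will not prompt on unmodified systems). Two smaller points in the same hunk: `cat $LR_TEMPLATE | sed ... >> $tmpfile` appends to a freshly created empty file, so a plain `sed "..." "$LR_TEMPLATE" > "$tmpfile"` is clearer; and `$TOMCAT6_USER` is interpolated unquoted into the sed expression, so a value containing `%` (the chosen delimiter) or whitespace would break it, whereas quoting the variable and rejecting such values keeps the generated logrotate stanza well formed.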