Author: ludovicc-guest
Date: 2009-09-14 12:01:22 +0000 (Mon, 14 Sep 2009)
New Revision: 10355
Added: trunk/tomcat6/debian/README.source Modified: trunk/tomcat6/debian/changelog trunk/tomcat6/debian/control trunk/tomcat6/debian/policy/02debian.policy trunk/tomcat6/debian/tomcat6.postinst Log: * tomcat6.postinst: set the ownership of files in /etc/tomcat6/ to root:tomcat6, to prevent an attacker running inside a tomcat6 instance to change the tomcat configuration * debian/policy/02debian.policy: grant access to /usr/share/maven-repo/ as it is a valid source of Debian JARs. (Closes: #545674) * Bump up Standards-Version to 3.8.3 - add debian/README.source that describes the quilt patch system. * debian/control: Add Conflicts on libtomcat6-java with old versions of tomcat6-common (Closes: #542397) Added: trunk/tomcat6/debian/README.source =================================================================== --- trunk/tomcat6/debian/README.source (rev 0) +++ trunk/tomcat6/debian/README.source 2009-09-14 12:01:22 UTC (rev 10355) @@ -0,0 +1,9 @@ +Patch System +============ + +This package uses quilt to manage all modifications to the upstream +source. Changes are stored in the source package as diffs in +debian/patches and applied during the build. + +See /usr/share/doc/quilt/README.source for a detailed explanation. + Modified: trunk/tomcat6/debian/changelog =================================================================== --- trunk/tomcat6/debian/changelog 2009-09-14 05:20:02 UTC (rev 10354) +++ trunk/tomcat6/debian/changelog 2009-09-14 12:01:22 UTC (rev 10355) 
@@ -1,3 +1,18 @@ +tomcat6 (6.0.20-6) unstable; urgency=low + + * tomcat6.postinst: set the ownership of files in /etc/tomcat6/ + to root:tomcat6, to prevent an attacker running inside a tomcat6 + instance to change the tomcat configuration + * debian/policy/02debian.policy: grant access to + /usr/share/maven-repo/ as it is a valid source of Debian JARs. + (Closes: #545674) + * Bump up Standards-Version to 3.8.3 + - add debian/README.source that describes the quilt patch system. + * debian/control: Add Conflicts on libtomcat6-java with old versions + of tomcat6-common (Closes: #542397) + + -- Ludovic Claude <[email protected]> Mon, 14 Sep 2009 11:03:37 +0100 + tomcat6 (6.0.20-5) unstable; urgency=low * Fix jsp-api dependency in the Maven descriptors. Modified: trunk/tomcat6/debian/control =================================================================== --- trunk/tomcat6/debian/control 2009-09-14 05:20:02 UTC (rev 10354) +++ trunk/tomcat6/debian/control 2009-09-14 12:01:22 UTC (rev 10355) @@ -6,7 +6,7 @@ Torsten Werner <[email protected]> Build-Depends: openjdk-6-jdk, ant-optional, debhelper (>= 6), quilt Build-Depends-Indep: maven-repo-helper, libecj-java -Standards-Version: 3.8.2 +Standards-Version: 3.8.3 Homepage: http://tomcat.apache.org Vcs-Svn: svn://svn.debian.org/svn/pkg-java/trunk/tomcat6 Vcs-Browser: http://svn.debian.org/wsvn/pkg-java/trunk/tomcat6 
@@ -60,6 +60,7 @@ libcommons-pool-java, libservlet2.5-java (>= ${source:Version}) Suggests: tomcat6 (>= ${source:Version}) +Conflicts: tomcat6-common (<< 6.0.20-5) Description: Servlet and JSP engine -- core libraries Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web Modified: trunk/tomcat6/debian/policy/02debian.policy =================================================================== --- trunk/tomcat6/debian/policy/02debian.policy 2009-09-14 05:20:02 UTC (rev 10354) +++ trunk/tomcat6/debian/policy/02debian.policy 2009-09-14 12:01:22 UTC (rev 10355) @@ -2,6 +2,9 @@ grant codeBase "file:/usr/share/java/-" { permission java.security.AllPermission; }; +grant codeBase "file:/usr/share/maven-repo/-" { + permission java.security.AllPermission; +}; grant codeBase "file:/usr/share/ant/lib/-" { permission java.security.AllPermission; }; Modified: trunk/tomcat6/debian/tomcat6.postinst =================================================================== --- trunk/tomcat6/debian/tomcat6.postinst 2009-09-14 05:20:02 UTC (rev 10354) +++ trunk/tomcat6/debian/tomcat6.postinst 2009-09-14 12:01:22 UTC (rev 10355) 
@@ -9,7 +9,10 @@ fi chown -R tomcat6:adm /var/log/tomcat6 /var/cache/tomcat6 chmod 750 /var/log/tomcat6 /var/cache/tomcat6 - chown -Rh tomcat6:adm /etc/tomcat6/* + # configuration files should not be modifiable by tomcat6 user, as this can be a security issue + # (an attacker may insert code in a webapp and have access to all tomcat configuration) + # but those files should be readable by tomcat6, so we set the group to tomcat6 + chown -Rh root:tomcat6 /etc/tomcat6/* chmod 640 /etc/tomcat6/tomcat-users.xml chown -Rh tomcat6:adm /var/lib/tomcat6/webapps /var/lib/tomcat6/common /var/lib/tomcat6/server /var/lib/tomcat6/shared chmod 775 /var/lib/tomcat6/webapps _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/pkg-java-commits
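Review bot: In the second debian/control hunk, `Conflicts: tomcat6-common (<< 6.0.20-5)` forces removal of the older tomcat6-common before libtomcat6-java can be unpacked. A versioned Breaks with the same bound would express the constraint with a smoother upgrade path, and if the reason is that files moved between the two packages, a matching Replaces is needed as well. The changelog entry gives only the bug number, so a short statement of why the bound is 6.0.20-5 would help the next maintainer.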
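Review bot: In the debian/policy/02debian.policy hunk, the new grant gives `java.security.AllPermission` to every JAR under /usr/share/maven-repo/ with no comment in the policy file saying why. Any package that installs a JAR into that tree then runs without restriction when Tomcat is started with the security manager, so the grant widens the trusted code base to the whole Maven repository layout. Please add a comment above the `grant codeBase "file:/usr/share/maven-repo/-"` block recording the rationale (the changelog cites #545674), and consider whether a narrower permission set or narrower path would satisfy that bug.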
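Review bot: In the debian/tomcat6.postinst hunk, `chown -Rh root:tomcat6 /etc/tomcat6/*` changes owner and group but not modes, and the glob skips /etc/tomcat6 itself and any dotfiles directly inside it. With the group now set to tomcat6, any file that is group-writable remains writable by the account this change is meant to lock out, and only tomcat-users.xml gets an explicit mode from the following `chmod 640`. Write access to the directory itself also allows replacing files in it regardless of who owns them. Suggest chowning the directory as well (`chown -Rh root:tomcat6 /etc/tomcat6`) and clearing group write explicitly, for example `chmod -R g-w /etc/tomcat6`, so the result does not depend on whatever modes an earlier version left behind.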

