This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat7.
commit ca577e895d14937c63f5ca7424c99f4c83cefb8d Author: Emmanuel Bourg <[email protected]> Date: Fri Dec 9 00:46:49 2016 +0100 Fixed CVE-2016-8735: Remote Code Execution --- debian/changelog | 7 +++++++ debian/patches/CVE-2016-8735.patch | 30 ++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 38 insertions(+) diff --git a/debian/changelog b/debian/changelog index a681196..103038b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,6 +10,13 @@ tomcat7 (7.0.56-3+deb8u6) UNRELEASED; urgency=medium interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. + * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take + account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations + using this listener remained vulnerable to a similar remote code execution + vulnerability. This issue has been rated as important rather than critical + due to the small number of installations using this listener and that it + would be highly unusual for the JMX ports to be accessible to an attacker + even when the listener is used. * Backported the fix for upstream bug 57377: Remove the restriction that prevented the use of SSL when specifying a bind address for the JMX/RMI server. Enable SSL to be configured for the registry as well as the server. diff --git a/debian/patches/CVE-2016-8735.patch b/debian/patches/CVE-2016-8735.patch new file mode 100644 index 0000000..f9c4b10 --- /dev/null +++ b/debian/patches/CVE-2016-8735.patch 
@@ -0,0 +1,30 @@ +Description: Fixes CVE-2016-8735: The JmxRemoteLifecycleListener was not updated + to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations + using this listener remained vulnerable to a similar remote code execution + vulnerability. This issue has been rated as important rather than critical due + to the small number of installations using this listener and that it would be + highly unusual for the JMX ports to be accessible to an attacker even when the + listener is used. +Origin: backport, https://svn.apache.org/r1767676 +--- a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java ++++ b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java +@@ -264,6 +264,10 @@ + serverCsf = new RmiClientLocalhostSocketFactory(serverCsf); + } + ++ env.put("jmx.remote.rmi.server.credential.types", new String[] { ++ String[].class.getName(), ++ String.class.getName() }); ++ + // Populate the env properties used to create the server + if (serverCsf != null) { + env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, serverCsf); +@@ -328,7 +332,7 @@ + cs = new RMIConnectorServer(serviceUrl, theEnv, server, + ManagementFactory.getPlatformMBeanServer()); + cs.start(); +- registry.bind("jmxrmi", server); ++ registry.bind("jmxrmi", server.toStub()); + log.info(sm.getString("jmxRemoteLifecycleListener.start", + Integer.toString(theRmiRegistryPort), + Integer.toString(theRmiServerPort), serverName)); diff --git a/debian/patches/series b/debian/patches/series index 26401e9..26a94e4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -36,3 +36,4 @@ CVE-2016-6796.patch CVE-2016-6797.patch CVE-2016-6816.patch BZ-57377.patch +CVE-2016-8735.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
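Review bot: in the CVE-2016-8735.patch hunk, the new `env.put("jmx.remote.rmi.server.credential.types", ...)` entry is the whole of the deserialization hardening and it only has an effect on a JRE that already carries Oracle's fix for CVE-2016-3427 (the Description names that fix as the prerequisite); on an older JRE the key is an unknown attribute and the listener is left in its previous state. The Debian side should therefore record the minimum JRE this backport relies on (in debian/changelog or the package dependencies) so users of this listener are not left with a false sense of coverage. The second change, `registry.bind("jmxrmi", server.toStub())` in place of `registry.bind("jmxrmi", server)`, registers the stub rather than the exported object itself and matches the upstream r1767676 backport named in the Origin line; no further change needed there, but a one-line comment above the credential-types block stating which JRE property it targets would help the next person rebasing this patch.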
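Review bot: in the debian/patches/series hunk, `CVE-2016-8735.patch` is appended after `BZ-57377.patch`, and that ordering matters: the changelog says BZ-57377 reworks SSL/bind-address handling for the JMX/RMI server in the same listener, and the new patch's offsets (`@@ -264,6 +264,10 @@` and `@@ -328,7 +332,7 @@`) were evidently taken against the file with that patch already applied. Keep the new entry last in series and, if BZ-57377.patch is ever dropped or reordered, refresh the CVE-2016-8735 hunks rather than relying on fuzz.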

