Bug#452366: marked as done (tomcat5.5-admin: manager servlet requires commons-io to upload WAR files)

Fri, 30 Nov 2007 03:41:46 -0800 

Your message dated Fri, 30 Nov 2007 10:17:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#452366: fixed in tomcat5.5 5.5.25-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: tomcat5.5-admin
Version: 5.5.25-1
Severity: important

When uploading a WAR file with the manager servlet, it throws an exception:

ALLVARLIG: Servlet.service() for servlet HTMLManager threw exception
java.lang.NoClassDefFoundError: org/apache/commons/io/output/DeferredFileOutputS
tream
        at org.apache.commons.fileupload.DefaultFileItemFactory.createItem(Defau
ltFileItemFactory.java:103)
        at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadB
ase.java:350)
        at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadB
ase.java:302)
        at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServ
let.java:157)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244
)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:2
76)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.
java:162)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationF

...

Turns out the manager servlet needs commons-io to be symlinked from its lib/ 
directory:

~$ ls -l /usr/share/tomcat5.5/server/webapps/manager/WEB-INF/lib/commons-io.jar
lrwxrwxrwx 1 root root 30 2007-11-01 14:29 
/usr/share/tomcat5.5/server/webapps/manager/WEB-INF/lib/commons-io.jar -> 
/usr/share/java/commons-io.jar

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23-rc3-lg (PREEMPT)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages tomcat5.5-admin depends on:
ii  libcommons-beanutils-java     1.7.0-5    utility for manipulating JavaBeans
ii  libcommons-collections3-java  3.1a-3.1   A set of abstract data type interf
ii  libcommons-digester-java      1.8-1      Rule based XML Java object mapping
ii  libcommons-fileupload-java    1.2-2      File upload capability to your ser
ii  libstruts1.2-java             1.2.9-3    Java Framework for MVC web applica
ii  tomcat5.5                     5.5.25-1   Servlet and JSP engine

tomcat5.5-admin recommends no packages.

-- no debconf information

--- End Message ---
--- Begin Message --- 
Source: tomcat5.5
Source-Version: 5.5.25-2

We believe that the bug you reported is fixed in the latest version of
tomcat5.5, which is due to be installed in the Debian FTP archive:

libtomcat5.5-java_5.5.25-2_all.deb
  to pool/main/t/tomcat5.5/libtomcat5.5-java_5.5.25-2_all.deb
tomcat5.5-admin_5.5.25-2_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5-admin_5.5.25-2_all.deb
tomcat5.5-webapps_5.5.25-2_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5-webapps_5.5.25-2_all.deb
tomcat5.5_5.5.25-2.diff.gz
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.25-2.diff.gz
tomcat5.5_5.5.25-2.dsc
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.25-2.dsc
tomcat5.5_5.5.25-2_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.25-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Koch <[EMAIL PROTECTED]> (supplier of updated tomcat5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 30 Nov 2007 10:46:33 +0100
Source: tomcat5.5
Binary: libtomcat5.5-java tomcat5.5 tomcat5.5-admin tomcat5.5-webapps
Architecture: source all
Version: 5.5.25-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers 
<[email protected]>
Changed-By: Michael Koch <[EMAIL PROTECTED]>
Description: 
 libtomcat5.5-java - Java Servlet engine -- core libraries
 tomcat5.5  - Servlet and JSP engine
 tomcat5.5-admin - Java Servlet engine -- admin & manager web interfaces
 tomcat5.5-webapps - Java Servlet engine -- documentation and example web 
applications
Closes: 448664 452366
Changes: 
 tomcat5.5 (5.5.25-2) unstable; urgency=high
 .
   [ Michael Koch ]
   CVE-2007-5461:
   * Fix absolute path traversal vulnerability. Closes: #448664.
 .
   [ Marcus Better ]
   * Add required commons-io symlink to the admin webapp, which fixes WAR
     file uploads. (Closes: #452366)
   * debian/control: Use the new Homepage and Vcs-* fields.
   * debian/NEWS: Remove outdated entry.
Files: 
 abab7824bd1a66070e2205d9b037c470 1330 web optional tomcat5.5_5.5.25-2.dsc
 7dbc5ca424d9fe25895ce3596f84df8a 31577 web optional tomcat5.5_5.5.25-2.diff.gz
 5d8b8ff8ef1ff64cd99e1a26dc4ba366 60928 web optional tomcat5.5_5.5.25-2_all.deb
 61c8039e098eb021120da4dea70eff4f 2416538 web optional 
libtomcat5.5-java_5.5.25-2_all.deb
 5bd4109cca9d3be8ea9c0a45ffe5ecc0 1486354 web optional 
tomcat5.5-webapps_5.5.25-2_all.deb
 88cf1ff55c9283262f23655545fb2c0c 1135614 web optional 
tomcat5.5-admin_5.5.25-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHT+KFWSOgCCdjSDsRAoZeAJ0cAulaIWrbqb5YZ2DBO79GVDPWvwCginVe
Z2aA65NSY21nGvFebYRgrms=
=ZAd3
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
pkg-java-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers

Reply via email to