Your message dated Wed, 9 Jul 2008 05:00:20 -0300
with message-id <[EMAIL PROTECTED]>
and subject line Fw: Tudo Gratis
has caused the Debian Bug report #268002,
regarding tomcat4: server.xml is publically readable so any user can shutdown
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
268002: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=268002
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: tomcat4
Version: 4.1.30-6
Severity: wishlist

At present, /etc/tomcat4/server.xml is mode 644. This means that any
legitimate user or rogue process has access to the shutdown
string and can shut tomcat down. This is a minor DoS and something of
a corner case (it affects tomcat instances running on large multi-user
boxes and stymies hardening measures designed to allow a server to "play
hurt" (continue giving partial service when partially compromised)),
but still an interesting one. This could be overcome by creating a
tomcat4 group, running the tomcat instance with this group ID,
changing the group ownership of server.xml to tomcat4 and changing
the mode to 640. This provides both confidentiality of the
shutdown secret and prevents a compromised tomcat instance from
manipulating its own configuration (because while the tomcat4
group can read the file, only root can write it).

- Raz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.6-1-686
Locale: LANG=C, LC_CTYPE=C

Versions of packages tomcat4 depends on:
ii  adduser                      3.59        Add and remove users and groups
ii  apache-utils                 1.3.31-3    Utility programs for webservers
ii  eclipse-javac [java-compiler 2.1.3-4     Eclipse Java compiler and ant plug
ii  j2re1.3 [java-virtual-machin 1.3.1.02b-2 Blackdown Java(TM) 2 Runtime Envir
ii  j2re1.4 [java-virtual-machin 1.4.1-6     Blackdown Java(TM) 2 Runtime Envir
ii  j2sdk1.3 [java-compiler]     1.3.1.02b-2 Blackdown Java(TM) 2 SDK, Standard
ii  j2sdk1.4 [java-compiler]     1.4.1-6     Blackdown Java(TM) 2 SDK, Standard
pn  libtomcat4-java                          Not found.

-- no debconf information


--- End Message ---
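Added example (not part of the bug report or of the Debian package): a shell check for the ownership and mode the report proposes for /etc/tomcat4/server.xml. It assumes GNU stat; the function name audit_server_xml and its owner/group parameters are hypothetical.

```shell
#!/bin/sh
# Audit a Tomcat server.xml against the layout proposed in the report:
# owner root, group tomcat4, mode 640 (no access for "other", no group write).
# Assumption: GNU coreutils stat (-c). Owner and group names are parameters.
#
# Usage: audit_server_xml /etc/tomcat4/server.xml [owner] [group]
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on error.
audit_server_xml() {
    file=$1
    want_owner=${2:-root}
    want_group=${3:-tomcat4}

    [ -f "$file" ] || { echo "ERROR: $file is not a regular file"; return 2; }

    mode=$(stat -c '%a' "$file") || return 2
    owner=$(stat -c '%U' "$file") || return 2
    group=$(stat -c '%G' "$file") || return 2
    bits=$((0$mode))          # leading 0 makes the shell read the mode as octal
    rc=0

    # "Other" read bit: every local account can read the shutdown string.
    if [ $((bits & 04)) -ne 0 ]; then
        echo "FAIL: $file is world-readable (mode $mode)"
        rc=1
    fi
    # "Other" write bit: every local account can change the configuration.
    if [ $((bits & 02)) -ne 0 ]; then
        echo "FAIL: $file is world-writable (mode $mode)"
        rc=1
    fi
    # Group write bit: the tomcat process could rewrite its own configuration.
    if [ $((bits & 020)) -ne 0 ]; then
        echo "FAIL: $file is group-writable (mode $mode)"
        rc=1
    fi
    # If the service account owns the file it can chmod or rewrite it.
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $file is owned by $owner, expected $want_owner"
        rc=1
    fi
    # The group must be the one the tomcat instance runs with, or it cannot read it.
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $file has group $group, expected $want_group"
        rc=1
    fi
    return $rc
}
```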
--- Begin Message ---
Folks, I received this e-mail and am forwarding it...
---
Did you know that there are sites on the internet that offer quality material
for free?
I found a site on the internet that provides a lot of quality material for
FREE.
The site is www.tudogratiswebsite.4d2.net
Some of the booklets offered are:
"Magic Tricks Kit"
"Seduction Guide"
"Self-Hypnosis Course"
"Drawing Course"
"Ringtones for mobile phones"
and several others...

This is quality FREE material that is practically forgotten on the
internet. Let's pass this opportunity on to our friends and tell as many
people as possible!
Again, the site is: www.tudogratiswebsite.4d2.net

Regards



--- End Message ---
_______________________________________________
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
