Your message dated Fri, 23 Dec 2016 18:32:35 +0000
with message-id <e1ckudv-0007va...@fasolo.debian.org>
and subject line Bug#845385: fixed in tomcat8 8.0.14-1+deb8u5
has caused the Debian Bug report #845385,
regarding CVE-2016-9775: privilege escalation via removal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
845385: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845385
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat8
Version: 8.0.14-1+deb8u4
Severity: critical
Tags: security

Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
writable by group tomcat8, as per the postinst script. Then the tomcat8
user, in the situation envisaged in DSA-3670 and DSA-3720, see also
  http://seclists.org/fulldisclosure/2016/Oct/4
could use something like commands
  touch /etc/tomcat8/Catalina/attack
  chmod 2747 /etc/tomcat8/Catalina/attack
to create a file:
  # ls -l /etc/tomcat8/Catalina/attack
  -rwxr-Srwx 1 tomcat8 tomcat8 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
Then if the tomcat8 package is removed (purged?), the postrm script runs
  chown -Rhf root:root /etc/tomcat8/
and that will leave the file world-writable, setgid root:
  # ls -l /etc/tomcat8/Catalina/attack
  -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
allowing "group root" access to the world.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

--- End Message ---
--- Begin Message ---
Source: tomcat8
Source-Version: 8.0.14-1+deb8u5

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 845...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 17 Dec 2016 09:19:36 +0100
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java 
libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API 
classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java 
API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web 
application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web 
applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 845385 845393
Changes:
 tomcat8 (8.0.14-1+deb8u5) jessie-security; urgency=high
 .
   * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat8
     package is upgraded. Thanks to Paul Szabo for the report (Closes: #845393)
   * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat8
     package is purged. Thanks to Paul Szabo for the report (Closes: #845385)
   * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
     invalid characters. This could be exploited, in conjunction with a proxy
     that also permitted the invalid characters but with a different
     interpretation, to inject data into the HTTP response. By manipulating the
     HTTP response the attacker could poison a web-cache, perform an XSS attack
     and/or obtain sensitive information from requests other then their own.
   * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
     account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
     using this listener remained vulnerable to a similar remote code execution
     vulnerability. This issue has been rated as important rather than critical
     due to the small number of installations using this listener and that it
     would be highly unusual for the JMX ports to be accessible to an attacker
     even when the listener is used.
   * Backported the fix for upstream bug 57377: Remove the restriction that
     prevented the use of SSL when specifying a bind address for the JMX/RMI
     server. Enable SSL to be configured for the registry as well as the server.
   * CVE-2016-5018 follow-up: Applied a missing modification fixing
     a ClassNotFoundException when the security manager is enabled (see #846298)
   * CVE-2016-6797 follow-up: Fixed a regression preventing some applications
     from accessing the global resources (see #845425)
   * CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
   * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
     with recent JREs
   * Backported a fix disabling the broken SSLv3 tests
   * Refreshed the expired SSL certificates used by the tests
   * Set the locale when running the tests to prevent locale sensitive tests
     from failing
   * Added asm-all.jar to the test classpath to fix TestWebappServiceLoader
   * Fixed a test failure in the new TestNamingContext test added with the fix
     for CVE-2016-6797
   * Test failures are no longer ignored and now stop the build
Checksums-Sha1:
 863b3c4d475bde4e869f4ebaebf67118dae4b9f9 2842 tomcat8_8.0.14-1+deb8u5.dsc
 9ad63d0fddca86cfd97e8fca65563247e80a718b 70888 
tomcat8_8.0.14-1+deb8u5.debian.tar.xz
 c983ffb5480273647fbc13c0dfcd845fd4cdaf38 57498 
tomcat8-common_8.0.14-1+deb8u5_all.deb
 c758773f15b912d448024e4495125af61bb093a8 47000 tomcat8_8.0.14-1+deb8u5_all.deb
 b2c8c6de94ce645dcbafcfd4ea597293f063a78f 34530 
tomcat8-user_8.0.14-1+deb8u5_all.deb
 feef6365326e829ebf29af02e6c9395a7294f824 4587212 
libtomcat8-java_8.0.14-1+deb8u5_all.deb
 aaa54d72e7ecf58eb9c7e342771cfded676b1650 391938 
libservlet3.1-java_8.0.14-1+deb8u5_all.deb
 0e664137717a28a462964aef6effb4ccf88b0f74 247386 
libservlet3.1-java-doc_8.0.14-1+deb8u5_all.deb
 2e4b17b7870ded1623f89ee22bf61d7bcc835c5e 35942 
tomcat8-admin_8.0.14-1+deb8u5_all.deb
 c7c874c57df41fdf45c8932136bfd86777716960 194150 
tomcat8-examples_8.0.14-1+deb8u5_all.deb
 cc2e6a53b27dda1e2ad95d0a7abe92fc7eaed4d2 688960 
tomcat8-docs_8.0.14-1+deb8u5_all.deb
Checksums-Sha256:
 03a05dc2b15e3241270a7e99c7f5a6afde2fc875dcda8461727970cf5f1b88c8 2842 
tomcat8_8.0.14-1+deb8u5.dsc
 2c56c1343672f97fd42b1b38b82716f92fd7a7d3f1006782de3b014973daa30d 70888 
tomcat8_8.0.14-1+deb8u5.debian.tar.xz
 e83161efde88bb3f0fd8c146439df5c99be73f61280ed631095f13c98403d498 57498 
tomcat8-common_8.0.14-1+deb8u5_all.deb
 dcd7534cf403f239ee8c570795d8d139bb4aaa7556c17a4859cd44fc365f4be6 47000 
tomcat8_8.0.14-1+deb8u5_all.deb
 77d611b6c3cc4623f2909fdd04a9ee956d234f5b79ea18fde2135e2e0e696ab4 34530 
tomcat8-user_8.0.14-1+deb8u5_all.deb
 e0883845d2e042768363e1425ede323fdc60cbdd95c1d4bcf3323f7422466672 4587212 
libtomcat8-java_8.0.14-1+deb8u5_all.deb
 d8c41a1aaecf1e0bab2b28158070e0d2750cf2f0434e917c23b63c7a5a1d5879 391938 
libservlet3.1-java_8.0.14-1+deb8u5_all.deb
 f04d84a02294cdc9a6afa8c9dd6007b040bf26ab5b7dd248855bcb9bbc316479 247386 
libservlet3.1-java-doc_8.0.14-1+deb8u5_all.deb
 6c4cc9f3793df8702a17b62b55abd7e11e482928f755f00ac00b50b3411b1141 35942 
tomcat8-admin_8.0.14-1+deb8u5_all.deb
 9979fdb3802afad02db5a5645a269640e086eb07ecfa200c2b375bfbeadd4595 194150 
tomcat8-examples_8.0.14-1+deb8u5_all.deb
 4b85438c34275b10b62757ee5cbe618dce772551d75948a1243265a8bc48a7c7 688960 
tomcat8-docs_8.0.14-1+deb8u5_all.deb
Files:
 25c13a968a8dc7daa066d594f05b0dcb 2842 java optional tomcat8_8.0.14-1+deb8u5.dsc
 95e06df78dc1c9398884e55044a237ef 70888 java optional 
tomcat8_8.0.14-1+deb8u5.debian.tar.xz
 1abdee40b2cde01e1e65cebff7ef7ee6 57498 java optional 
tomcat8-common_8.0.14-1+deb8u5_all.deb
 2bae4143a2997470561ed1709586a26b 47000 java optional 
tomcat8_8.0.14-1+deb8u5_all.deb
 f626fcac4e1903ed3eda43968f4fc22f 34530 java optional 
tomcat8-user_8.0.14-1+deb8u5_all.deb
 8d9fe2adfa73a4dcb4d8c80e0143d5ac 4587212 java optional 
libtomcat8-java_8.0.14-1+deb8u5_all.deb
 8a457e5d67dc7609f7966af22d56ebea 391938 java optional 
libservlet3.1-java_8.0.14-1+deb8u5_all.deb
 4192b6c66a1081ce709c37b33a5e6e9d 247386 doc optional 
libservlet3.1-java-doc_8.0.14-1+deb8u5_all.deb
 9a72fe5cc3bc07a0286004313845381f 35942 java optional 
tomcat8-admin_8.0.14-1+deb8u5_all.deb
 5e4adc0169686723ffcffc538458120d 194150 java optional 
tomcat8-examples_8.0.14-1+deb8u5_all.deb
 30156d2df7f5b012bc9858114d16d394 688960 doc optional 
tomcat8-docs_8.0.14-1+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJYVUMMAAoJEPUTxBnkudCsKvkP/RNqmuIFBgz0PWVleUf1QVXm
7/LJO3Xoc+WAsWjeynEMcZV13+TqeDoPrc6CahstCG7dv5odZffpbelbDNSInxQ+
ka1okoxoUsQCC29109Rh6pLy1j2lX6BovlRzTYgJ7H/a3VcsD+UeJH3TFTqncgG1
GrSmrqi8cTf2Nr3YqEqhpEwGB0EkkHTEXp03GEH8DIKj84oC72ERa5vkkgFNATzp
2YFnzEQLIDCQkcY/gJgEL3k9jNZVI94QOzGmaXiAfhChTRAL39k7NCVgKguNpIdJ
wX1h6nK0UlGfbfUvkQJO93zMVujbzrnFf1htM8uqdfskVcGxlogi0yRKi8ZHBa1t
R7izOWOUTCxem/anWY1Zkt8p9hyXnFr3jalnHmPGRgIfXnM3inPu2FvuOh0bLAMv
pkl1lWVFCYI2ea8X+tl1Mao1JJOJULijGot6QiWYDv1qadqxKkBSByt62vF3PBAn
/udHpYmF+obFe1mAAzunQyhtafeUZyJNIWKthHPszL5pb2D2K7ZB3gtLfAEKG1vk
gMyHsOTXhn51WrfEjcHer12SkUTbmZBNcCE9jjO8/62XPC2dATzMFRQEozjQ5Szr
4ggqqKMHPqDWx3PkjjEESxAjMlT1l+C2+GNvOrKhmIIsRL2vl9brka7ZLEdQ8TZY
U32bDL1Spp1aHg9RzmfP
=C3ZY
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to