On Wed, Nov 08, 2017 at 03:03:06PM +0100, Markus Koschany wrote:
> Thank you for the report. There was a recent security update of Tomcat 7
> which is the likely cause for this issue.
> 
> Roberto can you take a look please?
> 
Hi Markus & others,

I was able to identify the cause of the regression that I introduced.

There are updated packages here: https://people.debian.org/~roberto/

My testing this time around was more thorough and I believe that this
update properly addresses the CVE without introducing a regression.  If
some intrepid souls could test these packages and give a thumbs up, I
will upload the packages in the next 12-18 hours and then release an
updated advisory.

Here is my proposed advisory text:

====================

The update for tomcat7 issued as DLA-1166-1 caused a regressions whereby every
request, including for the root document (/), returned HTTP status 404. Updated
packages are now available to address this problem. For reference, the original
advisory text follows.

    When HTTP PUT was enabled (e.g., via setting the readonly initialization
    parameter of the Default servlet to false) it was possible to upload a JSP
    file to the server via a specially crafted request. This JSP could then be
    requested and any code it contained would be executed by the server.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u17.

====================

For those who are interested, the regression resulted from a combination
of two factors.

 - When incorporating one of the upstream change sets, an unclean patch
   application produced a .rej rejection file which I overlooked
 - When incorporating another upstream changeset, my attempt to
   integrate the minimal change was too minimal and left out an
   important additional change

These problems did not manifest themselves in my initial testing of the
7.0.28-4+deb7u16 packages because of browser caching.

I offer my apologies for causing this problem and my thanks for your
help in resolving it.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Attachment: signature.asc
Description: PGP signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to