Your message dated Fri, 23 Dec 2016 18:32:34 +0000
with message-id <e1ckudu-0007um...@fasolo.debian.org>
and subject line Bug#845425: fixed in tomcat7 7.0.56-3+deb8u6
has caused the Debian Bug report #845425,
regarding DataSource no longer accessible since jessie security update
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
845425: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat7
Version: 7.0.56-3+deb8u5
Severity: normal
After the security update 7.0.56-3+deb8u5, I get an error message:
ALLVARLIG: Servlet.service() for servlet [Faces Servlet] in context with
path [/mech] threw exception [Filter execution threw an exception] with
root cause
org.hibernate.HibernateException: Unable to determine appropriate
DataSource to use
This seems likely to be connected with the fix for bug #842666, but I am
not expert enough to determine whether this is due to misconfiguration,
a problem with the fix, a problem in Hibernate, or ...
It used to work with 7.0.56-3+deb8u4, and downgrading to 7.0.56-3+deb8u3
from stable also restores the functionality.
/etc/tomcat7/server.xml:
  ...
  <GlobalNamingResources>
    ...
    <Resource name="jdbc/mechDB" auth="Container" type="javax.sql.DataSource"
              factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" ... />
    <Resource name="jdbc/mechDB_ro" auth="Container"
              type="javax.sql.DataSource"
              factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" ... />
    ...
  </GlobalNamingResources>
  ...
webapp/META-INF/context.xml:
  <Context>
    <ResourceLink name="jdbc/mechDB" global="jdbc/mechDB_ro"
                  type="javax.sql.DataSource"/>
  </Context>
Thanks,
Arne
--- End Message ---
--- Begin Message ---
Source: tomcat7
Source-Version: 7.0.56-3+deb8u6
We believe that the bug you reported is fixed in the latest version of
tomcat7, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 845...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tomcat7 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 09 Dec 2016 17:54:59 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java
libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
libtomcat7-java - Servlet and JSP engine -- core libraries
tomcat7 - Servlet and JSP engine
tomcat7-admin - Servlet and JSP engine -- admin web applications
tomcat7-common - Servlet and JSP engine -- common files
tomcat7-docs - Servlet and JSP engine -- documentation
tomcat7-examples - Servlet and JSP engine -- example web applications
tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 845425 846298
Changes:
tomcat7 (7.0.56-3+deb8u6) jessie-security; urgency=high
.
* Fixed CVE-2016-9774: Potential privilege escalation when the tomcat7
package is upgraded. Thanks to Paul Szabo for the report (see #845393)
* Fixed CVE-2016-9775: Potential privilege escalation when the tomcat7
package is purged. Thanks to Paul Szabo for the report (see #845385)
* Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
invalid characters. This could be exploited, in conjunction with a proxy
that also permitted the invalid characters but with a different
interpretation, to inject data into the HTTP response. By manipulating the
HTTP response the attacker could poison a web-cache, perform an XSS attack
and/or obtain sensitive information from requests other than their own.
* Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
using this listener remained vulnerable to a similar remote code execution
vulnerability. This issue has been rated as important rather than critical
due to the small number of installations using this listener and that it
would be highly unusual for the JMX ports to be accessible to an attacker
even when the listener is used.
* Backported the fix for upstream bug 57377: Remove the restriction that
prevented the use of SSL when specifying a bind address for the JMX/RMI
server. Enable SSL to be configured for the registry as well as the server.
* CVE-2016-5018 follow-up: Applied a missing modification fixing
a ClassNotFoundException when the security manager is enabled
(Closes: #846298)
* CVE-2016-6797 follow-up: Fixed a regression preventing some applications
from accessing the global resources (Closes: #845425)
* CVE-2015-5345 follow-up: Added a missing modification enabling the use of
the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled
attributes on a context.
* Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
with recent JREs
* Refreshed the expired SSL certificates used by the tests
* Set the locale when running the tests to prevent locale sensitive tests
from failing
* Fixed a test failure in the new TestNamingContext test added with the fix
for CVE-2016-6797
* Fixed a test failure in TestResourceBundleELResolver
* Reduced the verbosity of the tests
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
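The CVE-2016-6816 entry in the changelog above concerns a request-line parser that accepted invalid characters. As an added illustration (not part of the original messages and not Tomcat's own parser), this Python check applies the RFC 7230 request-line grammar and the RFC 3986 character set to a few constructed request lines, which also helps find client URLs that a strict parser will start rejecting after the update. The names `check_request_line` and `SAMPLES` are hypothetical.

```python
import re
import string

# The method is an RFC 7230 "token".
METHOD = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
VERSION = re.compile(rb"HTTP/[0-9]\.[0-9]")
# RFC 3986 unreserved and reserved characters without "#" (a fragment is
# never sent in a request-target), plus "%" to introduce a percent-escape.
TARGET_CHARS = frozenset(
    (string.ascii_letters + string.digits + "-._~:/?[]@!$&'()*+,;=%").encode())
BAD_ESCAPE = re.compile(rb"%(?![0-9A-Fa-f]{2})")


def check_request_line(line: bytes) -> list:
    """Return the problems found in a request line given without its CRLF."""
    problems = []
    # Only printable ASCII and the two separating spaces belong on the line.
    stray = sorted({b for b in line if b < 0x20 or b > 0x7E})
    if stray:
        problems.append("control or non-ASCII bytes: "
                        + " ".join(f"0x{b:02x}" for b in stray))
    fields = line.split(b" ")
    if len(fields) != 3:
        problems.append(f"expected 3 space-separated fields, got {len(fields)}")
        return problems
    method, target, version = fields
    if not METHOD.fullmatch(method):
        problems.append("method is not a token")
    if not target:
        problems.append("empty request-target")
    illegal = sorted({chr(b) for b in target
                      if b not in TARGET_CHARS and 0x20 < b < 0x7F})
    if illegal:
        problems.append("characters not allowed in request-target: "
                        + " ".join(illegal))
    if BAD_ESCAPE.search(target):
        problems.append("malformed percent-escape")
    if not VERSION.fullmatch(version):
        problems.append("malformed HTTP-version")
    return problems


# Constructed sample lines, not taken from the bug report.
SAMPLES = [b"GET /mech/index.xhtml?id=42 HTTP/1.1",
           b"GET /search?q={a|b} HTTP/1.1",
           b"GET /a b HTTP/1.1",
           b"GET /a\tb HTTP/1.1",
           b"GET /a%zz HTTP/1.1"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_request_line(sample) or "ok")
```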