Bug#782635: tomcat8-admin: Default upload limit for manager app too small with no way to override

2015-04-15 Thread Dominic Hargreaves
On Wed, Apr 15, 2015 at 11:22:26AM +0100, Dominic Hargreaves wrote:
> On Wed, Apr 15, 2015 at 12:13:56PM +0200, Emmanuel Bourg wrote:
> > The web.xml file of the manager application is packaged as is, there is
> > no difference with the file distributed upstream.
> >
> > I suggest that you raise this question on the Tomcat user list, someone
> > should be able to help you with this configuration issue there.
>
> I'll ask, but the impression I get from reading around is that web.xml
> should simply be edited.
>
> > I don't think we can do much at the packaging level to help you though.
>
> If it turns out that the above is correct, then I think that the Debian
> package should be able to enable this (eg by making web.xml a symlink to
> somewhere where it can be a conffile).
>
> I'll report back here either way!

Hi,

Here's a useful response from someone on the tomcat-users list, who seems
to agree that this is something that should be changed at the Debian side.

Dominic.
---BeginMessage---
On 15/04/2015 05:28, Dominic Hargreaves wrote:
> Hello,
>
> This is reposted from [1] and [2]; the Debian maintainers of the package
> suggested I ask for advice here.
>
> I am running the Tomcat manager application via a Debian package
> (tomcat8-admin), which deploys the webapp from
> /usr/share/tomcat8-admin/manager. We ran into a problem hitting the
> maximum upload size (configured as the multipart-config element in the
> HTMLManager servlet block). This is easy to fix if you're willing to
> edit Debian-packaged files, but this is incorrect: files in /usr/share
> are owned exclusively by dpkg. Is there a way to override this element
> from somewhere in tomcat's conf directory (which is symlinked to
> /etc/tomcat8 in Debian)?

No. The web application setting would take priority.

> Searching for this problem on the web only results in suggestions about
> editing web.xml directly (eg http://www.giantgeek.com/blog/?p=1000) or
> about different programming approaches using context parameters (if I
> understand correctly; I'm not especially familiar with the jargon).
>
> If it's not possible to override this at the moment, then is this a bug
> in Tomcat, or the Debian packaging?

I'd say the bug is in the Debian packaging (but I would say that
wouldn't I).

Without knowing how Tomcat is packaged in Debian, I would expect the following:
- the Manager web application to be a separate, optional package
- the web.xml to be placed in an appropriate location for users to be
able to edit it.

I took a quick look through the web.xml for the Manager app. There are
plenty of settings I wouldn't expect to change but there are a handful
of things that users might want to tweak.

In theory, it should be possible to move those settings to context.xml
but that would require code changes and would mean doing things that were
contrary to the spirit of the servlet spec so there would likely be
resistance to such changes from the Tomcat community.

One option would be for Debian to use external entities for the
configurable elements and place the file that defines those entities
somewhere where users can edit it.

> Of course I could maintain a local version of the Debian package with
> this overridden, but for such an apparently-obvious piece of configuration
> that seems wrong too.

Agreed.

Mark




---End Message---
__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.

jenkins REMOVED from testing

2015-04-15 Thread Debian testing watch
FYI: The status of the jenkins source package
in Debian's testing distribution has changed.

  Previous version: 1.565.3-3
  Current version:  (not in testing)
  Hint: http://release.debian.org/britney/hints/nthykier
#2015-04-08; done 2015-04-15
# https://lists.debian.org/552554b7.7070...@thykier.net

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



jenkins-antisamy-markup-formatter-plugin REMOVED from testing

2015-04-15 Thread Debian testing watch
FYI: The status of the jenkins-antisamy-markup-formatter-plugin source package
in Debian's testing distribution has changed.

  Previous version: 1.2-1
  Current version:  (not in testing)
  Hint: http://release.debian.org/britney/hints/nthykier
#2015-04-08; done 2015-04-15
# https://lists.debian.org/552554b7.7070...@thykier.net

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



jenkins-instance-identity REMOVED from testing

2015-04-15 Thread Debian testing watch
FYI: The status of the jenkins-instance-identity source package
in Debian's testing distribution has changed.

  Previous version: 1.4-1
  Current version:  (not in testing)
  Hint: http://release.debian.org/britney/hints/nthykier
#2015-04-08; done 2015-04-15
# https://lists.debian.org/552554b7.7070...@thykier.net

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



jenkins-matrix-auth-plugin REMOVED from testing

2015-04-15 Thread Debian testing watch
FYI: The status of the jenkins-matrix-auth-plugin source package
in Debian's testing distribution has changed.

  Previous version: 1.2-1
  Current version:  (not in testing)
  Hint: http://release.debian.org/britney/hints/nthykier
#2015-04-08; done 2015-04-15
# https://lists.debian.org/552554b7.7070...@thykier.net

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



jenkins-ssh-cli-auth REMOVED from testing

2015-04-15 Thread Debian testing watch
FYI: The status of the jenkins-ssh-cli-auth source package
in Debian's testing distribution has changed.

  Previous version: 1.2-1
  Current version:  (not in testing)
  Hint: http://release.debian.org/britney/hints/nthykier
#2015-04-08; done 2015-04-15
# https://lists.debian.org/552554b7.7070...@thykier.net

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



jenkins-matrix-project-plugin REMOVED from testing

2015-04-15 Thread Debian testing watch
FYI: The status of the jenkins-matrix-project-plugin source package
in Debian's testing distribution has changed.

  Previous version: 1.3-1
  Current version:  (not in testing)
  Hint: http://release.debian.org/britney/hints/nthykier
#2015-04-08; done 2015-04-15
# https://lists.debian.org/552554b7.7070...@thykier.net

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



jenkins-ant-plugin REMOVED from testing

2015-04-15 Thread Debian testing watch
FYI: The status of the jenkins-ant-plugin source package
in Debian's testing distribution has changed.

  Previous version: 1.2-1
  Current version:  (not in testing)
  Hint: http://release.debian.org/britney/hints/nthykier
#2015-04-08; done 2015-04-15
# https://lists.debian.org/552554b7.7070...@thykier.net

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



jenkins-mailer-plugin REMOVED from testing

2015-04-15 Thread Debian testing watch
FYI: The status of the jenkins-mailer-plugin source package
in Debian's testing distribution has changed.

  Previous version: 1.11-1
  Current version:  (not in testing)
  Hint: http://release.debian.org/britney/hints/nthykier
#2015-04-08; done 2015-04-15
# https://lists.debian.org/552554b7.7070...@thykier.net

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



Bug#758086: CVE-2014-3577: Apache HttpComponents hostname verification bypass

2015-04-15 Thread Sébastien Delafond
On Apr/15, Markus Koschany wrote:
> I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The
> patch is identical to the Jessie / Sid fix. Do you consider this
> vulnerability important enough for a DSA or do you prefer a point
> release update?

Hi Markus,

this issue was marked no-dsa some time ago (see
https://security-tracker.debian.org/tracker/CVE-2014-3577), so a
point-release update will be the way to go.

Cheers,

--Seb



Bug#782660: java-package: Provide a transitional way for the package name

2015-04-15 Thread Bernhard Schmidt
Package: java-package
Version: 0.52
Severity: normal

Hi,

during the 0.52 cycle the package names were changed from (i.e.)

oracle-j2re1.7

to

oracle-java7-jre

While I generally think the new names are cleaner the old package is not
replaced by the new package automatically.

I can think of two ways for this to happen.

a) add appropriate Breaks+Replaces to the generated package
b) document a way to build transitional packages

I have attached our local way of doing b) here. Probably not perfect,
but seems to do the job.

Best Regards,
Bernhard


lrz-java-transitional.tar.gz
Description: application/gzip

Bug#758086: CVE-2014-3577: Apache HttpComponents hostname verification bypass

2015-04-15 Thread Markus Koschany
Hello security team,

I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The
patch is identical to the Jessie / Sid fix. Do you consider this
vulnerability important enough for a DSA or do you prefer a point
release update?

Regards,

Markus

[1] https://bugs.debian.org/758086
diff -Nru commons-httpclient-3.1/debian/ant.properties 
commons-httpclient-3.1/debian/ant.properties
--- commons-httpclient-3.1/debian/ant.properties2011-08-30 
11:42:03.0 +0200
+++ commons-httpclient-3.1/debian/ant.properties2015-04-15 
21:24:54.0 +0200
@@ -1,5 +1,5 @@
 # JSSE stub classes required for build
 lib.dir=/usr/share/java
 #jsse.jar=/usr/share/java/jsse.jar
-ant.build.javac.source=1.4
-ant.build.javac.target=1.4
+ant.build.javac.source=1.5
+ant.build.javac.target=1.5
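Review bot: the reason for raising both `ant.build.javac.source` and `ant.build.javac.target` from 1.4 to 1.5 is recorded only in the changelog ("otherwise commons-httpclient will not compile with this patch"); a one-line comment above these two properties naming the CVE-2014-3577 patch as the cause would keep ant.properties self-explanatory for whoever prepares the next stable update. Raising `target` also changes the class-file version of the shipped jar, which is worth a sentence in the changelog for anyone rebuilding reverse dependencies on wheezy.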
diff -Nru commons-httpclient-3.1/debian/changelog 
commons-httpclient-3.1/debian/changelog
--- commons-httpclient-3.1/debian/changelog 2012-12-06 14:41:48.0 
+0100
+++ commons-httpclient-3.1/debian/changelog 2015-04-15 21:24:54.0 
+0200
@@ -1,3 +1,20 @@
+commons-httpclient (3.1-10.2+deb7u1) wheezy-security; urgency=high
+
+  * Team upload.
+  * Add CVE-2014-3577.patch. (Closes: #758086)
+It was found that the fix for CVE-2012-6153 was incomplete: the code added
+to check that the server hostname matches the domain name in a subject's
+Common Name (CN) field in X.509 certificates was flawed. A
+man-in-the-middle attacker could use this flaw to spoof an SSL server using
+a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
+intended to address the incomplete patch for CVE-2012-5783. The issue is
+now completely resolved by applying this patch and the
+06_fix_CVE-2012-5783.patch.
+  * Change java.source and java.target ant properties to 1.5, otherwise
+commons-httpclient will not compile with this patch.
+
+ -- Markus Koschany a...@gambaru.de  Wed, 15 Apr 2015 21:24:48 +0200
+
 commons-httpclient (3.1-10.2) unstable; urgency=low
 
   * Non-maintainer upload.
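Review bot: the first line of the new entry targets `wheezy-security` with `urgency=high`, but the security team's reply in this thread is that CVE-2014-3577 is marked no-dsa and should go through a point release; for a stable proposed-updates upload the distribution should be `wheezy` (the `+deb7u1` version suffix can stay as it is). The `(Closes: #758086)` reference and the explanation of why `06_fix_CVE-2012-5783.patch` must stay applied alongside the new patch are otherwise exactly what a reader of the changelog needs.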
diff -Nru commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch 
commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch
--- commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch   1970-01-01 
01:00:00.0 +0100
+++ commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch   2015-04-15 
21:24:54.0 +0200
@@ -0,0 +1,110 @@
+From: Markus Koschany a...@gambaru.de
+Date: Mon, 23 Mar 2015 22:45:14 +0100
+Subject: CVE-2014-3577
+
+It was found that the fix for CVE-2012-6153 was incomplete: the code added to
+check that the server hostname matches the domain name in a subject's Common
+Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker
+could use this flaw to spoof an SSL server using a specially crafted X.509
+certificate.
+The fix for CVE-2012-6153 was intended to address the incomplete patch for
+CVE-2012-5783. This means the issue is now completely resolved by applying
+this patch and the 06_fix_CVE-2012-5783.patch.
+
+References:
+
+upstream announcement:
+https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
+
+Fedora-Fix:
+http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch
+
+CentOS-Fix:
+https://git.centos.org/blob/rpms!jakarta-commons-httpclient/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
+
+Debian-Bug: https://bugs.debian.org/758086
+Forwarded: not-needed, already fixed
+---
+ .../protocol/SSLProtocolSocketFactory.java | 57 ++
+ 1 file changed, 37 insertions(+), 20 deletions(-)
+
+diff --git 
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java 
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index fa0acc7..e6ce513 100644
+--- 
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
 
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
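Review bot: the DEP-3 header has no `Origin:` field even though the Fedora and CentOS patches it was taken from are listed under `References:`; with `Forwarded: not-needed, already fixed`, an `Origin: backport, <URL>` line pointing at the upstream commit or the distribution patch this one was derived from would let the next updater tell which of the three listed fixes this copy tracks. The DEP-3 field for the bug link is `Bug-Debian:` rather than `Debian-Bug:`; tooling that reads patch headers keys on the standard name.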
+@@ -44,9 +44,15 @@ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
+ import java.util.regex.Pattern;
+ 
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
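Review bot: the import changes show the shape of the fix, `java.util.StringTokenizer` going away and `javax.naming.ldap.LdapName`/`Rdn` plus `InvalidNameException` coming in, i.e. the subject is to be parsed as an RFC 2253 distinguished name instead of being split on commas. Two things to check in the (not yet visible) body: that an `InvalidNameException` thrown while parsing the subject is turned into a verification failure (an `SSLException`) rather than a null CN that silently skips the hostname check, and that `javax.naming.directory.Attribute`/`Attributes` and `java.util.NoSuchElementException` are actually used, otherwise drop those imports to keep the backport minimal.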
+@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements 
SecureProtocolSocketFactory {
+   return dots;
+   }
+ 
+-  private static String getCN(X509Certificate cert) {
+-// Note:  toString() seems to do a better job than getName()
+-//
+-// For example, getName() gives me this:
+-// 
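Review bot: the archive copy of the patch stops here, inside the hunk that rewrites `getCN` (only the first removed comment lines are visible), so the replacement `getCN` body, the rest of the 110-line patch file and how parsing failures are handled cannot be reviewed from this message; the complete debdiff should be taken from https://bugs.debian.org/758086 before sign-off. What is visible confirms the diagnosis in the description: the old implementation worked on the `toString()` rendering of the subject (per the removed comment), which is the string-splitting approach the advisory text above calls flawed.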

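As an added illustration of the flaw described in the changelog entry above and of the RFC 2253 parsing that the patch's new `LdapName`/`Rdn` imports point to (example code written for this page, not commons-httpclient's own `getCN`; the subject DN is a constructed test vector and `hostnameMatchesCn` is a simplified stand-in for the real hostname check):

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Two ways of pulling the CN out of a certificate subject: splitting the
 * DN's string form on commas (the approach the CVE-2014-3577 advisory calls
 * flawed) versus parsing it as an RFC 2253 DN with LdapName/Rdn.
 * This is illustrative code for this page, not the library's implementation.
 */
public class SubjectCnExtraction {

    /** Naive extraction: first comma-separated token that starts with "CN=". */
    static String naiveCn(String subjectDn) {
        for (String token : subjectDn.split(",")) {
            String t = token.trim();
            if (t.length() > 3 && t.substring(0, 3).equalsIgnoreCase("CN=")) {
                return t.substring(3);
            }
        }
        return null;
    }

    /** RFC 2253-aware extraction: every CN attribute value, unescaped. */
    static List<String> parsedCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<String>();
        LdapName dn = new LdapName(subjectDn);   // throws if the DN is malformed
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }

    /** Simplified hostname check that fails closed when the subject cannot be parsed. */
    static boolean hostnameMatchesCn(String hostname, String subjectDn) {
        try {
            for (String cn : parsedCns(subjectDn)) {
                if (cn.equalsIgnoreCase(hostname)) {
                    return true;
                }
            }
            return false;
        } catch (InvalidNameException e) {
            return false;   // unparseable subject: no match, never skip the check
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed test vector: the O value contains an escaped comma followed by
        // the text "CN=www.bank.example"; the only real CN is attacker.example.
        String dn = "O=Example\\,CN=www.bank.example,CN=attacker.example,C=XX";

        System.out.println("naive CN  : " + naiveCn(dn));
        System.out.println("parsed CNs: " + parsedCns(dn));
        System.out.println("www.bank.example matches? "
                + hostnameMatchesCn("www.bank.example", dn));
        System.out.println("attacker.example matches? "
                + hostnameMatchesCn("attacker.example", dn));
    }
}
```

The comma split picks up the text inside the O value as if it were a CN, while the LdapName parse keeps it as part of O and reports only the genuine CN.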
Bug#782635: tomcat8-admin: Default upload limit for manager app too small with no way to override

2015-04-15 Thread Emmanuel Bourg
Le 15/04/2015 16:05, Dominic Hargreaves a écrit :

> Here's a useful response from someone on the tomcat-users list, who seems
> to agree that this is something that should be changed at the Debian side.

Here is the link for the reference:

http://mail-archives.apache.org/mod_mbox/tomcat-users/201504.mbox/%3C552E688C.6080600%40apache.org%3E

As I understand, the web.xml file of the manager application should be
moved to /etc/tomcat8, symlinked to
/usr/share/tomcat8-admin/manager/WEB-INF. Do you think you could provide
a patch implementing this change?



Bug#782635: tomcat8-admin: Default upload limit for manager app too small with no way to override

2015-04-15 Thread Dominic Hargreaves
On Wed, Apr 15, 2015 at 12:13:56PM +0200, Emmanuel Bourg wrote:
> The web.xml file of the manager application is packaged as is, there is
> no difference with the file distributed upstream.
>
> I suggest that you raise this question on the Tomcat user list, someone
> should be able to help you with this configuration issue there.

I'll ask, but the impression I get from reading around is that web.xml
should simply be edited.

> I don't think we can do much at the packaging level to help you though.

If it turns out that the above is correct, then I think that the Debian
package should be able to enable this (eg by making web.xml a symlink to
somewhere where it can be a conffile).

I'll report back here either way!

Cheers,
Dominic.



Bug#782635: tomcat8-admin: Default upload limit for manager app too small with no way to override

2015-04-15 Thread Dominic Hargreaves
Package: tomcat8-admin
Version: 8.0.14-1
Severity: normal

Hi,

I found that the manager app file upload limit was too small for our
purposes.

As per [1] I've been unable to find a way to override the maximum file
upload size defined in web.xml without editing web.xml directly, which is
obviously the wrong thing to do. At the moment this feels like a bug
either in the packaging of tomcat8-admin or Tomcat itself, but it's
equally possible that the bug is in my understanding of how configuring
Tomcat is supposed to work, in which case any hints would be appreciated.

Cheers,
Dominic.

[1] http://serverfault.com/questions/681211/overriding-parts-of-a-webapps-web-xml-in-tomcat-eg-manager-application-max-fil



Bug#782635: tomcat8-admin: Default upload limit for manager app too small with no way to override

2015-04-15 Thread Emmanuel Bourg
Hi Dominic,

The web.xml file of the manager application is packaged as is, there is
no difference with the file distributed upstream.

I suggest that you raise this question on the Tomcat user list, someone
should be able to help you with this configuration issue there.

I don't think we can do much at the packaging level to help you though.

Emmanuel Bourg
