tomcat7_7.0.62-1_amd64.changes ACCEPTED into unstable

2015-05-27 Thread Debian FTP Masters


Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 27 May 2015 11:43:31 +0200
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.62-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg ebo...@apache.org
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7 - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat7 (7.0.62-1) unstable; urgency=medium
 .
   * New upstream release
     - Refreshed the patches
   * Replaced the date in ServerInfo.properties and in the documentation
     with the latest date in debian/changelog to make the build reproducible
   * debian/rules:
     - Modified to use the dh sequencer
     - Simplified the ant invocation and moved some properties
       to debian/ant.properties
     - Do not set the version.* properties already defined
       in build.properties.default
     - Renamed T_VER to VERSION
     - Removed the RWFILES and RWLOC variables
     - Merged the ANT_ARGS and ANT_INVOKE variables
     - No longer remove the long gone .svn directories under
       /usr/share/tomcat8/webapps/default_root
     - Let dh_fixperms set the permissions instead of calling chmod +x
     - Use debian/tomcat7-user.manpages instead of calling dh_installman
     - Updated the copyright year in the Javadoc

Processing of tomcat7_7.0.62-1_amd64.changes

2015-05-27 Thread Debian FTP Masters
tomcat7_7.0.62-1_amd64.changes uploaded successfully to localhost
along with the files:
  tomcat7_7.0.62-1.dsc
  tomcat7_7.0.62.orig.tar.xz
  tomcat7_7.0.62-1.debian.tar.xz
  tomcat7-common_7.0.62-1_all.deb
  tomcat7_7.0.62-1_all.deb
  tomcat7-user_7.0.62-1_all.deb
  libtomcat7-java_7.0.62-1_all.deb
  libservlet3.0-java_7.0.62-1_all.deb
  libservlet3.0-java-doc_7.0.62-1_all.deb
  tomcat7-admin_7.0.62-1_all.deb
  tomcat7-examples_7.0.62-1_all.deb
  tomcat7-docs_7.0.62-1_all.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#787010: tomcat6: CVE-2014-7810: Security Manager bypass by expression language

2015-05-27 Thread Santiago Ruano Rincón
Source: tomcat6
Version: 6.0.41-2+squeeze6
Severity: normal
Tags: security patch upstream fixed-upstream

Dear Debian Java maintainers,

The Tomcat security team has identified a security issue [cve] that
allows malicious web applications to bypass the Security Manager, by the
use of expression language. The code related to this vulnerability is
present in squeeze and wheezy.

I have prepared the attached patches for squeeze, based on [fix].

[cve] https://security-tracker.debian.org/tracker/CVE-2014-7810
[fix] http://svn.apache.org/viewvc?view=revision&revision=1645366
      http://svn.apache.org/viewvc?view=revision&revision=1659538

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Please adjust the affected versions in the BTS as needed.

Cheers!

Santiago

P.S. This is part of my first security bug reports against tomcat.
Please let me know how I can improve them.
Description: Fix potential BeanELResolver issue when running under a security manager.
 Some classes may not be accessible but may have accessible interfaces.
 This is part of the fix for CVE-2014-7810
Origin: http://svn.apache.org/viewvc?view=revision&revision=1645366

--- a/java/javax/el/BeanELResolver.java
+++ b/java/javax/el/BeanELResolver.java
@@ -188,25 +188,49 @@
 		return null;
 	}
 
-	protected final static class BeanProperties {
-		private final MapString, BeanProperty properties;
+protected final static class BeanProperties {
+private final MapString, BeanProperty properties;
 
-		private final Class? type;
+private final Class? type;
 
-		public BeanProperties(Class? type) throws ELException {
-			this.type = type;
-			this.properties = new HashMapString, BeanProperty();
-			try {
-BeanInfo info = Introspector.getBeanInfo(this.type);
-PropertyDescriptor[] pds = info.getPropertyDescriptors();
-for (int i = 0; i  pds.length; i++) {
-	this.properties.put(pds[i].getName(), new BeanProperty(
-			type, pds[i]));
-}
-			} catch (IntrospectionException ie) {
-throw new ELException(ie);
-			}
-		}
+public BeanProperties(Class? type) throws ELException {
+this.type = type;
+this.properties = new HashMapString, BeanProperty();
+try {
+BeanInfo info = Introspector.getBeanInfo(this.type);
+PropertyDescriptor[] pds = info.getPropertyDescriptors();
+for (PropertyDescriptor pd: pds) {
+this.properties.put(pd.getName(), new BeanProperty(type, pd));
+}
+if (System.getSecurityManager() != null) {
+// When running with SecurityManager, some classes may be
+// not accessible, but have accessible interfaces.
+populateFromInterfaces(type);
+}
+} catch (IntrospectionException ie) {
+throw new ELException(ie);
+}
+}
+
+private void populateFromInterfaces(Class? aClass) throws IntrospectionException {
+Class? interfaces[] = aClass.getInterfaces();
+if (interfaces.length  0) {
+for (Class? ifs : interfaces) {
+BeanInfo info = Introspector.getBeanInfo(ifs);
+PropertyDescriptor[] pds = info.getPropertyDescriptors();
+for (PropertyDescriptor pd : pds) {
+if (!this.properties.containsKey(pd.getName())) {
+this.properties.put(pd.getName(), new BeanProperty(
+this.type, pd));
+}
+}
+}
+}
+Class? superclass = aClass.getSuperclass();
+if (superclass != null) {
+populateFromInterfaces(superclass);
+}
+}
 
 		private BeanProperty get(ELContext ctx, String name) {
 			BeanProperty property = this.properties.get(name);
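Review bot: this hunk re-indents the whole BeanProperties class (the removed and added "protected final static class BeanProperties {" lines differ only in whitespace) and converts the indexed loop to a for-each in the same change that adds the System.getSecurityManager() != null branch and populateFromInterfaces. For a security backport, keep the existing indentation and loop so the diff shows only the functional addition and is easier to audit against the upstream revision. In populateFromInterfaces, the interfaces.length guard is redundant because a for-each over an empty array does nothing, and the method would benefit from a short comment saying that the containsKey check lets descriptors found on the class itself take precedence over those found on its interfaces and superclasses.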
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -952,6 +952,15 @@
   /fix
 /changelog
   /subsection
+  subsection name=Jasper
+changelog
+  fix
+Fix potential issue with BeanELResolver when running under a security
+manager. Some classes may not be accessible but may have accessible
+interfaces. (markt)
+  /fix
+/changelog
+  /subsection
   subsection name=Web applications
 changelog
   fix
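Review bot: the changelog text added under the new Jasper subsection does not mention CVE-2014-7810, although the patch header states that the change is part of that fix. Either add the CVE id to the entry or drop this documentation-only hunk from the backport, since its position (@@ -952,6 +952,15 @@) depends on the surrounding changelog entries and it has no effect on the fix itself.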
Description: Backport some Jasper clean-up that might provide a marginal performance improvement.
 Even if it doesn't it removes some unnecessary code.
 This is part of the fix for CVE-2014-7810
Origin: http://svn.apache.org/viewvc?view=revision&revision=1659538

--- a/java/org/apache/jasper/runtime/PageContextImpl.java
+++ b/java/org/apache/jasper/runtime/PageContextImpl.java
@@ -5,9 +5,9 @@
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the 
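Review bot: the first hunk of PageContextImpl.java (@@ -5,9 +5,9 @@) starts inside the ASF licence header (the visible context lines are licence text), which is not where a security fix would be expected. The patch description calls this change a clean-up with a possible marginal performance improvement and also part of the fix for CVE-2014-7810; state in the description which parts of the backport the fix depends on, and leave header-only changes out of it.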

Processed: found 787010 in 6.0.41-1

2015-05-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 found 787010 6.0.41-1
Bug #787010 [src:tomcat6] tomcat6: CVE-2014-7810: Security Manager bypass by 
expression language
Marked as found in versions tomcat6/6.0.41-1.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
787010: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787010
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: found 787010 in 6.0.35-1, fixed 787010 in 6.0.41-3

2015-05-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 found 787010 6.0.35-1
Bug #787010 [src:tomcat6] tomcat6: CVE-2014-7810: Security Manager bypass by 
expression language
Marked as found in versions tomcat6/6.0.35-1.
 # some version tracking update for the BTS
 fixed 787010 6.0.41-3
Bug #787010 [src:tomcat6] tomcat6: CVE-2014-7810: Security Manager bypass by 
expression language
Marked as fixed in versions tomcat6/6.0.41-3.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
787010: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787010
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



libxmpcore-java 5.1.2-3 MIGRATED to testing

2015-05-27 Thread Debian testing watch
FYI: The status of the libxmpcore-java source package
in Debian's testing distribution has changed.

  Previous version: 5.1.2-2
  Current version:  5.1.2-3

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



Processed: Re: jruby: has poor cryptographic support

2015-05-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 743746 + confirmed
Bug #743746 [jruby] jruby: has poor cryptographic support
Added tag(s) confirmed.
 owner 743746 !
Bug #743746 [jruby] jruby: has poor cryptographic support
Owner recorded as Miguel Landaeta nomad...@debian.org.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
743746: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743746
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#743746: jruby: has poor cryptographic support

2015-05-27 Thread Miguel Landaeta
tags 743746 + confirmed
owner 743746 !
thanks

On Sat, Apr 05, 2014 at 09:52:25PM +, brian m. carlson wrote:
> Package: jruby
> Version: 1.5.6-7
> Severity: normal
>
> JRuby has really bad cryptographic support.  First, many algorithms are
> missing.  The output directs me to the jruby-openssl gem, but that isn't
> packaged.  If JRuby requires that gem in order to be as functional as
> MRI, then it needs to be packaged and be an appropriate dependency (at
> least a Recommends, if not a Depends) of jruby.  In this era,
> cryptography is not an optional component.

Hi Brian,

Sorry for the delay in answering this issue.

We (pkg-java team) intend to upload very soon an updated package with
a new upstream release (1.7.19).

I'm aware of this issue, jruby-openssl needs to be packaged and we
will take care of it soon.

Thanks,

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
Faith means not wanting to know what is true. -- Nietzsche



glassfish 1:2.1.1-b31g+dfsg1-3 MIGRATED to testing

2015-05-27 Thread Debian testing watch
FYI: The status of the glassfish source package
in Debian's testing distribution has changed.

  Previous version: 1:2.1.1-b31g+dfsg1-2
  Current version:  1:2.1.1-b31g+dfsg1-3

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



libzeus-jscl-java_1.72-1_amd64.changes REJECTED

2015-05-27 Thread Thorsten Alteholz

Hi Andreas,

please take care of src/gr/zeus/res/eclipse-icons-license.txt

Thanks!
 Thorsten

===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.




japi-compliance-checker 1.4.1-1 MIGRATED to testing

2015-05-27 Thread Debian testing watch
FYI: The status of the japi-compliance-checker source package
in Debian's testing distribution has changed.

  Previous version: 1.3.7-1
  Current version:  1.4.1-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



Processed: your mail

2015-05-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 owner 663342 !
Bug #663342 [jruby] jruby: Please add /usr/lib/ruby/vendor_ruby to the default 
$LOAD_PATH
Owner recorded as Miguel Landaeta nomad...@debian.org.
 tags 663342 + confirmed pending
Bug #663342 [jruby] jruby: Please add /usr/lib/ruby/vendor_ruby to the default 
$LOAD_PATH
Added tag(s) confirmed and pending.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
663342: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663342
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processing of libzeus-jscl-java_1.72-1_amd64.changes

2015-05-27 Thread Debian FTP Masters
libzeus-jscl-java_1.72-1_amd64.changes uploaded successfully to localhost
along with the files:
  libzeus-jscl-java_1.72-1.dsc
  libzeus-jscl-java_1.72.orig.tar.xz
  libzeus-jscl-java_1.72-1.debian.tar.xz
  libzeus-jscl-java-doc_1.72-1_all.deb
  libzeus-jscl-java_1.72-1_all.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



Re: libzeus-jscl-java_1.72-1_amd64.changes REJECTED

2015-05-27 Thread Andreas Tille
Done.
Thanks for checking

Andreas.

On Wed, May 27, 2015 at 05:00:13PM +, Thorsten Alteholz wrote:
 
> Hi Andreas,
>
> please take care of src/gr/zeus/res/eclipse-icons-license.txt
>
> Thanks!
>  Thorsten
>
> ===
>
> Please feel free to respond to this email if you don't understand why
> your files were rejected, or if you upload new files which address our
> concerns.
 
 

-- 
http://fam-tille.de



Bug#663342: /usr/lib/ruby/vendor_ruby now in $LOAD_PATH

2015-05-27 Thread Potter, Tim (Cloud Services)
It looks like this has been fixed, at least in sid:

root@56264f4d8fa9:/Source/pkg-java/jruby# cat /etc/issue
Debian GNU/Linux 8 \n \l

root@56264f4d8fa9:/Source/pkg-java/jruby# ruby -v
ruby 2.1.5p273 (2014-11-13) [x86_64-linux-gnu]

root@56264f4d8fa9:/Source/pkg-java/jruby# irb
irb(main):001:0> puts $LOAD_PATH
/usr/local/lib/site_ruby/2.1.0
/usr/local/lib/x86_64-linux-gnu/site_ruby
/usr/local/lib/site_ruby
/usr/lib/ruby/vendor_ruby/2.1.0
/usr/lib/x86_64-linux-gnu/ruby/vendor_ruby/2.1.0
/usr/lib/ruby/vendor_ruby
/usr/lib/ruby/2.1.0
/usr/lib/x86_64-linux-gnu/ruby/2.1.0
=> nil




libzeus-jscl-java_1.72-1_amd64.changes is NEW

2015-05-27 Thread Debian FTP Masters
binary:libzeus-jscl-java is NEW.
binary:libzeus-jscl-java-doc is NEW.
source:libzeus-jscl-java is NEW.

Your package has been put into the NEW queue, which requires manual action
from the ftpteam to process. The upload was otherwise valid (it had a good
OpenPGP signature and file hashes are valid), so please be patient.

Packages are routinely processed through to the archive, and do feel
free to browse the NEW queue[1].

If there is an issue with the upload, you will receive an email from a
member of the ftpteam.

If you have any questions, you may reply to this email.

[1]: https://ftp-master.debian.org/new.html
