Your message dated Thu, 01 Dec 2016 18:20:30 +0000
with message-id <e1ccvya-0008hm...@fasolo.debian.org>
and subject line Bug#845385: fixed in tomcat8 8.5.8-2
has caused the Debian Bug report #845385,
regarding Privilege escalation via removal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
845385: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845385
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat8
Version: 8.0.14-1+deb8u4
Severity: critical
Tags: security

Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
writable by group tomcat8, as per the postinst script. Then the tomcat8
user, in the situation envisaged in DSA-3670 and DSA-3720, see also
  http://seclists.org/fulldisclosure/2016/Oct/4
could use something like commands
  touch /etc/tomcat8/Catalina/attack
  chmod 2747 /etc/tomcat8/Catalina/attack
to create a file:
  # ls -l /etc/tomcat8/Catalina/attack
  -rwxr-Srwx 1 tomcat8 tomcat8 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
Then if the tomcat8 package is removed (purged?), the postrm script runs
  chown -Rhf root:root /etc/tomcat8/
and that will leave the file world-writable, setgid root:
  # ls -l /etc/tomcat8/Catalina/attack
  -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
allowing "group root" access to the world.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

--- End Message ---
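The hazard in the report above is a recursive chown applied to a tree where an unprivileged user could plant files with setgid or world-write bits. The following is an added example (not the Debian package's postrm and not the reporter's code): a maintainer-script helper that audits a tree for such files and clears the bits before re-owning it. It assumes a scratch directory stands in for /etc/tomcat8/Catalina and that the caller may chown to the owner it passes.

```shell
#!/bin/sh
# Added example (not from the tomcat8 package): neutralise setuid/setgid and
# world-write bits on regular files before a recursive chown, so that
# "chown -R root:root" cannot turn a user-created file into a root-owned,
# setgid, world-writable one.

# Count regular files under $1 carrying setuid, setgid or world-write bits.
count_dangerous() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \) \
        | wc -l | tr -d ' '
}

# Clear those bits on regular files under $1 (symlinks are not followed).
strip_dangerous_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \) \
        -exec chmod u-s,g-s,o-w {} +
}

# Re-own a tree the way the postrm did, but only after the bits are gone.
# $1 = directory, $2 = owner:group (assumption: caller may chown to $2).
safe_chown_tree() {
    strip_dangerous_bits "$1"
    chown -Rhf "$2" "$1"
}

# Constructed demonstration: a temporary directory standing in for
# /etc/tomcat8/Catalina, with one file set up exactly as in the bug report.
demo_dir=$(mktemp -d)
touch "$demo_dir/attack"
chmod 2747 "$demo_dir/attack"
before=$(count_dangerous "$demo_dir")                 # 1
safe_chown_tree "$demo_dir" "$(id -un):$(id -gn)"
after=$(count_dangerous "$demo_dir")                  # 0
printf 'dangerous files before: %s, after: %s\n' "$before" "$after"
rm -rf "$demo_dir"
```

Running count_dangerous over a configuration tree before purge is also a cheap detection for the condition the report describes.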
--- Begin Message ---
Source: tomcat8
Source-Version: 8.5.8-2

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 845...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 01 Dec 2016 18:41:14 +0100
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.5.8-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 833261 843135 845385 845393 845661
Changes:
 tomcat8 (8.5.8-2) unstable; urgency=medium
 .
   * Team upload.
   * Upload to unstable.
   * No longer make /etc/tomcat8/Catalina/localhost writable by the tomcat8 user
     in the postinst script (Closes: #845393)
   * The tomcat8 user is no longer removed when the package is purged
     (Closes: #845385)
   * Compress and remove the access log files with a .txt extension
     (Closes: #845661)
   * Added the delaycompress option to the logrotate configuration
     of catalina.out (Closes: #843135)
   * Changed the home directory for the tomcat8 user from /usr/share/tomcat8
     to /var/lib/tomcat8 (Closes: #833261)
   * Aligned the logging configuration with the upstream one
   * Set the proper permissions for /etc/tomcat8/jaspic-providers.xml
   * Install the new library jaspic-api.jar
   * Install the Maven artifacts for tomcat-storeconfig
   * Simplified debian/rules
Checksums-Sha1:
Checksums-Sha256:
Files:


--- End Message ---