Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-09 Thread Felix Knecht
I can also confirm that 7.0.28-4+deb7u17 works on our server again.

__
This is the maintainer address of Debian's Java team. Please use debian-j...@lists.debian.org for discussions and questions.


Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-09 Thread Russell Jackson
On 11/09/2017 05:47 AM, Markus Koschany wrote:
> updated packages for testing are available at:
> 
> https://people.debian.org/~roberto/
> 
> Any feedback is appreciated. 

I can confirm that the u17 revision packages resolve the 404 issue
for us. I haven't tested it beyond seeing if the context loads and
serves up the initial page.

Many thanks.

-- 
Russell A Jackson
Information Security and Emerging Technologies
California State University, San Bernardino



Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-09 Thread Markus Koschany
Hello,

updated packages for testing are available at:

https://people.debian.org/~roberto/

Any feedback is appreciated. Roberto's analysis of the problem can be
found at:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881162#41
Thanks

Markus


Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-08 Thread Roberto C. Sánchez
On Wed, Nov 08, 2017 at 03:03:06PM +0100, Markus Koschany wrote:
> Thank you for the report. There was a recent security update of Tomcat 7
> which is the likely cause for this issue.
> 
> Roberto can you take a look please?
> 
Hi Markus & others,

I was able to identify the cause of the regression that I introduced.

There are updated packages here: https://people.debian.org/~roberto/

My testing this time around was more thorough and I believe that this
update properly addresses the CVE without introducing a regression.  If
some intrepid souls could test these packages and give a thumbs up, I
will upload the packages in the next 12-18 hours and then release an
updated advisory.

Here is my proposed advisory text:



The update for tomcat7 issued as DLA-1166-1 caused a regression whereby every
request, including for the root document (/), returned HTTP status 404. Updated
packages are now available to address this problem. For reference, the original
advisory text follows.

When HTTP PUT was enabled (e.g., via setting the readonly initialization
parameter of the Default servlet to false) it was possible to upload a JSP
file to the server via a specially crafted request. This JSP could then be
requested and any code it contained would be executed by the server.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u17.



For those who are interested, the regression resulted from a combination
of two factors.

 - When incorporating one of the upstream change sets, an unclean patch
   application produced a .rej rejection file which I overlooked
 - When incorporating another upstream changeset, my attempt to
   integrate the minimal change was too minimal and left out an
   important additional change

These problems did not manifest themselves in my initial testing of the
7.0.28-4+deb7u16 packages because of browser caching.

I offer my apologies for causing this problem and my thanks for your
help in resolving it.

Regards,

-Roberto

-- 
Roberto C. Sánchez
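
The advisory above names one precondition for the JSP upload: the Default servlet's readonly init-param set to false. As an added example (not code from this thread or from the Debian tomcat7 packages), the following audit script parses a Tomcat web.xml and reports whether that precondition is present; the sample descriptor is constructed, and the parsing rule assumes Tomcat's Boolean.parseBoolean handling of the value.

```python
"""Added audit helper, not from the Debian tomcat7 packages or this thread: parse a
Tomcat conf/web.xml and report whether the Default servlet's 'readonly' init-param
has been turned off, the precondition the advisory names for JSP upload via PUT."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample descriptor carrying the weak setting (readonly=false).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def _local(tag):
    # Strip the XML namespace so lookups work whether or not xmlns is declared.
    return tag.rsplit("}", 1)[-1]

def default_servlet_readonly(web_xml_text):
    """Effective 'readonly' of the Default servlet (None if not declared). Tomcat
    treats a missing value as true and parses it with Boolean.parseBoolean, so
    only the literal 'true' (any case) keeps PUT/DELETE disabled."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET_CLASS:
            continue
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            params = {_local(c.tag): (c.text or "").strip() for c in ip}
            if params.get("param-name") == "readonly":
                return params.get("param-value", "").lower() == "true"
        return True  # declared without a readonly param: Tomcat's default is read-only
    return None

def audit(web_xml_text):
    """Return a list of findings; an empty list means the PUT precondition is absent."""
    readonly = default_servlet_readonly(web_xml_text)
    if readonly is None:
        return ["no DefaultServlet declaration found in web.xml"]
    if not readonly:
        return ["DefaultServlet readonly is off: HTTP PUT/DELETE reach static content"]
    return []
```

Run `audit()` over the conf/web.xml of each Tomcat instance; any non-empty result means the server accepts PUT for static content and the setting should be reverted before the rest of the advisory applies.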

Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-08 Thread Russell Jackson
Just adding a me too.

Update took out our entire app cluster last night.

Rolling back to previous version resolved outage.

-- 
Russell A Jackson
Information Security and Emerging Technologies
California State University, San Bernardino



Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-08 Thread Roberto C. Sánchez
On Wed, Nov 08, 2017 at 03:03:06PM +0100, Markus Koschany wrote:
> Thank you for the report. There was a recent security update of Tomcat 7
> which is the likely cause for this issue.
> 
> Roberto can you take a look please?
> 
Hi Markus,

I also received a direct email from another user this morning who was
experiencing a similar issue.  I will definitely take a look. 

Regards,

-Roberto

-- 
Roberto C. Sánchez



Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-08 Thread Markus Koschany
Thank you for the report. There was a recent security update of Tomcat 7
which is the likely cause for this issue.

Roberto can you take a look please?

Regards,

Markus


Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-08 Thread Schöke
We also have this problem.
It only occurs when using the secure mode
TOMCAT7_SECURITY=yes


Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-08 Thread Santiago Garcia Mantinan
Package: tomcat7
Version: 7.0.28-4+deb7u16
Severity: important

Dear Maintainer,

   * What led up to the situation?

Latest security update.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Installing version 7.0.28-4+deb7u4 (the one that came with last wheezy
version) instead of 7.0.28-4+deb7u16 (the one from security) solves the
problem.

I found the problem on machines that were running 7.0.28-4+deb7u15 ok and
after upgrading to 7.0.28-4+deb7u16 they stopped working, they reply with
404 to any request.

I then rolled back tomcat7, tomcat7-common and libtomcat7-java to version
7.0.28-4+deb7u4 which solved the problem (libtomcat7-java was the one that
solved it).

To see if this was some specific config we were using on our machines I
installed a clean tomcat7 today on the machine I'm sending the report from
(this machine didn't have tomcat7 installed). This installed the following
packages:

ca-certificates-java default-jre-headless fontconfig-config java-common
libasyncns0 libavahi-client3 libavahi-common-data libavahi-common3
libcommons-dbcp-java libcommons-pool-java libcups2 libdbus-1-3 libecj-java
libflac8 libfontconfig1 libice6 libjpeg8 libjson0 liblcms2-2 libnspr4
libnss3 libogg0 libpcsclite1 libpulse0 libsctp1 libservlet3.0-java libsm6
libsndfile1 libtomcat7-java libvorbis0a libvorbisenc2 libx11-6 libx11-data
libx11-xcb1 libxau6 libxcb1 libxdmcp6 libxext6 libxi6 libxtst6
openjdk-7-jre-headless tomcat7 tomcat7-common ttf-dejavu-core tzdata-java
x11-common

Without touching anything, going to http://localhost:8080/ gives a 404
instead of the home page.

Regards.

-- System Information:
Debian Release: 7.11
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tomcat7 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  tomcat7-common         7.0.28-4+deb7u16
ii  ucf                    3.0025+nmu3

Versions of packages tomcat7 recommends:
pn  authbind  

Versions of packages tomcat7 suggests:
pn  libtcnative-1 
pn  tomcat7-admin 
pn  tomcat7-docs  
pn  tomcat7-examples  
pn  tomcat7-user  

-- Configuration Files:
/etc/tomcat7/catalina.properties [Errno 13] Permiso denegado: 
u'/etc/tomcat7/catalina.properties'
/etc/tomcat7/context.xml [Errno 13] Permiso denegado: 
u'/etc/tomcat7/context.xml'
/etc/tomcat7/logging.properties [Errno 13] Permiso denegado: 
u'/etc/tomcat7/logging.properties'
/etc/tomcat7/policy.d/01system.policy [Errno 13] Permiso denegado: 
u'/etc/tomcat7/policy.d/01system.policy'
/etc/tomcat7/policy.d/02debian.policy [Errno 13] Permiso denegado: 
u'/etc/tomcat7/policy.d/02debian.policy'
/etc/tomcat7/policy.d/03catalina.policy [Errno 13] Permiso denegado: 
u'/etc/tomcat7/policy.d/03catalina.policy'
/etc/tomcat7/policy.d/04webapps.policy [Errno 13] Permiso denegado: 
u'/etc/tomcat7/policy.d/04webapps.policy'
/etc/tomcat7/policy.d/50local.policy [Errno 13] Permiso denegado: 
u'/etc/tomcat7/policy.d/50local.policy'
/etc/tomcat7/server.xml [Errno 13] Permiso denegado: u'/etc/tomcat7/server.xml'
/etc/tomcat7/tomcat-users.xml [Errno 13] Permiso denegado: 
u'/etc/tomcat7/tomcat-users.xml'
/etc/tomcat7/web.xml [Errno 13] Permiso denegado: u'/etc/tomcat7/web.xml'

These errors are because I'm running reportbug as a normal user, but I
didn't touch any files at all.

-- debconf information:
  tomcat7/groupname: tomcat7
  tomcat7/username: tomcat7
  tomcat7/javaopts: -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC
