Bug#425836: [CVE-2007-1860] A double encoded .. in a URL can be used to access URLs on the AJP backend

2007-05-24 Thread Marco Nenciarini
Package: libapache2-mod-jk
Version: 1:1.2.22-1
Severity: grave
Tags: security

As stated at http://tomcat.apache.org/connectors-doc/ the 1.2.22
version of the jk connector is affected by CVE-2007-1860.

Please provide the 1.2.23 version.

Regards

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- 
|Marco Nenciarini| Debian/GNU Linux Developer - Plug Member |
| [EMAIL PROTECTED] | http://www.prato.linux.it/~mnencia   |
Key fingerprint = FED9 69C7 9E67 21F5 7D95  5270 6864 730D F095 E5E4



___
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
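The bug above concerns a canonicalization mismatch: the front end matches its mount prefixes against a URL that has been percent-decoded once, while the servlet container behind the AJP connector decodes the path a second time, so a double-encoded `..` passes the front-end check and is resolved as a traversal only on the backend. The following is an added example, not code from the bug report, from mod_jk or from the 1.2.23 fix; it is a defender-side check that flags any request whose twice-decoded, normalised path no longer lies under the mount prefix the once-decoded path matched. The mount prefixes (`/app/`, `/admin/`), the log lines and the backend path (`/internal/admin.jsp`) are all constructed assumptions.

```python
"""Canonicalization-mismatch check for URLs forwarded to an AJP backend.

Constructed example (not code from the bug report or from mod_jk). Assumes a
deployment where the front end matches JkMount-style prefixes against the URL
after one round of percent-decoding, while the servlet container decodes it
again. The check flags requests whose twice-decoded, normalised path no longer
lies under the mount prefix that the once-decoded path matched.
"""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical mount prefixes (an assumption, not taken from the report).
MOUNT_PREFIXES = ["/app/", "/admin/"]

# Request field of an Apache combined-format log line: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def normalize_path(path):
    """Collapse '.' and '..' segments while preserving the leading slash."""
    norm = posixpath.normpath(path)
    if path.startswith("/") and not norm.startswith("/"):
        norm = "/" + norm
    return norm


def decoded_forms(uri):
    """Return (once_decoded, twice_decoded) normalised paths, query stripped.

    The first element is what a front end decoding once would match against;
    the second is what a backend decoding the forwarded URL again would see.
    """
    path = uri.split("?", 1)[0]
    once = normalize_path(unquote(path))
    twice = normalize_path(unquote(unquote(path)))
    return once, twice


def matched_mount(path, mounts=MOUNT_PREFIXES):
    """Return the prefix the front end would match, or None if not forwarded."""
    for prefix in mounts:
        if path.startswith(prefix):
            return prefix
    return None


def escapes_mount(uri, mounts=MOUNT_PREFIXES):
    """True when the backend's view of the path leaves the matched mount."""
    once, twice = decoded_forms(uri)
    mount = matched_mount(once, mounts)
    if mount is None:
        # The front end would not forward this request at all.
        return False
    return not twice.startswith(mount)


def scan_access_log(lines, mounts=MOUNT_PREFIXES):
    """Return a list of (raw_uri, backend_view) for log lines failing the check."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and escapes_mount(m.group("uri"), mounts):
            findings.append((m.group("uri"), decoded_forms(m.group("uri"))[1]))
    return findings


# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/May/2007:10:00:00 +0200] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/May/2007:10:00:01 +0200] "GET /app/%2e%2e/internal/admin.jsp HTTP/1.1" 404 0',
    '10.0.0.5 - - [24/May/2007:10:00:02 +0200] "GET /app/%252e%252e/internal/admin.jsp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for uri, backend_view in scan_access_log(SAMPLE_LOG):
        print(f"mount escape: {uri} -> backend resolves {backend_view}")
```

The second sample line is a single-encoded traversal: after one decode it normalises to a path outside `/app/`, so the front end never matches a mount and never forwards it. Only the third line, where one decode still leaves a path under `/app/` but a second decode escapes it, is reported; that is precisely the class of request the 1.2.23 connector is meant to reject, and the same comparison can be run over existing access logs to look for past abuse.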

Bug#425871: tomcat5.5-admin: admin servlet fails to start; throws an Allocate exception

2007-05-24 Thread Diab Jerius
Package: tomcat5.5-admin
Version: 5.5.20-2
Severity: grave
Justification: renders package unusable


The Tomcat admin webapp fails with the following error in the admin
log file:

May 22, 2007 6:22:20 PM org.apache.catalina.core.ApplicationDispatcher invoke
SEVERE: Allocate exception for servlet action
javax.servlet.UnavailableException: org/apache/commons/digester/Digester

I've strace'd tomcat and it successfully finds and open()'s the .jar file:

% grep digester strace.log
[pid 17233] lstat(/usr/share/tomcat5.5/server/webapps/admin/WEB-INF/lib/commons-digester.jar, {st_mode=S_IFLNK|0777, st_size=43, ...}) = 0
[pid 17233] readlink(/usr/share/tomcat5.5/server/webapps/admin/WEB-INF/lib/commons-digester.jar, ../../../../../../java/commons-digester.jar, 4096) = 43
[pid 17233] lstat(/usr/share/java/commons-digester.jar, {st_mode=S_IFLNK|0777, st_size=24, ...}) = 0
[pid 17233] readlink(/usr/share/java/commons-digester.jar, commons-digester-1.7.jar, 4096) = 24
[pid 17233] lstat(/usr/share/java/commons-digester-1.7.jar, {st_mode=S_IFREG|0644, st_size=170806, ...}) = 0
[pid 17233] stat(/usr/share/tomcat5.5/server/webapps/admin/WEB-INF/lib/commons-digester.jar, {st_mode=S_IFREG|0644, st_size=170806, ...}) = 0
[pid 17233] open(/usr/share/tomcat5.5/server/webapps/admin/WEB-INF/lib/commons-digester.jar, O_RDONLY) = 27
[pid 17233] stat(/tmp/org/apache/commons/digester/RuleSet.class, 0x424dd3c0) = -1 ENOENT (No such file or directory)
[pid 17233] lstat(/usr/share/java/commons-digester-1.7.jar, {st_mode=S_IFREG|0644, st_size=170806, ...}) = 0
[pid 17233] stat(/usr/share/java/commons-digester-1.7.jar, {st_mode=S_IFREG|0644, st_size=170806, ...}) = 0
[pid 17233] stat(/usr/share/tomcat5.5/server/webapps/admin/WEB-INF/lib/commons-digester.jar, {st_mode=S_IFREG|0644, st_size=170806, ...}) = 0
[pid 17233] stat(/usr/share/tomcat5.5/server/webapps/admin/WEB-INF/lib/commons-digester.jar, {st_mode=S_IFREG|0644, st_size=170806, ...}) = 0
[pid 17233] stat(/tmp/org/apache/commons/digester/Digester.class, 0x424dd1d0) = -1 ENOENT (No such file or directory)
[pid 17233] stat(/tmp/org/apache/commons/digester/Digester.class, 0x424dd0d0) = -1 ENOENT (No such file or directory)
[pid 17233] stat(/usr/share/tomcat5.5/common/classes/org/apache/commons/digester/Digester.class, 0x424dd1d0) = -1 ENOENT (No such file or directory)
[pid 17233] stat(/usr/share/tomcat5.5/server/classes/org/apache/commons/digester/Digester.class, 0x424dd250) = -1 ENOENT (No such file or directory)

The .jar file seems to be intact.

I've attached the tomcat logs.  Is there anything else that I can provide?

Thanks!

Diab



-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages tomcat5.5-admin depends on:
ii  libcommons-beanutils-java 1.7.0-4utility for manipulating JavaBeans
ii  libcommons-fileupload-java1.0-14 File upload capability to your ser
ii  libstruts1.2-java 1.2.9-1Java Framework for MVC web applica
ii  tomcat5.5 5.5.20-2   Java Servlet 2.4 engine with JSP 2

tomcat5.5-admin recommends no packages.

-- no debconf information


logs.tgz
Description: Binary data

Bug#425899: tomcat5.5: Tomcat5.5.20-2 fails to install in Debian etch

2007-05-24 Thread root
Package: tomcat5.5
Version: 5.5.20-2
Severity: grave
Justification: renders package unusable

Unable to install tomcat5.5 in Debian etch system. This section of
'aptitude install tomcat5.5' shows error:
 
Setting up libservlet2.4-java (5.0.30-3) ...
Setting up libcommons-el-java (1.0-3) ...
Setting up libcommons-launcher-java (1.1-3) ...
Setting up liblog4j1.2-java (1.2.13-2) ...
Setting up libmx4j-java (2.1.1-4) ...
Setting up libcommons-modeler-java (1.1-8) ...
Setting up libtomcat5.5-java (5.5.20-2) ...
Setting up tomcat5.5 (5.5.20-2) ...
Adding system user `tomcat55' (UID 110) ...
Adding new user `tomcat55' (UID 110) with group `nogroup' ...
Not creating home directory `/usr/share/tomcat5.5'.
Installing /var/lib/tomcat5.5/conf/tomcat-users.xml.
Starting Tomcat servlet engine: tomcat5.5invoke-rc.d: initscript
tomcat5.5, action start failed.
dpkg: error processing tomcat5.5 (--configure):
 subprocess post-installation script returned error exit status 1
Setting up libgcj7-dev (4.1.1-20) ...
Setting up gcj-4.1 (4.1.1-20) ...

Setting up java-gcj-compat-dev (1.0.65-10) ...

Setting up libgcj7-src (4.1.1-20) ...
Errors were encountered while processing:
 tomcat5.5
 E: Sub-process /usr/bin/dpkg returned an error code (1)
 A package failed to install.  Trying to recover:
Setting up tomcat5.5 (5.5.20-2) ...
Starting Tomcat servlet engine: tomcat5.5invoke-rc.d: initscript
 tomcat5.5, action start failed.
 dpkg: error processing tomcat5.5 (--configure):
  subprocess post-installation script returned error exit status 1
  Errors were encountered while processing:
  tomcat5.5
cn2:~/mysql_backup# 

This may be related to bug 418826, because it seems to involve the
init.d/ script.

reportbug reports that there is an updated version of tomcat5.5-20-5 in
unstable, but I'd prefer to stay with the stable etch distribution if I
can.

Thanks for looking into this problem.

-Kevin Zembower


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages tomcat5.5 depends on:
ii  adduser   3.102  Add and remove users and groups
ii  apache2-utils 2.2.3-4utility programs for webservers
ii  apache2.2-common  2.2.3-4Next generation, scalable, extenda
ii  ecj-bootstrap 3.2.1-3bootstrap version of the Eclipse J
ii  gij-4.1 [java2-runtime]   4.1.1-20   The GNU Java bytecode interpreter
ii  java-gcj-compat-dev   1.0.65-10  Java runtime environment with GCJ
ii  libtomcat5.5-java 5.5.20-2   Java Servlet engine -- core librar

tomcat5.5 recommends no packages.

-- no debconf information

