Bug#692439: tomcat6: CVE-2012-2733 CVE-2012-3439
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole

Please see http://tomcat.apache.org/security-6.html

Since Wheezy is frozen, please apply isolated security fixes and do not update to a new upstream release.

BTW, is it really necessary to have both tomcat6 and tomcat7 in Wheezy? Shouldn't tomcat6 be dropped in favour of tomcat7?

Cheers,
Moritz

--
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#692440: tomcat7: CVE-2012-2733 CVE-2012-3439
Package: tomcat7
Severity: grave
Tags: security
Justification: user security hole

Please see http://tomcat.apache.org/security-7.html

Since Wheezy is frozen, please apply isolated security fixes instead of updating to a new upstream release.

Cheers,
Moritz
Bug#692442: CVE-2012-5783: Insecure certificate validation
Package: commons-httpclient
Severity: important
Tags: security

Please see Section 7.5 of this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

This has been assigned CVE-2012-5783.

I'm not sure if we can backport more correct certificate validation to 3.x, but independent of that it might make sense to introduce the 4.x codebase to the archive?

Cheers,
Moritz
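CVE-2012-5783 describes commons-httpclient 3.x accepting a server certificate whose chain validates without checking that the host it connected to appears in that certificate. As an added example, not code from Debian, Apache HttpClient or the cited paper, the Python below implements the missing check in the RFC 2818 / RFC 6125 style over certificate data in the dict shape Python's ssl.getpeercert() returns, and places the chain-only acceptance beside the corrected one. The certificates and hostnames are constructed for illustration; nothing here touches the network.

```python
"""Hostname verification for TLS server certificates (added example).

Certificates are represented in the dict shape returned by
ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a tuple of
(type, value) pairs; 'subjectAltName' is a tuple of (type, value) pairs
with types such as 'DNS' and 'IP Address'.
"""
import ipaddress


def _parse_ip(text):
    """Return an ip_address object or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dnsname_match(pattern, hostname):
    """Match one dNSName (optionally with a leading wildcard label) against hostname.

    Rules applied: comparison is case-insensitive and ignores a trailing dot;
    '*' is accepted only as the entire left-most label; a wildcard stands for
    exactly one label, so '*.example.com' matches 'www.example.com' but not
    'example.com' or 'a.b.example.com'; at least two labels must follow the
    wildcard, so '*.com' never matches anything. Partial-label wildcards
    ('f*.example.com') are rejected outright, which is stricter than RFC 6125.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in lab for lab in plabels[1:]):
        return False
    if len(hlabels) != len(plabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches_cert(cert, hostname):
    """True iff hostname is covered by the certificate.

    An IP literal matches only iPAddress SAN entries (never wildcards or the
    CN). A DNS name is checked against dNSName SAN entries; the subject CN is
    consulted only when the certificate carries no dNSName SAN at all.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    target_ip = _parse_ip(hostname)
    if target_ip is not None:
        return any(_parse_ip(ip) == target_ip for ip in ip_names)
    if dns_names:
        return any(_dnsname_match(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dnsname_match(value, hostname)
    return False


def verify_chain_only(cert, hostname, chain_ok):
    """The CVE-2012-5783 behaviour: accept whenever the chain validates.

    Any certificate issued by a trusted CA, for any name, is accepted, so an
    attacker holding a valid certificate for a host they control can
    impersonate the intended server.
    """
    return chain_ok


def verify_with_hostname(cert, hostname, chain_ok):
    """Corrected check: the chain must validate AND the name must match."""
    return chain_ok and hostname_matches_cert(cert, hostname)


# Constructed certificates for illustration (not real certificates).
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (
        ("DNS", "www.bank.example"),
        ("DNS", "*.api.bank.example"),
        ("IP Address", "192.0.2.10"),
    ),
}
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
}
LEGACY_CN_ONLY_CERT = {
    "subject": ((("commonName", "legacy.example"),),),
}

if __name__ == "__main__":
    # The attacker's CA-issued certificate passes the chain-only check while
    # the client believes it is talking to www.bank.example.
    print("chain only   :", verify_chain_only(ATTACKER_CERT, "www.bank.example", True))
    print("with hostname:", verify_with_hostname(ATTACKER_CERT, "www.bank.example", True))
```

The chain result is passed in as a boolean so the example isolates the one check the CVE is about; in a real client it comes from the trust-store validation, which is necessary but, as the chain-only variant shows, not sufficient.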
Processed: Re: jspwiki does depend on tomcat6
Processing control commands:

notfound -1 2.8.0-5
Bug #656153 [jspwiki] jspwiki: postinst failure: chown: invalid user: `tomcat6'
No longer marked as found in versions jspwiki/2.8.0-5.

fixed -1 2.8.0-5
Bug #656153 [jspwiki] jspwiki: postinst failure: chown: invalid user: `tomcat6'
Marked as fixed in versions jspwiki/2.8.0-5.

close -1
Bug #656153 [jspwiki] jspwiki: postinst failure: chown: invalid user: `tomcat6'
Marked Bug as done

--
656153: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656153
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#692455: jspwiki: modifies conffiles (policy 10.7.3): /etc/jspwiki/jspwiki.properties
Package: jspwiki
Version: 2.8.0-5
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package modifies conffiles.

This is forbidden by the policy, see
http://www.debian.org/doc/debian-policy/ch-files.html#s-config-files

10.7.3: [...] The easy way to achieve this behavior is to make the configuration file a conffile. [...] This implies that the default version will be part of the package distribution, and must not be modified by the maintainer scripts during installation (or at any other time).

Note that once a package ships a modified version of that conffile, dpkg will prompt the user for an action on how to handle the upgrade of this modified conffile (that was not modified by the user).

Further in 10.7.3: [...] must not ask unnecessary questions (particularly during upgrades) [...]

If a configuration file is customized by a maintainer script after having asked some debconf questions, it may not be marked as a conffile. Instead a template could be installed in /usr/share and used by the postinst script to fill in the custom values and create (or update) the configuration file (preserving any user modifications!). This file must be removed during postrm purge. ucf(1) may help with these tasks.

See also http://wiki.debian.org/DpkgConffileHandling

In https://lists.debian.org/debian-devel/2012/09/msg00412.html and followups it has been agreed that these bugs are to be filed with severity serious.

debsums reports modification of the following files, from the attached log (scroll to the bottom...):

  /etc/jspwiki/jspwiki.properties

cheers,

Andreas

[Attachment: jspwiki_2.8.0-5.log.gz (GNU Zip compressed data)]