Bug#532284: tomcat6: more files should be owned by group adm
Package: tomcat6
Version: 6.0.18-3
Severity: normal

Various directories that used to have group adm in tomcat5.5 are now either root-only or owner root, group tomcat6. So you need to be root to add webapps or configure Tomcat (or be in group tomcat6, but that does not look like a good idea). It should suffice to be in group adm.

The following should have owner tomcat6.adm:

/etc/tomcat6
/var/lib/tomcat6/webapps

together with the files contained therein.

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.29.4-melech (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tomcat6 depends on:
ii  adduser         3.110     add and remove users and groups
pn  jsvc            none      (no description available)
ii  tomcat6-common  6.0.20-1  Servlet and JSP engine -- common f

tomcat6 recommends no packages.

Versions of packages tomcat6 suggests:
pn  tomcat6-admin     none  (no description available)
pn  tomcat6-docs      none  (no description available)
pn  tomcat6-examples  none  (no description available)

___
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
Bug#525310: pdfsam-console won't start (missing required file)
On Fri, Jun 05, 2009 at 11:14:35PM +0200, Torsten Werner wrote:
> I am closing this bug report now because I did not get any feedback.
> Please reopen it with more information if necessary.

Apologies for the delay. I have just checked and indeed 1.1.2-1 has fixed this problem. Also I did not realise that the package was not in stable (I have a mixed sources.list) - whoops!
xml-im-exporter REMOVED from testing
FYI: The status of the xml-im-exporter source package in Debian's testing distribution has changed.

Previous version: 1.1-3
Current version: (not in testing)
Hint: Package not in unstable

The script that generates this mail tries to extract removal reasons from comments in the britney hint files. Those comments were not originally meant to be machine readable, so if the reason for removing your package seems to be nonsense, it is probably the reporting script that got confused. Please check the actual hints file before you complain about meaningless removals.

--
This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See http://release.debian.org/testing-watch/ for more information.
Bug#532362: CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache Tomcat 6 Multiple Vulnerabilities
Package: tomcat6
Version: 6.0.16-1 6.0.18-dfsg1-1
Severity: serious
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were published for tomcat6.

CVE-2009-0033[0]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when the Java AJP connector and mod_jk load balancing
| are used, allows remote attackers to cause a denial of service
| (application outage) via a crafted request with invalid headers,
| related to temporary blocking of connectors that have encountered
| errors, as demonstrated by an error involving a malformed HTTP Host
| header.

CVE-2009-0580[1]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when FORM authentication is used, allows remote
| attackers to enumerate valid usernames via requests to
| /j_security_check with malformed URL encoding of passwords, related to
| improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
| and (3) JDBCRealm authentication realms, as demonstrated by a %
| (percent) value for the j_password parameter.

CVE-2009-0783[2]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18 permits web applications to replace an XML parser used
| for other web applications, which allows local users to read or modify
| the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
| applications via a crafted application that is loaded earlier than the
| target application.

CVE-2009-0781[3]:
| Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the
| calendar application in the examples web application in Apache Tomcat
| 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18
| allows remote attackers to inject arbitrary web script or HTML via the
| time parameter, related to invalid HTML.

These are already fixed in debian unstable (6.0.20-1). Please coordinate with the security team (t...@security.debian.org) to prepare packages for the stable releases.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
    http://security-tracker.debian.net/tracker/CVE-2009-0033
    Patch: http://svn.apache.org/viewvc?rev=742915&view=rev
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
    http://security-tracker.debian.net/tracker/CVE-2009-0580
    Patch: http://svn.apache.org/viewvc?rev=747840&view=rev
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
    http://security-tracker.debian.net/tracker/CVE-2009-0783
    Patch: http://svn.apache.org/viewvc?rev=652592&view=rev
           http://svn.apache.org/viewvc?rev=739522&view=rev
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
    http://security-tracker.debian.net/tracker/CVE-2009-0781
    Patch: http://svn.apache.org/viewvc?rev=750924&view=rev
Bug#532363: CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache Tomcat 5 Multiple Vulnerabilities
Package: tomcat5
Version: 5.0.30-12etch1
Severity: serious
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were published for tomcat5.

CVE-2009-0033[0]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when the Java AJP connector and mod_jk load balancing
| are used, allows remote attackers to cause a denial of service
| (application outage) via a crafted request with invalid headers,
| related to temporary blocking of connectors that have encountered
| errors, as demonstrated by an error involving a malformed HTTP Host
| header.

CVE-2009-0580[1]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when FORM authentication is used, allows remote
| attackers to enumerate valid usernames via requests to
| /j_security_check with malformed URL encoding of passwords, related to
| improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
| and (3) JDBCRealm authentication realms, as demonstrated by a %
| (percent) value for the j_password parameter.

CVE-2009-0783[2]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18 permits web applications to replace an XML parser used
| for other web applications, which allows local users to read or modify
| the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
| applications via a crafted application that is loaded earlier than the
| target application.

CVE-2009-0781[3]:
| Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the
| calendar application in the examples web application in Apache Tomcat
| 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18
| allows remote attackers to inject arbitrary web script or HTML via the
| time parameter, related to invalid HTML.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
    http://security-tracker.debian.net/tracker/CVE-2009-0033
    Patch: http://svn.apache.org/viewvc?rev=742915&view=rev
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
    http://security-tracker.debian.net/tracker/CVE-2009-0580
    Patch: http://svn.apache.org/viewvc?rev=747840&view=rev
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
    http://security-tracker.debian.net/tracker/CVE-2009-0783
    Patch: http://svn.apache.org/viewvc?rev=652592&view=rev
           http://svn.apache.org/viewvc?rev=739522&view=rev
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
    http://security-tracker.debian.net/tracker/CVE-2009-0781
    Patch: http://svn.apache.org/viewvc?rev=750924&view=rev
Processed: fixed 532362 in 6.0.20-1
Processing commands for cont...@bugs.debian.org:

fixed 532362 6.0.20-1
Bug#532362: CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache Tomcat 6 Multiple Vulnerabilities
Bug marked as fixed in version 6.0.20-1.

End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
cloning 532363, reassign -1 to tomcat5.5
clone 532363 -1
reassign -1 tomcat5.5
Processed: cloning 532363, reassign -1 to tomcat5.5
Processing commands for cont...@bugs.debian.org:

clone 532363 -1
Bug#532363: CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache Tomcat 5 Multiple Vulnerabilities
Bug 532363 cloned as bug 532366.

reassign -1 tomcat5.5
Bug#532366: CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache Tomcat 5 Multiple Vulnerabilities
Bug reassigned from package `tomcat5' to `tomcat5.5'.

End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#485708: ITP: ant-contrib -- Additional libraries for use with the ant build tool
Hi,

I started to package ant-contrib. The current results can be found in the pkg-java SVN repository. The ivy stuff does not yet work (check the commit message or try to build yourself). Any help is appreciated. Hope we can fix the build to finally update cdk.

http://svn.debian.org/wsvn/pkg-java/trunk/ant-contrib/#_trunk_ant-contrib_

Regards,
Daniel
Bug#532378: Please move back to main
Package: libjgrapht-java
Version: 0.6.0-5
Severity: important

With having openjdk and even the workarounds provided in http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/2009-February/019549.html can libjgrapht-java please be moved back to main? Otherwise e.g. cdk has to be moved to contrib too for no reason. This is currently blocking http://bugs.debian.org/517348.

Regards,
Daniel

-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (110, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-2-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libjgrapht-java depends on:
pn  libjgrapht0.6-java  none  (no description available)

libjgrapht-java recommends no packages.

libjgrapht-java suggests no packages.
Processed: block 517348 with 532378
Processing commands for cont...@bugs.debian.org:

block 517348 with 532378
Bug#532378: Please move back to main
Bug#517348: cdk: Build-Depends on libjgrapht-java from contrib
Was not blocked by any bugs.
Blocking bugs of 517348 added: 532378

End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)