Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi,

This is a pre-upload request to unblock tomcat9/9.0.16-4. This update fixes:

- a minor security issue (CVE-2019-0221, see #929895)
- a startup failure on the architectures supporting only the Zero VM (#925928)
- the variable enabling the security manager that wasn't properly renamed in the startup script
- a couple of regressions compared to the old tomcat8 package that were caused by the transition to systemd (variable expansion no longer working in /etc/default/tomcat9, wrong permissions on the log directory)

This update doesn't implement the sysvinit script that was discussed in #925473; this may be reconsidered in a later point release after sufficient testing in unstable.

Thank you,

Emmanuel Bourg

unblock tomcat9/9.0.16-4

diff -Nru tomcat9-9.0.16/debian/changelog tomcat9-9.0.16/debian/changelog
--- tomcat9-9.0.16/debian/changelog 2019-02-26 09:31:13.000000000 +0100
+++ tomcat9-9.0.16/debian/changelog 2019-06-03 00:44:27.000000000 +0200
@@ -1,3 +1,26 @@ +tomcat9 (9.0.16-4) unstable; urgency=medium + + * Team upload. + + [ Emmanuel Bourg ] + * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data + without escaping and is, therefore, vulnerable to XSS. SSI is disabled + by default (Closes: #929895) + + [ Thorsten Glaser ] + * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses + a suitable GC automatically anyway (Closes: #925928) + * Correct the ownership and permissions on the log directory: + group adm and setgid (Closes: #925929) + * Make the startup script honour the (renamed) $SECURITY_MANAGER + * debian/libexec/tomcat-locate-java.sh: Remove shebang and make + not executable as this is only ever sourced (makes no sense otherwise) + + [ Christian Hänsel ] + * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319) + + -- Emmanuel Bourg <ebo...@apache.org> Mon, 03 Jun 2019 00:44:27 +0200 + tomcat9 (9.0.16-3) unstable; urgency=medium * Removed read/write access to /var/lib/solr (Closes: #923299) diff -Nru tomcat9-9.0.16/debian/default.template tomcat9-9.0.16/debian/default.template --- tomcat9-9.0.16/debian/default.template 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/default.template 2019-06-02 23:05:39.000000000 +0200 
@@ -3,9 +3,10 @@ # OpenJDK and the Oracle JDK are tried. #JAVA_HOME=/usr/lib/jvm/java-8-openjdk -# You may pass JVM startup parameters to Java here. If unset, the default -# options will be: -Djava.awt.headless=true -XX:+UseG1GC -JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC" +# You may pass JVM startup parameters to Java here. If you run Tomcat with +# Java 8 instead of 9 or newer, add "-XX:+UseG1GC" to select a suitable GC. +# If unset, the default options will be: -Djava.awt.headless=true +JAVA_OPTS="-Djava.awt.headless=true" # To enable remote debugging uncomment the following line. # You will then be able to use a Java debugger on port 8000. diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh --- tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/libexec/tomcat-locate-java.sh 2019-06-03 00:44:27.000000000 +0200 @@ -1,4 +1,3 @@ -#!/bin/sh # # Script looking for a Java runtime suitable for running Tomcat # diff -Nru tomcat9-9.0.16/debian/libexec/tomcat-start.sh tomcat9-9.0.16/debian/libexec/tomcat-start.sh --- tomcat9-9.0.16/debian/libexec/tomcat-start.sh 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/libexec/tomcat-start.sh 2019-06-03 00:44:27.000000000 +0200 @@ -5,6 +5,9 @@ set -e +# Load the service settings +. /etc/default/tomcat9 + # Find the Java runtime and set JAVA_HOME . /usr/libexec/tomcat9/tomcat-locate-java.sh @@ -15,7 +18,7 @@ # Enable the Java security manager? SECURITY="" -[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security" +[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security" # Start Tomcat diff -Nru tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch --- tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch 1970-01-01 01:00:00.000000000 +0100 +++ tomcat9-9.0.16/debian/patches/CVE-2019-0221.patch 2019-06-03 00:44:27.000000000 +0200 
@@ -0,0 +1,16 @@ +Description: Fixes CVE-2019-0221: The SSI printenv command echoes user provided + data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by + default. +Origin: upstream, https://github.com/apache/tomcat/commit/15fcd16 +--- a/java/org/apache/catalina/ssi/SSIPrintenv.java ++++ b/java/org/apache/catalina/ssi/SSIPrintenv.java +@@ -41,8 +41,7 @@ + } else { + Collection<String> variableNames = ssiMediator.getVariableNames(); + for (String variableName : variableNames) { +- String variableValue = ssiMediator +- .getVariableValue(variableName); ++ String variableValue = ssiMediator.getVariableValue(variableName, "entity"); + //This shouldn't happen, since all the variable names must + // have values + if (variableValue == null) { diff -Nru tomcat9-9.0.16/debian/patches/series tomcat9-9.0.16/debian/patches/series --- tomcat9-9.0.16/debian/patches/series 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/patches/series 2019-06-03 00:44:27.000000000 +0200 @@ -11,3 +11,4 @@ 0024-systemd-log-formatter.patch 0025-invalid-configuration-exit-status.patch 0026-easymock4-compatibility.patch +CVE-2019-0221.patch diff -Nru tomcat9-9.0.16/debian/setenv.sh tomcat9-9.0.16/debian/setenv.sh --- tomcat9-9.0.16/debian/setenv.sh 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/setenv.sh 2019-06-02 23:05:39.000000000 +0200 @@ -8,5 +8,5 @@ # Default Java options if [ -z "$JAVA_OPTS" ]; then - JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC" + JAVA_OPTS="-Djava.awt.headless=true" fi diff -Nru tomcat9-9.0.16/debian/tomcat9.postinst tomcat9-9.0.16/debian/tomcat9.postinst --- tomcat9-9.0.16/debian/tomcat9.postinst 2019-02-05 10:11:13.000000000 +0100 +++ tomcat9-9.0.16/debian/tomcat9.postinst 2019-06-03 00:44:27.000000000 +0200 
@@ -63,8 +63,10 @@ chmod 775 /var/lib/tomcat9/webapps # Grant read/write access to tomcat to the log and cache directories - chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/log/tomcat9/ /var/cache/tomcat9/ - chmod 750 /var/log/tomcat9/ /var/cache/tomcat9/ + chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/ + chmod 2750 /var/log/tomcat9/ + chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/ + chmod 750 /var/cache/tomcat9/ ;; esac diff -Nru tomcat9-9.0.16/debian/tomcat9.service tomcat9-9.0.16/debian/tomcat9.service --- tomcat9-9.0.16/debian/tomcat9.service 2019-02-26 09:30:59.000000000 +0100 +++ tomcat9-9.0.16/debian/tomcat9.service 2019-06-03 00:44:27.000000000 +0200 @@ -14,7 +14,6 @@ Environment="CATALINA_BASE=/var/lib/tomcat9" Environment="CATALINA_TMPDIR=/tmp" Environment="JAVA_OPTS=-Djava.awt.headless=true" -EnvironmentFile=-/etc/default/tomcat9 # Lifecycle Type=simple @@ -32,13 +31,13 @@ PrivateTmp=yes AmbientCapabilities=CAP_NET_BIND_SERVICE NoNewPrivileges=true -LogsDirectory=tomcat9 -LogsDirectoryMode=750 CacheDirectory=tomcat9 CacheDirectoryMode=750 ProtectSystem=strict ReadWritePaths=/etc/tomcat9/Catalina/ ReadWritePaths=/var/lib/tomcat9/webapps/ +ReadWritePaths=/var/log/tomcat9/ +RequiresMountsFor=/var/log/tomcat9 [Install] WantedBy=multi-user.target diff -Nru tomcat9-9.0.16/debian/tomcat9.tmpfile tomcat9-9.0.16/debian/tomcat9.tmpfile --- tomcat9-9.0.16/debian/tomcat9.tmpfile 1970-01-01 01:00:00.000000000 +0100 +++ tomcat9-9.0.16/debian/tomcat9.tmpfile 2019-06-03 00:44:27.000000000 +0200 @@ -0,0 +1,6 @@ +# Tomcat log directory permissions + +# See tmpfiles.d(5) for details + +# Type Path Mode UID GID Age Argument +d /var/log/tomcat9 2750 tomcat adm -
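Review bot: the changelog entry for #926319 ("Restored the variable expansion in /etc/default/tomcat9") does not record how this was done: the unit drops `EnvironmentFile=-/etc/default/tomcat9` and tomcat-start.sh now sources the file with `. /etc/default/tomcat9`, so a conffile that systemd used to parse as key=value pairs is now executed as shell code. That is an administrator-visible change in the semantics of /etc/default/tomcat9 and deserves a sentence in the changelog or a NEWS entry.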
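Review bot: the new comment in debian/default.template tells Java 8 users to add `-XX:+UseG1GC` "to select a suitable GC" with no caveat, yet that flag is exactly what this upload removes from the default JAVA_OPTS to fix the startup failure on architectures that only have the Zero VM (#925928). Qualify the advice (for example "on architectures whose JVM supports G1") or drop it, so a Java 8 user on a Zero-only port does not reintroduce the bug by following the template.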
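Review bot: with the shebang removed, the remaining header comment in tomcat-locate-java.sh ("Script looking for a Java runtime suitable for running Tomcat") still reads like a standalone script, while the changelog says it is only ever sourced. Add a line to that header stating that the file is sourced by tomcat-start.sh and must not be executed directly, so the shebang and executable bit are not reinstated by a later cleanup.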
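Review bot: `. /etc/default/tomcat9` in tomcat-start.sh runs under `set -e` with no existence check, so a missing or unreadable default file now aborts the start, whereas the removed `EnvironmentFile=-/etc/default/tomcat9` tolerated a missing file (that is what the leading `-` did). Guard it, for example `if [ -r /etc/default/tomcat9 ]; then . /etc/default/tomcat9; fi`. Note as well that sourcing is what restores variable expansion (#926319) but also means anyone able to write that file runs arbitrary commands at service start, rather than merely setting variables; the template's header comment should say so.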
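Review bot: the accepted value changes from `TOMCAT_SECURITY=yes` to `SECURITY_MANAGER=true`, and `[ "$SECURITY_MANAGER" = "true" ]` is an exact, case-sensitive comparison, so `yes`, `1` or `True` silently leave the security manager off. The default.template hunk in this diff does not touch that variable, so it cannot be confirmed here that the template documents exactly `SECURITY_MANAGER=true`; please check, and consider also accepting `yes`, since that is the value users of the old variable will carry over.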
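Review bot: the DEP-3 header of CVE-2019-0221.patch has Origin but no Bug-Debian field; since the changelog closes #929895 for this fix, add `Bug-Debian: https://bugs.debian.org/929895` so the patch is traceable without the changelog. The code change matches the upstream commit: passing "entity" to getVariableValue() encodes the values printenv writes out; the variable names on the same loop are left unencoded, which is fine as long as they come from the mediator's own variable set rather than from the request.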
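Review bot: the new series entry breaks the file's naming convention: the neighbouring patches are numbered (0024-systemd-log-formatter.patch, 0025-invalid-configuration-exit-status.patch, 0026-easymock4-compatibility.patch) while `CVE-2019-0221.patch` is not. Either number it (0027-CVE-2019-0221.patch) or, if security patches are intentionally kept unnumbered in this package, record that convention in debian/README.source.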
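Review bot: the default `-Djava.awt.headless=true` now lives in three places: debian/setenv.sh, debian/default.template and the unit's `Environment="JAVA_OPTS=-Djava.awt.headless=true"`. Because tomcat-start.sh sources /etc/default/tomcat9 and setenv.sh fills in JAVA_OPTS whenever it is empty, the unit's copy is redundant; keeping setenv.sh as the single source avoids the three drifting apart, which is how -XX:+UseG1GC ended up needing three hunks to remove.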
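Review bot: postinst sets the log directory owner to `$TOMCAT_USER` while the tmpfiles.d entry hardcodes `tomcat`, and both use the literal `adm` for the group; if `$TOMCAT_USER` ever differs from `tomcat`, postinst and systemd-tmpfiles will fight over ownership at every boot. Use the same literal in both or generate the tmpfiles line from the same variable. The `chown -Rh` re-grouping existing log files to adm is consistent with the setgid directory, and `chmod 2750` applying only to the directory is fine, since the directory mode already blocks traversal by others.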
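Review bot: with `EnvironmentFile=-/etc/default/tomcat9` gone, the unit no longer shows where the service's settings come from, and values set via `systemctl edit` in Environment= are superseded by whatever tomcat-start.sh sources from /etc/default/tomcat9 after systemd has applied the unit's environment. Add a comment next to the Environment= lines pointing to /etc/default/tomcat9 as read by tomcat-start.sh, so administrators do not reintroduce EnvironmentFile= and end up with the file parsed twice.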
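Review bot: dropping `LogsDirectory=tomcat9` and `LogsDirectoryMode=750` is needed for the adm group, since systemd would (re)create /var/log/tomcat9 owned by the unit's User/Group and undo the 2750 tomcat:adm set by postinst and tmpfiles.d, but that reason is not recorded anywhere in this diff. Add a comment in the unit (or the changelog) saying the log directory is managed by tmpfiles.d because of the adm group, so a later cleanup does not reinstate LogsDirectory=. `ReadWritePaths=/var/log/tomcat9/` is required under `ProtectSystem=strict`; consider `ReadWritePaths=-/var/log/tomcat9/` if the directory may be absent at first start, because a nonexistent path without the `-` prefix fails the unit's namespace setup.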