Your message dated Fri, 23 Dec 2016 18:32:35 +0000
with message-id <e1ckudv-0007vg...@fasolo.debian.org>
and subject line Bug#845393: fixed in tomcat8 8.0.14-1+deb8u5
has caused the Debian Bug report #845393,
regarding CVE-2016-9774: privilege escalation via upgrade
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
845393: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat8
Version: 8.0.14-1+deb8u4
Severity: critical
Tags: security
Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
writable by group tomcat8, as per the postinst script. Then the tomcat8
user, in the situation envisaged in DSA-3670 and DSA-3720, see also
http://seclists.org/fulldisclosure/2016/Oct/4
could use something like commands
mv -i /etc/tomcat8/Catalina/localhost /etc/tomcat8/Catalina/localhost-OLD
ln -s /etc/shadow /etc/tomcat8/Catalina/localhost
to create a symlink:
# ls -l /etc/tomcat8/Catalina/localhost
lrwxrwxrwx 1 tomcat8 tomcat8 11 Nov 23 10:19 /etc/tomcat8/Catalina/localhost -> /etc/shadow
Then when the tomcat8 package is upgraded (e.g. for the next DSA),
the postinst script runs
chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
and that will make the /etc/shadow file world-readable (and
group-writable). Other useful attacks might be to make the objects:
/root/.Xauthority
/etc/ssh/ssh_host_dsa_key
world-readable; or make something (already owned by group tomcat8)
group-writable (some "policy" setting maybe?).
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
--- End Message ---
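A hardened form of the postinst step the report describes, added here as an example (not the Debian package's own maintainer script): the helper names safe_chmod_dir and demo_report_layout are hypothetical, the sandbox layout is constructed, and GNU stat on Linux is assumed.

```shell
# safe_chmod_dir MODE PATH [EXPECTED_UID]
# Hardened replacement for the bare "chmod 775 DIR" step from the report.
# Hypothetical helper, not the Debian maintainer script. Applies MODE only to
# a real directory (never a symlink) owned by EXPECTED_UID (default: the
# invoking user, which is root inside a postinst).
safe_chmod_dir() {
    mode="$1"
    path="$2"
    expected_uid="${3:-$(id -u)}"
    # Test for a symlink FIRST: "-d" follows symlinks, and so does chmod(2),
    # which is exactly how a planted link reaches /etc/shadow.
    if [ -L "$path" ]; then
        echo "safe_chmod_dir: refusing symlink $path" >&2
        return 1
    fi
    if [ ! -d "$path" ]; then
        echo "safe_chmod_dir: not a directory: $path" >&2
        return 1
    fi
    # The service account can write to the parent, so it could also replace
    # the directory with one it owns; require the expected owner (GNU stat).
    owner=$(stat -c '%u' "$path") || return 1
    if [ "$owner" != "$expected_uid" ]; then
        echo "safe_chmod_dir: $path owned by uid $owner, expected $expected_uid" >&2
        return 1
    fi
    chmod "$mode" "$path"
}

# demo_report_layout: rebuild the report's layout in a scratch directory
# (constructed sample, no real system files touched): a 0600 "secret" stands
# in for /etc/shadow and Catalina/localhost is replaced by a symlink to it.
# Returns 0 when the hardened step refuses the link and the secret's mode is
# unchanged, 1 otherwise.
demo_report_layout() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/Catalina"
    : > "$sandbox/secret"
    chmod 600 "$sandbox/secret"
    ln -s "$sandbox/secret" "$sandbox/Catalina/localhost"
    rc=0
    safe_chmod_dir 775 "$sandbox/Catalina/localhost" 2>/dev/null && rc=1
    [ "$(stat -c '%a' "$sandbox/secret")" = "600" ] || rc=1
    rm -rf "$sandbox"
    return "$rc"
}

demo_report_layout && echo "hardened step refused the symlink; secret still 0600"
```

The check-then-chmod window still exists while the parent directory stays group-writable by the service account, so the durable fix is to stop the service account from writing to the configuration tree at all rather than to rely on this guard alone.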
--- Begin Message ---
Source: tomcat8
Source-Version: 8.0.14-1+deb8u5
We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 845...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tomcat8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 17 Dec 2016 09:19:36 +0100
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java
libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 845385 845393
Changes:
tomcat8 (8.0.14-1+deb8u5) jessie-security; urgency=high
.
* Fixed CVE-2016-9774: Potential privilege escalation when the tomcat8
package is upgraded. Thanks to Paul Szabo for the report (Closes: #845393)
* Fixed CVE-2016-9775: Potential privilege escalation when the tomcat8
package is purged. Thanks to Paul Szabo for the report (Closes: #845385)
* Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
invalid characters. This could be exploited, in conjunction with a proxy
that also permitted the invalid characters but with a different
interpretation, to inject data into the HTTP response. By manipulating the
HTTP response the attacker could poison a web-cache, perform an XSS attack
and/or obtain sensitive information from requests other than their own.
* Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
using this listener remained vulnerable to a similar remote code execution
vulnerability. This issue has been rated as important rather than critical
due to the small number of installations using this listener and that it
would be highly unusual for the JMX ports to be accessible to an attacker
even when the listener is used.
* Backported the fix for upstream bug 57377: Remove the restriction that
prevented the use of SSL when specifying a bind address for the JMX/RMI
server. Enable SSL to be configured for the registry as well as the server.
* CVE-2016-5018 follow-up: Applied a missing modification fixing
a ClassNotFoundException when the security manager is enabled (see #846298)
* CVE-2016-6797 follow-up: Fixed a regression preventing some applications
from accessing the global resources (see #845425)
* CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
* Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
with recent JREs
* Backported a fix disabling the broken SSLv3 tests
* Refreshed the expired SSL certificates used by the tests
* Set the locale when running the tests to prevent locale sensitive tests
from failing
* Added asm-all.jar to the test classpath to fix TestWebappServiceLoader
* Fixed a test failure in the new TestNamingContext test added with the fix
for CVE-2016-6797
* Test failures are no longer ignored and now stop the build
--- End Message ---