Re: On tomcat FTBFS.

2019-08-07 Thread Sylvain Beucler
Hi,

So I reworked CVE-2017-5647, which involved 5 new commits related to
non-blocking I/O (NIO2 and COMET).
Stable build.

Then I got upstream to renew their new certs that were expiring tomorrow (!)
https://bz.apache.org/bugzilla/show_bug.cgi?id=63648
and had to fix up the SSL client tests accordingly (new client DN).

At last we have a working package that passes the testsuite.
How would you smoke-test it?
https://www.beuc.net/tmp/debian-lts/tomcat8/

(Now maybe I can start working on the actual CVEs :))

Cheers!
Sylvain

On 07/08/2019 12:29, Sylvain Beucler wrote:
> Hi,
>
> It appears that the CVE-2017-5647 fix lacked this pre-requisite:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57799
> https://svn.apache.org/viewvc?view=revision=1712081
>
> The test case is not flaky anymore; I'm going to test full builds again.
>
> Cheers!
> Sylvain
>
> On 07/08/2019 00:45, Sylvain Beucler wrote:
>> Hi Markus,
>>
>> I'm investigating tomcat8's FTBFS and I confirm Abhijith's findings in a
>> Jessie VM:
>>
>> - test catalina/connector/TestSendFile.java fails with nio2 connector
>> but is not reliable and will report success ~1 out of 10 even with lots
>> of exceptions; catalina.log will report header parsing error and return 400
>>
>> - it passes reliably without CVE-2017-5647.patch
>>
>> - the test certificate did expire on 2019-02-27 but changing the date to
>> 2019-01-01 and rebuilding does not impact these results
>> (incidentally the test certs seem to depend on an external CA
>> ca-test.tomcat.apache.org, fixing the certs will require switching to
>> the new-style local CA in tomcat8 - if fixing the certs is needed)
>>
>> As you fixed CVE-2017-5647 as well as generated the last jessie upload,
>> I would be interested in your take on this :)
>> TestSendFile only got trivial changes, so I guess I'll look for a fix in
>> later changes affecting files modified by CVE-2017-5647.
>> Still, I'm surprised updates were built given this situation - did
>> everybody get lucky with the flaky test or did I miss something?
>>
>> Cheers!
>> Sylvain
>>
>> On 27/07/2019 20:30, Abhijith PA wrote:
>>> Hi,
>>>
>>>
>>> I don't think the link you gave on commit [fe932dd39d] is the reason for
>>> the FTBFS. I tried building on a VM that matches the certificate date and it
>>> was successful. I also tried disabling all SSL-related tests and it was fine.
>>>
>>> While doing all these, I found the TestSendFile test is the culprit. In the
>>> CVE-2017-5647 security patch a good amount of changes are applied to
>>> SendFile*.java and *Nio2*.java. These are mostly about conditions on how
>>> long the socket of sendfile keeps active and to take away from it. But I
>>> couldn't see any of those changes in its test file. Please take a look at
>>> the attached patch. :)
>>>
>>>
>>> --abhijith



[SECURITY] [DLA 1873-1] proftpd-dfsg security update

2019-08-07 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: proftpd-dfsg
Version: 1.3.5e+r1.3.5-2+deb8u3
CVE ID : CVE-2019-12815
Debian Bug : 932453

Tobias Maedel discovered that the mod_copy module of ProFTPD, a
FTP/SFTP/FTPS server, performed incomplete permission validation for the
CPFR/CPTO commands.

For Debian 8 "Jessie", this problem has been fixed in version
1.3.5e+r1.3.5-2+deb8u3.

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
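The advisory names the version that carries the fix, so the practical check on a Jessie host is whether the installed proftpd-dfsg binary package is at or past 1.3.5e+r1.3.5-2+deb8u3. Comparing Debian version strings by hand goes wrong on suffixes like "+deb8u2" versus "+deb8u3" or on "~" pre-release markers, so the following is an added example (not part of the Debian LTS tooling) that reimplements dpkg's version-comparison rules in Python and applies them to the fixed version from this DLA. The installed versions in SAMPLE_INSTALLED are constructed sample values, not output captured from a real host; on a real system you would feed it the output of `dpkg-query -W -f '${Version}' proftpd-basic`.

```python
"""Check whether an installed Debian package version already carries a
DLA fix, using the same comparison rules as `dpkg --compare-versions`.

Added example, not part of any Debian tool.  The sample installed
versions are constructed; the fixed version is the one named in
DLA 1873-1.
"""

# Constructed sample: what `dpkg-query -W -f '${Version}' proftpd-basic`
# might print on an unpatched and on a patched Jessie host.
SAMPLE_INSTALLED = {
    "unpatched-host": "1.3.5e+r1.3.5-2+deb8u2",
    "patched-host": "1.3.5e+r1.3.5-2+deb8u3",
}

# Fixed version from DLA 1873-1.
DLA_FIXED_VERSION = "1.3.5e+r1.3.5-2+deb8u3"


def _order(c: str) -> int:
    """Sort weight of one character in dpkg's string comparison."""
    if c == "" or c.isdigit():   # end of string and digits weigh 0
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":                 # tilde sorts before everything, even end of string
        return -1
    return ord(c) + 256          # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp(): alternate
    between non-digit runs (by character weight) and digit runs (numerically)."""
    i = j = 0

    def at(s, k):
        return s[k] if k < len(s) else ""

    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare by weight until both sides reach a digit.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically.
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1             # a has more digits, so it is the larger number
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or past the fixed version."""
    return compare_versions(installed, fixed) >= 0


def check_hosts(installed_by_host: dict, fixed: str) -> dict:
    """Map each host to 'fixed' or 'vulnerable' for one advisory."""
    return {host: ("fixed" if is_fixed(ver, fixed) else "vulnerable")
            for host, ver in installed_by_host.items()}


if __name__ == "__main__":
    for host, state in check_hosts(SAMPLE_INSTALLED, DLA_FIXED_VERSION).items():
        print(f"{host}: {state}")
```

The comparison treats "~" as sorting before the empty string (so 1.0~rc1 is older than 1.0) and compares digit runs numerically (so 1.10 is newer than 1.9), which is exactly where naive string comparison misreports a host as patched or unpatched.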



Accepted proftpd-dfsg 1.3.5e+r1.3.5-2+deb8u3 (source amd64 all) into oldoldstable

2019-08-07 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 07 Aug 2019 17:07:51 +0200
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql 
proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite 
proftpd-mod-geoip
Architecture: source amd64 all
Version: 1.3.5e+r1.3.5-2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: ProFTPD Maintainance Team 

Changed-By: Markus Koschany 
Description:
 proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
 proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-geoip - Versatile, virtual-hosting FTP daemon - GeoIP module
 proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
 proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
 proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Changes:
 proftpd-dfsg (1.3.5e+r1.3.5-2+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-12815:
 Tobias Maedel discovered that the mod_copy module of ProFTPD, a
 FTP/SFTP/FTPS server, performed incomplete permission validation for the
 CPFR/CPTO commands.
Checksums-Sha1:
 a40860f8b49f6e804f5944395f1614177a2ca9f6 2985 proftpd-dfsg_1.3.5e+r1.3.5-2+deb8u3.dsc
 7b38338c619775dfd3c321eeac586669692e883b 96960 proftpd-dfsg_1.3.5e+r1.3.5-2+deb8u3.debian.tar.xz
 b8c47e08ce83537619b555251a3ac58670429615 2460658 proftpd-basic_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 7079589d82ae552d9d7df805a41cae3d61be3118 961248 proftpd-dev_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 9e29f33ed2f608343e881e8b23e5680dabab3001 476608 proftpd-mod-mysql_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 cc86e4f629b35cf32ef480d3f07a3ddc36e68bde 476292 proftpd-mod-pgsql_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 51754cbf9ded6362937f5826292b31de7d9ad7a3 484454 proftpd-mod-ldap_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 ed0ba68f85a5c5f80bd5c8d5ce58017fdb002fd1 477588 proftpd-mod-odbc_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 ce48b74f7c116c4177ff8848bbc062b922caaa58 475684 proftpd-mod-sqlite_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 1f12806aac5a024e1dcdc791908fea0e8af2 477296 proftpd-mod-geoip_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 b2f0516dd150d9fa6557603a5877f308d399def2 948774 proftpd-doc_1.3.5e+r1.3.5-2+deb8u3_all.deb
Checksums-Sha256:
 e083e8f0b11b825ad7ef089553521ac86bb7058e29e67fb5af01799d862b67f4 2985 proftpd-dfsg_1.3.5e+r1.3.5-2+deb8u3.dsc
 58fd61b0c49656d2eb28d4633f8838563c9d18503c646d0db746baa78c3e0436 96960 proftpd-dfsg_1.3.5e+r1.3.5-2+deb8u3.debian.tar.xz
 7e99cfabb154c963deb1c2d08f9b786228b9fa6d4a1cc530a0f91d929964f442 2460658 proftpd-basic_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 cd3066e51df9c144e898b25a451c6786d8511de5d0fc397e22cff48a519f310e 961248 proftpd-dev_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 704fa08812c478a581834228cb6e828e606d9fbdbd974aea6bde64fd275669d8 476608 proftpd-mod-mysql_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 92a1e51a75e5703e075aa93ad51f0c12337bf15d7efc34c99215ca560211b5df 476292 proftpd-mod-pgsql_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 59ce7b4e91b538f79d0cc46de1aa1ac686a09539767eb509f2344848ed8657f5 484454 proftpd-mod-ldap_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 5de7788890d6f65cf10c8baf6401bc170f0c4907b0d319a66d413aa5186eb628 477588 proftpd-mod-odbc_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 bfe968bb396c399c179ea8eeca56b19cef60abe0bbf7b3ea867a90c113de8ea0 475684 proftpd-mod-sqlite_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 631fdf954e01028d5f27c90dac720f9254691d5dd8dd2005a6e5d5986f73bed1 477296 proftpd-mod-geoip_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 ff86f7bd06a9daab389d7a8feea0b24af2953ea4c7d7ba0f49cee0f555f223e7 948774 proftpd-doc_1.3.5e+r1.3.5-2+deb8u3_all.deb
Files:
 fef40e244115f23dbe6a2bb97e44a460 2985 net optional proftpd-dfsg_1.3.5e+r1.3.5-2+deb8u3.dsc
 e3cf82662ac1ad320176523f60ebc59c 96960 net optional proftpd-dfsg_1.3.5e+r1.3.5-2+deb8u3.debian.tar.xz
 149f6954844f67b89f0a7f595ad8bbb5 2460658 net optional proftpd-basic_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 59d99d9156947be3b28b6b5dde84f556 961248 net optional proftpd-dev_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 c03d19783da28bde235579725224c118 476608 net optional proftpd-mod-mysql_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 7ffabb5954e1c0804e7a91582d10e655 476292 net optional proftpd-mod-pgsql_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 bd5eadabcf9ec91e6a09273c7815a43e 484454 net optional proftpd-mod-ldap_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 00234277d330bcc284bffa647b97a111 477588 net optional proftpd-mod-odbc_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 312cd6caa3a50d4b66320b0dc6bb01ca 475684 net optional proftpd-mod-sqlite_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 08e89ed770c3eec5c47eb4fe866aa73e 477296 net optional proftpd-mod-geoip_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 91e1c4d3aa023ba8e047f0f6adfa430d 948774 doc optional
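The Checksums-Sha256 field of the .changes file above is what lets anyone who mirrors or re-hosts these packages confirm that the artifacts they hold are the ones the LTS team uploaded. The following is an added example (not part of dak or any Debian tool) that parses that field and verifies the listed files under a directory, reporting per file whether it is missing, truncated, corrupted or intact. CHANGES_EXCERPT is copied from the Accepted message above with each entry on one line; the demo at the end builds a temporary directory of constructed files against a constructed checksum block, so it runs offline.

```python
"""Parse the Checksums-Sha256 field of a Debian .changes file and verify
the listed artifacts on disk.

Added example, not part of dak or any Debian tool.  CHANGES_EXCERPT is
copied from the 'Accepted proftpd-dfsg 1.3.5e+r1.3.5-2+deb8u3' message;
the files used by demo_on_constructed_files() are constructed.
"""
import hashlib
import os
import re
import tempfile

CHANGES_EXCERPT = """\
Checksums-Sha256:
 e083e8f0b11b825ad7ef089553521ac86bb7058e29e67fb5af01799d862b67f4 2985 proftpd-dfsg_1.3.5e+r1.3.5-2+deb8u3.dsc
 58fd61b0c49656d2eb28d4633f8838563c9d18503c646d0db746baa78c3e0436 96960 proftpd-dfsg_1.3.5e+r1.3.5-2+deb8u3.debian.tar.xz
 7e99cfabb154c963deb1c2d08f9b786228b9fa6d4a1cc530a0f91d929964f442 2460658 proftpd-basic_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 cd3066e51df9c144e898b25a451c6786d8511de5d0fc397e22cff48a519f310e 961248 proftpd-dev_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 704fa08812c478a581834228cb6e828e606d9fbdbd974aea6bde64fd275669d8 476608 proftpd-mod-mysql_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 92a1e51a75e5703e075aa93ad51f0c12337bf15d7efc34c99215ca560211b5df 476292 proftpd-mod-pgsql_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 59ce7b4e91b538f79d0cc46de1aa1ac686a09539767eb509f2344848ed8657f5 484454 proftpd-mod-ldap_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 5de7788890d6f65cf10c8baf6401bc170f0c4907b0d319a66d413aa5186eb628 477588 proftpd-mod-odbc_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 bfe968bb396c399c179ea8eeca56b19cef60abe0bbf7b3ea867a90c113de8ea0 475684 proftpd-mod-sqlite_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 631fdf954e01028d5f27c90dac720f9254691d5dd8dd2005a6e5d5986f73bed1 477296 proftpd-mod-geoip_1.3.5e+r1.3.5-2+deb8u3_amd64.deb
 ff86f7bd06a9daab389d7a8feea0b24af2953ea4c7d7ba0f49cee0f555f223e7 948774 proftpd-doc_1.3.5e+r1.3.5-2+deb8u3_all.deb
Files:
"""

# One continuation line: leading space, 64 hex digits, size, filename.
ENTRY_RE = re.compile(r"^\s([0-9a-f]{64})\s+(\d+)\s+(\S+)$")


def parse_checksums_sha256(text: str) -> list:
    """Return [(sha256, size, filename), ...] from the Checksums-Sha256 field.
    The field's entries are the indented lines that follow the field name;
    the field ends at the next non-indented line (the next field)."""
    entries = []
    in_field = False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError(f"malformed checksum line: {line!r}")
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(text: str, directory: str) -> dict:
    """Check every listed file under `directory`.  Returns {filename: status}
    with status 'ok', 'missing', 'size-mismatch' or 'hash-mismatch'.
    The size check comes first: it is cheap and catches truncated downloads."""
    result = {}
    for digest, size, name in parse_checksums_sha256(text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif os.path.getsize(path) != size:
            result[name] = "size-mismatch"
        elif sha256_of(path) != digest:
            result[name] = "hash-mismatch"
        else:
            result[name] = "ok"
    return result


def demo_on_constructed_files() -> dict:
    """Offline demonstration on constructed data: one intact file, one
    corrupted, one truncated and one absent, all listed against the
    SHA-256 of b'hello\\n'."""
    good = hashlib.sha256(b"hello\n").hexdigest()
    block = ("Checksums-Sha256:\n"
             f" {good} 6 good.deb\n"
             f" {good} 6 corrupt.deb\n"
             f" {good} 6 truncated.deb\n"
             f" {good} 6 absent.deb\n"
             "Files:\n")
    samples = {"good.deb": b"hello\n", "corrupt.deb": b"hellO\n", "truncated.deb": b"hello"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_artifacts(block, d)


if __name__ == "__main__":
    for name, status in demo_on_constructed_files().items():
        print(f"{status:14} {name}")
```

Run against a directory holding the real downloads, `verify_artifacts(CHANGES_EXCERPT, "/path/to/downloads")` reports every artifact from the upload; a checksum match only ties the file to this .changes text, so the .changes file itself still has to be trusted through its PGP signature.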

Re: On tomcat FTBFS.

2019-08-07 Thread Sylvain Beucler
Hi,

It appears that the CVE-2017-5647 fix lacked this pre-requisite:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57799
https://svn.apache.org/viewvc?view=revision=1712081

The test case is not flaky anymore; I'm going to test full builds again.

Cheers!
Sylvain

On 07/08/2019 00:45, Sylvain Beucler wrote:
> Hi Markus,
>
> I'm investigating tomcat8's FTBFS and I confirm Abhijith's findings in a
> Jessie VM:
>
> - test catalina/connector/TestSendFile.java fails with nio2 connector
> but is not reliable and will report success ~1 out of 10 even with lots
> of exceptions; catalina.log will report header parsing error and return 400
>
> - it passes reliably without CVE-2017-5647.patch
>
> - the test certificate did expire on 2019-02-27 but changing the date to
> 2019-01-01 and rebuilding does not impact these results
> (incidentally the test certs seem to depend on an external CA
> ca-test.tomcat.apache.org, fixing the certs will require switching to
> the new-style local CA in tomcat8 - if fixing the certs is needed)
>
> As you fixed CVE-2017-5647 as well as generated the last jessie upload,
> I would be interested in your take on this :)
> TestSendFile only got trivial changes, so I guess I'll look for a fix in
> later changes affecting files modified by CVE-2017-5647.
> Still, I'm surprised updates were built given this situation - did
> everybody get lucky with the flaky test or did I miss something?
>
> Cheers!
> Sylvain
>
> On 27/07/2019 20:30, Abhijith PA wrote:
>> Hi,
>>
>>
>> I don't think the link you gave on commit [fe932dd39d] is the reason for
>> the FTBFS. I tried building on a VM that matches the certificate date and it
>> was successful. I also tried disabling all SSL-related tests and it was fine.
>>
>> While doing all these, I found the TestSendFile test is the culprit. In the
>> CVE-2017-5647 security patch a good amount of changes are applied to
>> SendFile*.java and *Nio2*.java. These are mostly about conditions on how
>> long the socket of sendfile keeps active and to take away from it. But I
>> couldn't see any of those changes in its test file. Please take a look at
>> the attached patch. :)
>>
>>
>> --abhijith