Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities
After upgrading to 5.5.25, I also got: Caused by: java.security.AccessControlException: access denied (java.io.FilePermission ...webapps/.../WEB-INF/classes/logging.properties read) I found that it was because the file didn't exist (5.5.20 worked without it). Hope this helps you solve the problem. ps: I tried creating an empty logging.properties file (not knowing if this would break logging). It got me further, but I don't think it is the right thing to do. -- View this message in context: http://www.nabble.com/Re%3A--SECURITY---DSA-1447-1--New-tomcat5.5-packages-fix-several-vulnerabilities-tp14631519p14707946.html Sent from the Debian Security mailing list archive at Nabble.com. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities
On Son, 2008-01-06 at 19:54 +0100, Florian Weimer wrote: > > installing the update breaks webapps > > > > with the following error > > org.apache.commons.logging.LogConfigurationException: > > java.security.AccessControlException: access denied (java.io.FilePermission > > /home/nihil/www/java/WEB-INF/classes/logging.properties read) (Caused by > > java.security.AccessControlException: access denied (java.io.FilePermission > > /home/nihil/www/java/WEB-INF/classes/logging.properties read)) > > (it worked before the update and permission are set correctly, i double > > checked) > > This is odd. Does it work again if you downgrade to the version before > the security update? > > yeah it works if I downgrad. The error also occurs if i use the tomcat5.5-webapps packages (the new one) i provide you the catalina output on link http://michael.nanihil.com/tomcatlog.txt -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities
On Son, 2008-01-06 at 20:14 +0100, Bernd Eckenfels wrote: > In article <[EMAIL PROTECTED]> you wrote: > > (java.io.FilePermission > > /home/nihil/www/java/WEB-INF/classes/logging.properties read) > > > (it worked before the update and permission are set correctly, i double > > checked) > > This is a java security policy violation, not related to OS file > permissions. Maybe you started it with security policy and did not before? > > Gruss > Bernd > > no init.d script always starts with security manager enabled. and I am sure because I had to write java policy for access e.g. my database. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities
In article <[EMAIL PROTECTED]> you wrote: > (java.io.FilePermission > /home/nihil/www/java/WEB-INF/classes/logging.properties read) > (it worked before the update and permission are set correctly, i double > checked) This is a java security policy violation, not related to OS file permissions. Maybe you started it with security policy and did not before? Gruss Bernd -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities
> installing the update breaks webapps > > with the following error > org.apache.commons.logging.LogConfigurationException: > java.security.AccessControlException: access denied (java.io.FilePermission > /home/nihil/www/java/WEB-INF/classes/logging.properties read) (Caused by > java.security.AccessControlException: access denied (java.io.FilePermission > /home/nihil/www/java/WEB-INF/classes/logging.properties read)) > (it worked before the update and permission are set correctly, i double > checked) This is odd. Does it work again if you downgrade to the version before the security update? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities
On Don, 2008-01-03 at 22:54 +0100, Moritz Muehlenhoff wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > - > Debian Security Advisory DSA-1447-1 [EMAIL PROTECTED] > http://www.debian.org/security/ Moritz Muehlenhoff > January 03, 2008 http://www.debian.org/security/faq > - > > Package: tomcat5.5 > Vulnerability : several > Problem type : remote > Debian-specific: no > CVE Id(s) : CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 CVE-2007-5342 > CVE-2007-5461 > installing the update breaks webapps with the following error org.apache.commons.logging.LogConfigurationException: java.security.AccessControlException: access denied (java.io.FilePermission /home/nihil/www/java/WEB-INF/classes/logging.properties read) (Caused by java.security.AccessControlException: access denied (java.io.FilePermission /home/nihil/www/java/WEB-INF/classes/logging.properties read)) (it worked before the update and permission are set correctly, i double checked) this is also the case for tomcat5.5-webapps packages which doesnt work anymore. best regards, michael -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]