Bug#769682: (no subject)

2014-11-15 Thread root
Subject: jenkins-tomcat: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat
Package: jenkins-tomcat
Version: 1.565.3-2.1
Severity: grave
Tags: security

Dear Maintainer,

The Jenkins currently shipped with Debian doesn't correctly set the HttpOnly and
Secure options on session cookies.

The first option prohibits the cookies from being read by scripts, thus preventing
XSS script vulnerabilities from stealing sessions.
The second option prohibits the session cookie from being sent over a clear HTTP
connection, thus preventing malevolent users from stealing the session cookie while
redirecting users to HTTP access.

There is already an upstream bug for this problem located at this URL:
https://issues.jenkins-ci.org/browse/JENKINS-25019
with a proposed fix that only addresses the HttpOnly issue for Tomcat.

The problem is reported in Tomcat log with the following lines:

WARNING: Failed to set secure cookie flag
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at jenkins.model.JenkinsLocationConfiguration.updateSecureSessionFlag(JenkinsLocationConfiguration.java:123)
at jenkins.model.JenkinsLocationConfiguration.load(JenkinsLocationConfiguration.java:71)
at jenkins.model.JenkinsLocationConfiguration.init(JenkinsLocationConfiguration.java:46)
at jenkins.model.JenkinsLocationConfiguration$$FastClassByGuice$$a6785528.newInstance(generated)
at net.sf.cglib.reflect.FastConstructor.newInstance(FastConstructor.java:40)
at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61)
at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:429)
[...]
at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Property HttpOnly can not be added to SessionCookieConfig for context /jenkins as the context has been initialised
at org.apache.catalina.core.ApplicationSessionCookieConfig.setHttpOnly(ApplicationSessionCookieConfig.java:107)
... 90 more

Thanks in advance for your help on this issue.

Yann Rouillard


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages jenkins-tomcat depends on:
ii  jenkins-common  1.565.3-2
ii  tomcat8 8.0.14-1

jenkins-tomcat recommends no packages.

jenkins-tomcat suggests no packages.

-- Configuration Files:
/etc/jenkins/jenkins-tomcat.xml changed [not included]

-- no debconf information

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers.
Please use debian-j...@lists.debian.org for discussions and questions.
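
A defender-side check for the condition reported above, as an added example that is not part of the original report or of the Jenkins or Tomcat code: it parses Set-Cookie header values and lists which of the Secure and HttpOnly flags each session cookie lacks. The session cookie name JSESSIONID and all sample headers are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the Secure and HttpOnly flags.
SESSION_PREFIX = "JSESSIONID"  # assumption: servlet-container default cookie name

# Constructed sample header values (not taken from the bug report).
SAMPLE_HEADERS = [
    "JSESSIONID=0123ABCD; Path=/jenkins",
    "JSESSIONID=0123ABCD; Path=/jenkins; HttpOnly",
    "JSESSIONID=0123ABCD; Path=/jenkins; secure; HTTPONLY",
    "JSESSIONID=secure-httponly; Path=/jenkins",  # flag words inside the value only
    "theme=dark; Path=/jenkins",                  # not a session cookie
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive; flag attributes such as Secure and
    HttpOnly carry no value and are stored with an empty string.
    """
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val
    return name, value, attrs


def missing_flags(header):
    """Return the protective flags absent from one Set-Cookie value."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


def audit(headers, prefix=SESSION_PREFIX):
    """Return (header, missing flags) for each session cookie; skip other cookies."""
    findings = []
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        if name.startswith(prefix):
            findings.append((header, missing_flags(header)))
    return findings


if __name__ == "__main__":
    for header, missing in audit(SAMPLE_HEADERS):
        print("WEAK" if missing else "OK  ", header, missing)
```

Parsing the attributes, rather than searching the header for the substring "secure", keeps a cookie whose value merely contains that word from being reported as protected.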


Bug#425899: tomcat5.5: Tomcat5.5.20-2 fails to install in Debian etch

2007-05-24 Thread root
Package: tomcat5.5
Version: 5.5.20-2
Severity: grave
Justification: renders package unusable

Unable to install tomcat5.5 in Debian etch system. This section of
'aptitude install tomcat5.5' shows error:
 
Setting up libservlet2.4-java (5.0.30-3) ...
Setting up libcommons-el-java (1.0-3) ...
Setting up libcommons-launcher-java (1.1-3) ...
Setting up liblog4j1.2-java (1.2.13-2) ...
Setting up libmx4j-java (2.1.1-4) ...
Setting up libcommons-modeler-java (1.1-8) ...
Setting up libtomcat5.5-java (5.5.20-2) ...
Setting up tomcat5.5 (5.5.20-2) ...
Adding system user `tomcat55' (UID 110) ...
Adding new user `tomcat55' (UID 110) with group `nogroup' ...
Not creating home directory `/usr/share/tomcat5.5'.
Installing /var/lib/tomcat5.5/conf/tomcat-users.xml.
Starting Tomcat servlet engine: tomcat5.5invoke-rc.d: initscript
tomcat5.5, action start failed.
dpkg: error processing tomcat5.5 (--configure):
 subprocess post-installation script returned error exit status 1
Setting up libgcj7-dev (4.1.1-20) ...
Setting up gcj-4.1 (4.1.1-20) ...

Setting up java-gcj-compat-dev (1.0.65-10) ...

Setting up libgcj7-src (4.1.1-20) ...
Errors were encountered while processing:
 tomcat5.5
 E: Sub-process /usr/bin/dpkg returned an error code (1)
 A package failed to install.  Trying to recover:
Setting up tomcat5.5 (5.5.20-2) ...
Starting Tomcat servlet engine: tomcat5.5invoke-rc.d: initscript
 tomcat5.5, action start failed.
 dpkg: error processing tomcat5.5 (--configure):
  subprocess post-installation script returned error exit status 1
  Errors were encountered while processing:
  tomcat5.5
cn2:~/mysql_backup# 

This may be related to bug 418826, because it seems to involve the
init.d/ script.

reportbug reports that there is an updated version of tomcat5.5-20-5 in
unstable, but I'd prefer to stay with the stable etch distribution if I
can.

Thanks for looking into this problem.

-Kevin Zembower


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages tomcat5.5 depends on:
ii  adduser                   3.102      Add and remove users and groups
ii  apache2-utils             2.2.3-4    utility programs for webservers
ii  apache2.2-common          2.2.3-4    Next generation, scalable, extenda
ii  ecj-bootstrap             3.2.1-3    bootstrap version of the Eclipse J
ii  gij-4.1 [java2-runtime]   4.1.1-20   The GNU Java bytecode interpreter
ii  java-gcj-compat-dev       1.0.65-10  Java runtime environment with GCJ
ii  libtomcat5.5-java         5.5.20-2   Java Servlet engine -- core librar

tomcat5.5 recommends no packages.

-- no debconf information


___
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers

