[Bug 1166649] Re: Multiple open vulnerabilities in tomcat6 in quantal and raring

2013-05-20 Thread Christian Kuersteiner
Having sat too long on this patch for quantal and not really being able to enable the 
testsuite, I thought I'd just drop it here. Even with some hints from jamespage I 
could not run the built-in tests and didn't really have enough time to look 
further into it.
The changes are all done as in upstream, and it builds and installs fine. I didn't 
see any problems from basic testing.

** Patch added: "lp1166649-quantal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/1166649/+attachment/3682137/+files/lp1166649-quantal.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat6 in Ubuntu.
https://bugs.launchpad.net/bugs/1166649

Title:
  Multiple open vulnerabilities in tomcat6 in quantal and raring

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/1166649/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1166649] [NEW] Multiple open vulnerabilities in tomcat6 in quantal and raring

2013-04-09 Thread Christian Kuersteiner
*** This bug is a security vulnerability ***

Public security bug reported:

Tomcat6 on quantal and raring includes multiple vulnerabilities.

See http://people.canonical.com/~ubuntu-security/cve/pkg/tomcat6.html

** Affects: tomcat6 (Ubuntu)
 Importance: Undecided
 Status: New

** Information type changed from Private Security to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2733

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3546

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4431

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4534

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5885

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5886

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5887



[Bug 1166649] Re: Multiple open vulnerabilities in tomcat6 in quantal and raring

2013-04-09 Thread Christian Kuersteiner
I prepared a patch but want to test it first. Is there a testsuite
available in tomcat6 and is it enabled?



[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

2013-04-02 Thread Christian Kuersteiner
Jamie,

There seems to be a problem with the updated package.

See https://plus.google.com/112659624466139657672/posts/cMaEhQbcdGL

I guess the precise package causes the problem. Was there anything added
regarding startup?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat7 in Ubuntu.
https://bugs.launchpad.net/bugs/1115053

Title:
  Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+subscriptions



[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

2013-03-20 Thread Christian Kuersteiner
This is the precise patch. Hopefully it goes smoother this time ;)

Note that I got certificate errors when I ran the testsuite (in
TestClientCert.BIO.txt, TestClientCert.NIO.txt, TestCustomSSL.BIO.txt,
TestCustomSSL.NIO.txt, TestSSL.BIO.txt and TestSSL.NIO.txt). However, I
got the exact same errors/failures before my changes were applied.

** Patch added: "lp1115053-precise.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3586475/+files/lp1115053-precise.debdiff



[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

2013-03-12 Thread Christian Kuersteiner
I rewrote the description on CVE-2012-3439.patch and fixed the
whitespace changes in CVE-2012-0022.patch as far as I saw them.

CVE-2012-3439 gave me quite some headache since the upstream testcases had already 
changed a lot and it was hard to adapt them to the oneiric version. Either I 
would have to try to backport all the changes from upstream, which might mean 
changing more or less the whole TesterDigestAuthenticatorPerformance.java and 
cause some further errors because of changes done somewhere else, or I 
leave the testcases as they are and just adopt the needed changes made in the 
methods in DigestAuthenticator.java.
I went with the second option since the actual security bug was patched in 
DigestAuthenticator.java. This let me omit the inclusion of 
ConcurrentMessageDigest.java since this class is only used in the updated 
testcases. I think it was the right decision, but let me know if you think 
differently.

This is just additional information to the DEP-3 description in
CVE-2012-3439.patch.

** Patch added: "lp1115053-oneiric-5.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3571362/+files/lp1115053-oneiric-5.debdiff



[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

2013-03-04 Thread Christian Kuersteiner
Finally the tests run without any errors. I hope everything is okay now
with the patch. Thanks for your patience anyway.

** Patch added: "lp1115053-oneiric-4.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3557794/+files/lp1115053-oneiric-4.debdiff



[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

2013-02-27 Thread Christian Kuersteiner
I updated the DEP-3 comments according to your input. I hope it's easier
now to understand the patches I made. For some patches I didn't find the
corresponding upstream bugs, so I left them out. As far as I can see, the
Bug field is optional.

The testsuite additions are now included. I got one error (failure in
TestAsyncContextImpl) when I ran the tests. However, I could not
attribute the error to any changes of my patch. I ran the tests in a VM
and am wondering if that might cause the problem.

Let me know if there are some further problems. Thanks.

** Patch added: "lp1115053-oneiric-3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3549166/+files/lp1115053-oneiric-3.debdiff



[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

2013-02-17 Thread Christian Kuersteiner
I see. Thanks for the further comments. I will see that I can fix this
and prepare a new debdiff.



[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

2013-02-13 Thread Christian Kuersteiner
Jamie,

Thanks for the info. There is a fix for CVE-2012-2733 for tomcat7 from
upstream (see
http://svn.apache.org/viewvc?view=revision&revision=1350301).

Did you see the new debdiff for oneiric in comment #5? All the fixes for
the CVEs I am aware of should be in it (as well CVE-2012-2733). Please
let me know if the changelog is okay like that and of course if there
are any other improvements/changes I should make. As soon as that one is
approved I will upload the precise debdiff.

Thanks



[Bug 1115053] Re: Parameter Handling Denial of Service in Oneiric

2013-02-10 Thread Christian Kuersteiner
Here is an updated debdiff with all the fixes.

Please note: CVE-2011-4858 is resolved through the patch for CVE-2012-0022.
CVE-2012-5568 is seen as a non-issue for Tomcat (see
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat).

Is the formatting of the changelog okay like this?

** Patch added: "lp1115053-oneiric-2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3523657/+files/lp1115053-oneiric-2.debdiff

** Changed in: tomcat7 (Ubuntu)
   Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat7 in Ubuntu.
https://bugs.launchpad.net/bugs/1115053

Title:
  Parameter Handling Denial of Service in Oneiric

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+subscriptions



[Bug 1115053] Re: Parameter Handling Denial of Service in Oneiric

2013-02-10 Thread Christian Kuersteiner
From CVE-2012-2733 on, Precise is affected too. Should I create a new bug for 
it or add a future debdiff here?
Also, some CVEs affect tomcat6 as well. Same question: new bug or add here?



[Bug 1115053] Re: Parameter Handling Denial of Service in Oneiric

2013-02-05 Thread Christian Kuersteiner
Yeah, I will see that I can prepare one debdiff with all the fixes.



[Bug 1115053] [NEW] Parameter Handling Denial of Service in Oneiric

2013-02-04 Thread Christian Kuersteiner
*** This bug is a security vulnerability ***

Public security bug reported:

Oneiric tomcat7 (version 7.0.21-1) has the following vulnerability:

Apache Tomcat is prone to a denial-of-service vulnerability. An attacker
may leverage this issue to consume an excessive amount of CPU resources,
causing a denial-of-service condition.

See:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.23

This vulnerability affects just oneiric.

** Affects: tomcat7 (Ubuntu)
 Importance: Undecided
 Status: New

** Information type changed from Private Security to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0022



[Bug 1115053] Re: Parameter Handling Denial of Service in Oneiric

2013-02-04 Thread Christian Kuersteiner
** Patch added: "lp1115053-oneiric.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3514213/+files/lp1115053-oneiric.debdiff

** Changed in: tomcat7 (Ubuntu)
   Status: New => Confirmed
