[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
One could also adjust the scripts to stop. Again, from the man page:

  A common system administration error is to delete the links with the
  thought that this will "disable" the service, i.e., that this will
  prevent the service from being started. However, if all links have been
  deleted then the next time the package is upgraded, the package's
  postinst script will run update-rc.d again and this will reinstall links
  at their factory default locations. The correct way to disable services
  is to configure the service as stopped in all runlevels in which it is
  started by default. In the System V init system this means renaming the
  service's symbolic links from S to K.

--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat7 in Ubuntu.
https://bugs.launchpad.net/bugs/1115053

Title:
  Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
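As an added example (not code from the bug thread or from the tomcat7 package), the POSIX shell script below shows the distinction the man page draws: it classifies a service's rc?.d links as enabled, correctly stopped (K links only), or missing (links deleted, which update-rc.d would silently re-create at the next upgrade), and renames S links to K links the way update-rc.d does. It works on a constructed rc tree in a temporary directory, never on the real /etc; the service names demo-stopped and demo-missing are made up for the fixture.

```shell
#!/bin/sh
# Added example, not from the bug thread or the tomcat7 packaging: audit and
# fix how a System V service is "disabled", following the update-rc.d man
# page. Everything runs on a constructed rc tree under a temp directory.

# Print one word describing service $2 under rc root $1 (e.g. /etc):
#   enabled - an S link exists in at least one of runlevels 2-5
#   stopped - only K links in runlevels 2-5 (the correct way to disable)
#   missing - no links at all; the package postinst will re-create the
#             factory defaults on the next upgrade
rc_state() {
    rs_root=$1; rs_svc=$2; rs_s=0; rs_k=0
    for rl in 2 3 4 5; do
        for f in "$rs_root/rc$rl.d"/[SK]??"$rs_svc"; do
            # an unmatched glob stays literal: skip it (dangling links count)
            [ -e "$f" ] || [ -L "$f" ] || continue
            case ${f##*/} in
                S*) rs_s=$((rs_s + 1)) ;;
                K*) rs_k=$((rs_k + 1)) ;;
            esac
        done
    done
    if [ "$rs_s" -gt 0 ]; then echo enabled
    elif [ "$rs_k" -gt 0 ]; then echo stopped
    else echo missing
    fi
}

# Rename S links in runlevels 2-5 to K links, using update-rc.d's convention
# that the K sequence number is 100 minus the S sequence number (S92 -> K08).
stop_service() {
    ss_root=$1; ss_svc=$2
    for rl in 2 3 4 5; do
        for f in "$ss_root/rc$rl.d"/S??"$ss_svc"; do
            [ -e "$f" ] || [ -L "$f" ] || continue
            # strip leading zeros so the number is never parsed as octal
            seq=$(printf '%s' "${f##*/}" | cut -c2-3 | sed 's/^0*//')
            kseq=$(printf '%02d' $((100 - ${seq:-0})))
            mv "$f" "$ss_root/rc$rl.d/K$kseq$ss_svc"
        done
    done
}

# Constructed fixture: tomcat7 with its factory-default links (S92 in 2-5,
# K08 in 0, 1, 6), a made-up service already stopped the right way, and a
# made-up service whose links were simply deleted. Prints the temp root.
make_fixture() {
    mf_root=$(mktemp -d)
    mkdir -p "$mf_root/init.d"
    for rl in 0 1 2 3 4 5 6; do mkdir -p "$mf_root/rc$rl.d"; done
    for svc in tomcat7 demo-stopped demo-missing; do
        : > "$mf_root/init.d/$svc"
    done
    for rl in 2 3 4 5; do
        ln -s ../init.d/tomcat7 "$mf_root/rc$rl.d/S92tomcat7"
        ln -s ../init.d/demo-stopped "$mf_root/rc$rl.d/K08demo-stopped"
    done
    for rl in 0 1 6; do
        ln -s ../init.d/tomcat7 "$mf_root/rc$rl.d/K08tomcat7"
        ln -s ../init.d/demo-stopped "$mf_root/rc$rl.d/K08demo-stopped"
    done
    echo "$mf_root"
}

# Stand-alone demo: audit all three, stop tomcat7 properly, audit again.
demo() {
    d_root=$(make_fixture)
    for svc in tomcat7 demo-stopped demo-missing; do
        printf '%-13s %s\n' "$svc" "$(rc_state "$d_root" "$svc")"
    done
    stop_service "$d_root" tomcat7
    printf 'after fix: tomcat7 %s\n' "$(rc_state "$d_root" tomcat7)"
    rm -rf "$d_root"
}

demo
```

Run against a real system with rc_state /etc tomcat7 to see which of the three states an installed service is in; "missing" is the state the man page warns about.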
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
There was nothing added to the package regarding startup. The user reports that after using update-rc.d to manage when tomcat7 would start, they are added back when upgrading. Note that the update-rc.d manpage states:

  "Please note that this program was designed for use in package
  maintainer scripts and, accordingly, has only the very limited
  functionality required by such scripts. System administrators are not
  encouraged to use update-rc.d to manage runlevels."

This is arguably a problem in the tomcat7 packaging, not a problem with this security update. Looking at /var/lib/dpkg/info/tomcat7.postinst, dh_installinit will unconditionally add the files back. Often, server software is packaged such that the initscript will honor /etc/default/. /etc/default/tomcat7 does exist, but there is no setting in there to short circuit startup.

As I understand the current tomcat7 packaging after looking at it for a few minutes, rather than using update-rc.d, the user should either edit settings in /etc/tomcat7 or add an 'exit 0' to /etc/init.d/tomcat7 if tomcat7 should be installed but not started.
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Jamie,

There seems to be a problem with the updated package. See https://plus.google.com/112659624466139657672/posts/cMaEhQbcdGL

I guess the precise package causes the problem. Was there anything added regarding startup?
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
This bug was fixed in the package tomcat7 - 7.0.26-1ubuntu1.2

---
tomcat7 (7.0.26-1ubuntu1.2) precise-security; urgency=low

  [Christian Kuersteiner]
  * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat7 (LP: #1115053)
    - debian/patches/0013-CVE-2012-2733.patch: Fix for Apache Tomcat Denial
      of Service. Based on upstream patch.
    - CVE-2012-2733
    - debian/patches/0014-CVE-2012-3546.patch: Fix for bypass of security
      constraints. Based on upstream patch.
    - CVE-2012-3546
    - debian/patches/0015-CVE-2012-4431.patch: Fix for bypass of CSRF
      prevention filter. Based on upstream patch.
    - CVE-2012-4431
    - debian/patches/0016-CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial
      of Service Vulnerability. Based on upstream patch.
    - CVE-2012-4534
    - debian/patches/CVE-2012-3439.patch: Fix for DIGEST authentication
      weaknesses. Based on upstream patch.
    - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, 2012-5887

  [ Jamie Strandboge ]
  * allow for easily running the testsuite:
    - debian/control: add testsuite build-depends
    - debian/rules:
      + add 'testsuite' target
      + add ANT_TS_ARGS for use in the testsuite target
      + cleanup the testsuite
    - add debian/README.source for information on how to use the testsuite

 -- Christian Kuersteiner  Tue, 19 Mar 2013 14:48:19 +0100

** Changed in: tomcat7 (Ubuntu Precise)
       Status: Fix Committed => Fix Released
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Thanks for your debdiff for Ubuntu 12.04. I verified it against upstream and it looks good. The build log looks fine and after several runs through the testsuite, I've noted the intermittent tests in QRT (this took a while and was a bit frustrating). Uploading to the security PPA now. Will publish when it is done building.

** Changed in: tomcat7 (Ubuntu Precise)
       Status: Triaged => Fix Committed
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
This is the precise patch. Hopefully it goes smoother this time ;)

Note that I got certificate errors when I ran the testsuite (in TestClientCert.BIO.txt, TestClientCert.NIO.txt, TestCustomSSL.BIO.txt, TestCustomSSL.NIO.txt, TestSSL.BIO.txt and TestSSL.NIO.txt). However, I got the exact same errors/failures already before my changes were applied.

** Patch added: "lp1115053-precise.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3586475/+files/lp1115053-precise.debdiff
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Unsubscribing ubuntu-security-sponsors for now. Please resubscribe after a precise debdiff has been attached. Thanks!
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
** Branch linked: lp:~ubuntu-branches/ubuntu/oneiric/tomcat7/oneiric-security
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
This bug was fixed in the package tomcat7 - 7.0.21-1ubuntu0.1

---
tomcat7 (7.0.21-1ubuntu0.1) oneiric-security; urgency=low

  [Christian Kuersteiner]
  * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat7 (LP: #1115053)
    - debian/patches/CVE-2012-0022.patch: Fix for Denial of service. Based
      on upstream patch.
    - CVE-2012-0022, CVE-2011-4858
    - debian/patches/CVE-2011-3375.patch: Fix for information disclosure.
      Based on upstream patch.
    - CVE-2011-3375
    - debian/patches/CVE-2011-3376.patch: Fix for privilege escalation.
      Based on upstream patch.
    - CVE-2011-3376
    - debian/patches/CVE-2012-2733.patch: Fix for Apache Tomcat Denial of
      Service. Based on upstream patch.
    - CVE-2012-2733
    - debian/patches/CVE-2012-3546.patch: Fix for bypass of security
      constraints. Based on upstream patch.
    - CVE-2012-3546
    - debian/patches/CVE-2012-4431.patch: Fix for bypass of CSRF prevention
      filter. Based on upstream patch.
    - CVE-2012-4431
    - debian/patches/CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial of
      Service Vulnerability. Based on upstream patch.
    - CVE-2012-4534
    - debian/patches/CVE-2012-3439.patch: Fix for DIGEST authentication
      weaknesses. Based on upstream patch.
    - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, 2012-5887

  [ Jamie Strandboge ]
  * allow for easily running the testsuite:
    - debian/control: add testsuite build-depends
    - debian/rules:
      + add 'testsuite' target
      + add ANT_TS_ARGS for use in the testsuite target
      + cleanup the testsuite
    - add debian/README.source for information on how to use the testsuite

 -- Christian Kuersteiner  Fri, 15 Mar 2013 15:40:27 -0700

** Changed in: tomcat7 (Ubuntu Oneiric)
       Status: In Progress => Fix Released
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Thanks Christian. I updated the timestamp in the changelog, otherwise looked good to me. Thanks, this was a beast.
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
I rewrote the description on CVE-2012-3439.patch and fixed the whitespace changes in CVE-2012-0022.patch as far as I saw them.

CVE-2012-3439 gave me quite some headache since the testcases upstream had already changed a lot before, and it was hard to adapt to the oneiric version. Either I would have to try to backport all the changes from upstream, which might mean changing more or less the whole TesterDigestAuthenticatorPerformance.java and causing some further errors because of changes done somewhere else. Or I leave the testcases as they are and just adapt the needed changes made in the methods in DigestAuthenticator.java. I went with the second option since the actual security bug was patched in DigestAuthenticator.java. This let me omit the inclusion of ConcurrentMessageDigest.java since this class is just used in the updated testcases. I think it was the right decision but let me know if you think differently. This is just additional information to the DEP-3 description in CVE-2012-3439.patch.

** Patch added: "lp1115053-oneiric-5.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3571362/+files/lp1115053-oneiric-5.debdiff
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Unsubscribing ubuntu-security-sponsors for now. Please resubscribe after commenting/resubmitting.
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Thanks for reworking this. This is quite the patch set! :)

I can confirm that it ran the testsuite with no added failures or errors. Comparing the buildlogs also looks good. In reviewing these:

CVE-2011-3375.patch - ACK
CVE-2011-3376.patch - ACK
CVE-2012-0022.patch - ACK (had some whitespace changes, but ok)
CVE-2012-2733.patch - ACK
CVE-2012-3439.patch - not all commits are mentioned in the patch
CVE-2012-3546.patch - ACK
CVE-2012-4431.patch - ACK
CVE-2012-4534.patch - ACK

Can you comment more on CVE-2012-3439.patch? I compared it to upstream's http://svn.apache.org/viewvc?view=rev&rev=1377807 as per your DEP-3 comments, but there were quite a few changes. You mentioned that you "Cherrypicked changes in TesterDigestAuthenticatorPerformance.java to adapt to the changes made in the other files since test cases for 7.0.30 are completely different to the one in 7.0.21", which is fine, but those cherrypicked commits should also be listed.

Thanks for all your hard work on this. We're close! :)
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Finally the tests run without any errors. I hope everything is okay now with the patch. Thanks for your patience anyway.

** Patch added: "lp1115053-oneiric-4.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3557794/+files/lp1115053-oneiric-4.debdiff
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Thanks for the updated debdiff. Unfortunately, I am also getting the following additional test suite failure:

output/build/logs/TEST-org.apache.catalina.core.TestAsyncContextImpl.BIO.txt:
Tests run: 32, Failures: 1, Errors: 0, Time elapsed: 75.853 sec

This definitely needs to be tracked down before we can ACK the debdiff and upload it to Oneiric to make sure we do not regress our users.

I am unsubscribing ubuntu-security-sponsors for now. Please re-subscribe the group once the regression has been tracked down and a corrected debdiff has been attached. Thanks.
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
I updated the DEP-3 comments according to your input. I hope it's easier now to understand the patches I made. For some patches I didn't find the according upstream bugs so I left them out. As far as I see, the Bug- field is optional.

The testsuite additions are now included. I got one error (failure in TestAsyncContextImpl) when I ran the tests. However, I could not attribute the error to any changes of my patch. I ran the tests in a VM and I am wondering if that might cause the problem.

Let me know if there are some further problems. Thanks.

** Patch added: "lp1115053-oneiric-3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3549166/+files/lp1115053-oneiric-3.debdiff
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
I see. Thanks for the further comments. I will see that I can fix this and prepare a new debdiff.
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
When you submit your new debdiffs, please include my testsuite additions for future use (the testsuite is enabled in the build and shouldn't change the build in any way-- it just adds a new target to make testing easier). Thanks!

** Changed in: tomcat7 (Ubuntu Oneiric)
       Status: Triaged => In Progress

** Changed in: tomcat7 (Ubuntu Oneiric)
     Assignee: (unassigned) => Christian Kuersteiner (ckuerste)
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
** Patch added: "add testsuite to precise packaging"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3530843/+files/tomcat7_7.0.26-1ubuntu1.2.debdiff
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
** Patch added: "add testsuite to oneiric packaging"
   https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3530842/+files/tomcat7_7.0.21-1ubuntu0.1.debdiff
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Thanks for your work on this! I have some comments though:

* the patches have DEP-3 comments (great!) but they point to a web page. I think it would be much better to include that URL in the description, then use an Origin stanza for the commits, and 'Bug: '. If you are backporting patches, you should use 'Origin: backport, ' and the description should discuss your backporting. This will greatly speed up sponsoring, especially for non-trivial patchsets like this one

* looking at the patch commits most of them seem fine, but could you explain CVE-2012-0022.patch and CVE-2012-3439.patch a bit more?

You also didn't note the testing performed. I recalled that tomcat7 has a testsuite but that it wasn't enabled in the build in Ubuntu 11.10 and 12.04 LTS. After applying your patches, I ran the testsuite and it fails with:

test-compile:
    [mkdir] Created dir: /home/jamie/ubuntu/sbuild/tomcat7/oneiric/fix/tomcat7-7.0.21/output/testclasses
    [javac] Compiling 152 source files to /home/jamie/ubuntu/sbuild/tomcat7/oneiric/fix/tomcat7-7.0.21/output/testclasses
    [javac] /home/jamie/ubuntu/sbuild/tomcat7/oneiric/fix/tomcat7-7.0.21/test/org/apache/catalina/authenticator/TesterDigestAuthenticatorPerformance.java:263: cannot find symbol
    [javac] symbol  : method setCnonceCacheSize(int)
    [javac] location: class org.apache.catalina.authenticator.DigestAuthenticator
    [javac]         authenticator.setCnonceCacheSize(100);
    [javac]                      ^
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] 1 error

BUILD FAILED

In an effort to make this easier to test going forward, I have created debdiffs for oneiric and precise (attached) that add a 'testsuite' target. In essence, you would:

1. apply your patches
2. as root in a chroot:
   # apt-get build-dep tomcat7
   # apt-get install junit4 libjstl1.1-java libjakarta-taglibs-standard-java
3. as a normal user in the same chroot:
   $ debian/rules testsuite

See debian/README.source in my attached debdiff for details (and a known testsuite failure).

NAK until the testsuite failures are addressed. As per our sponsoring procedures, I am assigning you to the bug and unsubscribing ubuntu-security-sponsors. Please resubscribe when you have updated debdiffs that pass the testsuite.

Thanks again for your work on this!

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3439
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Oh yes, you are of course right. I was thinking of CVE-2012-5568. Reviewing oneiric now. Thanks!
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Jamie,

Thanks for the info. There is a fix for CVE-2012-2733 for tomcat7 from upstream (see http://svn.apache.org/viewvc?view=revision&revision=1350301).

Did you see the new debdiff for oneiric in comment #5? All the fixes for the CVEs I am aware of should be in it (as well CVE-2012-2733). Please let me know if the changelog is okay like that and of course if there are any other improvements/changes I should make. As soon as that one is approved I will upload the precise debdiff.

Thanks
[Bug 1115053] Re: Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10
Unsubscribing ubuntu-security-sponsors for now-- please resubscribe when you resubmit. Thanks again for your work on this! :)