Debian Bug report logs - #695250
tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 6 Dec 2012 07:48:01 UTC

Severity: grave

Tags: security

Fixed in version tomcat6/6.0.35-6

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#695250; Package tomcat6. (Thu, 06 Dec 2012 07:48:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Dec 2012 07:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546
Date: Thu, 06 Dec 2012 08:43:30 +0100
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole

More Tomcat security issues have been disclosed:
http://tomcat.apache.org/security-6.html

The page contains links to the upstream fixes.

BTW, is there a specific reason why both tomcat6 and tomcat7 are present in Wheezy?
This will duplicate all efforts for security updates in Wheezy.

Cheers,
        Moritz



Added tag(s) pending. Request was from tony mancill <tmancill@debian.org> to control@bugs.debian.org. (Fri, 07 Dec 2012 06:15:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#695250; Package tomcat6. (Fri, 07 Dec 2012 06:27:04 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 07 Dec 2012 06:27:04 GMT)


Message #12 received at 695250@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 695250@bugs.debian.org
Subject: Re: Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546
Date: Thu, 06 Dec 2012 22:23:17 -0800
On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote:
> Package: tomcat6
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> More Tomcat security issues have been disclosed:
> http://tomcat.apache.org/security-6.html
> 
> The page contains links to the upstream fixes.
> 
> BTW, is there a specific reason why both tomcat6 and tomcat7 are present in Wheezy?
> This will duplicate all efforts for security updates in Wheezy.

Hi Moritz,

I have an updated package that includes the patches for these 3 CVEs and
am doing some smoke-testing now.  But before I upload, I have a question
about what is permissible to include in the upload.  I'd like to rename
the patches that were included in the 6.0.35-5+nmu1 upload so they
follow the same naming convention as the other patches in the package
and include the origin patch header.  (As you point out, after all,
we'll be supporting this package for a long time to come.)  Also, I'd
like to "quilt refresh" the patches in the package, as they're getting a
bit fuzzy.  So, no substantive or real packaging changes, but the
interdiff will be a bit larger.  Is that okay, or should I upload with
only the new patches for the CVEs applied?

Regarding tomcat6 and tomcat7, although they are certainly related, they
implement different versions of the servlet and JSP specifications [1],
and there are still a number of organizations running applications
developed for/tested on tomcat6 in production.  There is a migration
guide for going from 6.x to 7.x that must be taken into consideration [2].

But specifically for Debian, there are still a number of packages in
wheezy that depend explicitly on tomcat6 and/or libservlet2.5-java.
According to popcon, tomcat6 is about 5x more popular than tomcat7, and
libservlet2.5 is quite popular indeed [3,4].

Thank you,
tony

[1] http://tomcat.apache.org/whichversion.html
[2] http://tomcat.apache.org/migration-7.html
[3] http://qa.debian.org/popcon.php?package=tomcat6
[4] http://qa.debian.org/popcon.php?package=tomcat7



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#695250; Package tomcat6. (Fri, 07 Dec 2012 08:21:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 07 Dec 2012 08:21:03 GMT)


Message #17 received at 695250@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: tony mancill <tmancill@debian.org>
Cc: 695250@bugs.debian.org
Subject: Re: Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546
Date: Fri, 7 Dec 2012 09:15:02 +0100
On Thu, Dec 06, 2012 at 10:23:17PM -0800, tony mancill wrote:
> On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote:
> > Package: tomcat6
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > More Tomcat security issues have been disclosed:
> > http://tomcat.apache.org/security-6.html
> > 
> > The page contains links to the upstream fixes.
> > 
> > BTW, is there a specific reason why both tomcat6 and tomcat7 are present in Wheezy?
> > This will duplicate all efforts for security updates in Wheezy.
> 
> Hi Moritz,
> 
> I have an updated package that includes the patches for these 3 CVEs and
> am doing some smoke-testing now.  But before I upload, I have a question
> about what is permissible to include in the upload.  I'd like to rename
> the patches that were included in the 6.0.35-5+nmu1 upload so they
> follow the same naming convention as the other patches in the package
> and include the origin patch header.  (As you point out, after all,
> we'll be supporting this package for a long time to come.)  Also, I'd
> like to "quilt refresh" the patches in the package, as they're getting a
> bit fuzzy.  So, no substantive or real packaging changes, but the
> interdiff will be a bit larger.  Is that okay, or should I upload with
> only the new patches for the CVEs applied?

Release managers are busy enough already, so please keep it as minimal
as possible.
 
> Regarding tomcat6 and tomcat7, although they are certainly related, they
> implement different versions of the servlet and JSP specifications [1],
> and there are still a number of organizations running applications
> developed for/tested on tomcat6 in production.  There is a migration
> guide for going from 6.x to 7.x that must be taken into consideration [2].
> 
> But specifically for Debian, there are still a number of packages in
> wheezy that depend explicitly on tomcat6 and/or libservlet2.5-java.
> According to popcon, tomcat6 is about 5x more popular than tomcat7, and
> libservlet2.5 is quite popular indeed [3,4].

Ok, but tomcat6 should be removed for jessie, then.

Cheers,
        Moritz



Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Sat, 08 Dec 2012 04:51:10 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 08 Dec 2012 04:51:10 GMT)


Message #22 received at 695250-close@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 695250-close@bugs.debian.org
Subject: Bug#695250: fixed in tomcat6 6.0.35-6
Date: Sat, 08 Dec 2012 04:47:40 +0000
Source: tomcat6
Source-Version: 6.0.35-6

We believe that the bug you reported is fixed in the latest version of
tomcat6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 695250@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated tomcat6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 06 Dec 2012 21:10:11 -0800
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.4-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs tomcat6-extras
Architecture: source all
Version: 6.0.35-6
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description: 
 libservlet2.4-java - Transitional package for libservlet2.5-java
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
 libtomcat6-java - Servlet and JSP engine -- core libraries
 tomcat6    - Servlet and JSP engine
 tomcat6-admin - Servlet and JSP engine -- admin web applications
 tomcat6-common - Servlet and JSP engine -- common files
 tomcat6-docs - Servlet and JSP engine -- documentation
 tomcat6-examples - Servlet and JSP engine -- example web applications
 tomcat6-extras - Servlet and JSP engine -- additional components
 tomcat6-user - Servlet and JSP engine -- tools to create user instances
Closes: 692440 695250
Changes: 
 tomcat6 (6.0.35-6) unstable; urgency=high
 .
   * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
     - Thank you to Michael Gilbert.
   * Add patches for the following security issues: (Closes: #695250)
     - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546
Checksums-Sha1: 
Checksums-Sha256: 
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Jan 2013 07:28:24 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:13:38 2019; Machine Name: buxtehude
