[Bug 1624632] Re: Sync tomcat8 8.0.36-3 (main) from Debian unstable (main)
ChristianEhrhardt
1624632 at bugs.launchpad.net
Mon Sep 19 16:56:02 UTC 2016
Hi Locutus,
thanks for the report, but this would include this change:
"Depend on taglibs-standard instead of jakarta-taglibs-standard"
That is:
--- tomcat8-8.0.36/debian/control 2016-09-14 09:48:48.000000000 +0200
+++ old/tomcat8-8.0.36/debian/control 2016-08-02 10:50:42.000000000 +0200
@@ -17,8 +17,8 @@
libeasymock-java (>= 3.0),
libecj-java (>= 3.11.0),
libhamcrest-java (>= 1.3),
- libtaglibs-standard-spec-java,
- libtaglibs-standard-impl-java,
+ libjakarta-taglibs-standard-java,
+ libjstl1.1-java,
libobjenesis-java,
lsb-release,
maven-repo-helper
@@ -124,8 +124,8 @@
Package: tomcat8-examples
Architecture: all
-Depends: libtaglibs-standard-spec-java,
- libtaglibs-standard-impl-java,
+Depends: libjakarta-taglibs-standard-java,
+ libjstl1.1-java,
tomcat8-common (>= ${source:Version}),
${misc:Depends}
Description: Apache Tomcat 8 - Servlet and JSP engine -- example web applications
But the former are in main and the new ones only in universe so far:
https://launchpad.net/ubuntu/+source/jakarta-taglibs-standard
https://launchpad.net/ubuntu/+source/taglibs-standard/
I think that kills the current sync request.
Has to be made as delta I think.
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1624632
Title:
Sync tomcat8 8.0.36-3 (main) from Debian unstable (main)
Status in tomcat8 package in Ubuntu:
New
Bug description:
Please sync tomcat8 8.0.36-3 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
* SECURITY UPDATE: privilege escalation via insecure init script
- debian/tomcat8.init: don't follow symlinks when handling the
catalina.out file.
- CVE-2016-1240
Fixed in Debian
Changelog entries since current yakkety version 8.0.36-2ubuntu1:
tomcat8 (8.0.36-3) unstable; urgency=high
* Team upload.
* Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
attackers who have gained access to the server in the context of the
tomcat user through a vulnerability in a web application to replace
the catalina.out file with a symlink to an arbitrary file on the system,
potentially leading to a root privilege escalation.
Thanks to Dawid Golunski for the report.
* Removed the default 128M heap limit (LP: #568823)
* Depend on taglibs-standard instead of jakarta-taglibs-standard
-- Emmanuel Bourg <ebourg at apache.org> Wed, 14 Sep 2016 10:20:28
+0200
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1624632/+subscriptions
More information about the Ubuntu-sponsors
mailing list