[Bug 1624632] Re: Sync tomcat8 8.0.36-3 (main) from Debian unstable (main)

ChristianEhrhardt 1624632 at bugs.launchpad.net
Mon Sep 19 16:56:02 UTC 2016


Hi Locutus,
thanks for the report, but this would include this change:
"Depend on taglibs-standard instead of jakarta-taglibs-standard"

That is:
--- tomcat8-8.0.36/debian/control       2016-09-14 09:48:48.000000000 +0200
+++ old/tomcat8-8.0.36/debian/control   2016-08-02 10:50:42.000000000 +0200
@@ -17,8 +17,8 @@
                      libeasymock-java (>= 3.0),
                      libecj-java (>= 3.11.0),
                      libhamcrest-java (>= 1.3),
-                     libtaglibs-standard-spec-java,
-                     libtaglibs-standard-impl-java,
+                     libjakarta-taglibs-standard-java,
+                     libjstl1.1-java,
                      libobjenesis-java,
                      lsb-release,
                      maven-repo-helper
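Review bot: the hunk reads backwards from the usual old-to-new direction: the `---` side dated 2016-09-14 is the 8.0.36-3 control file and the `+++` side is the `old/` tree, so the `-` lines `libtaglibs-standard-spec-java,` and `libtaglibs-standard-impl-java,` are what the sync would introduce and the `+` lines `libjakarta-taglibs-standard-java,` and `libjstl1.1-java,` are what the current Ubuntu package has. Either swap the diff arguments so the sync shows as additions, or say so explicitly, because the main/universe argument below only holds when read in that direction. These lines also sit in the source stanza's build-dependency list, so the universe packages would be needed at build time, not only at install time.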
@@ -124,8 +124,8 @@
 
 Package: tomcat8-examples
 Architecture: all
-Depends: libtaglibs-standard-spec-java,
-         libtaglibs-standard-impl-java,
+Depends: libjakarta-taglibs-standard-java,
+         libjstl1.1-java,
          tomcat8-common (>= ${source:Version}),
          ${misc:Depends}
 Description: Apache Tomcat 8 - Servlet and JSP engine -- example web applications
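Review bot: read in the same reversed direction, `tomcat8-examples` would come to depend on `libtaglibs-standard-spec-java,` and `libtaglibs-standard-impl-java,`, binaries of the taglibs-standard source that the links below show is only in universe, while tomcat8 itself is in main; a binary in main cannot depend on packages in universe, and that is what blocks the plain sync. The two ways out are to keep the old `Depends: libjakarta-taglibs-standard-java,` / `libjstl1.1-java,` as an Ubuntu delta, as the mail suggests, or to get taglibs-standard promoted to main first so the dependency change can be taken as-is.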


But the former are in main and the new ones only in universe so far:
https://launchpad.net/ubuntu/+source/jakarta-taglibs-standard
https://launchpad.net/ubuntu/+source/taglibs-standard/

I think that kills the current sync request.
Has to be made as delta I think.

https://bugs.launchpad.net/bugs/1624632

Title:
  Sync tomcat8 8.0.36-3 (main) from Debian unstable (main)

Status in tomcat8 package in Ubuntu:
  New

Bug description:
  Please sync tomcat8 8.0.36-3 (main) from Debian unstable (main)

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: privilege escalation via insecure init script
      - debian/tomcat8.init: don't follow symlinks when handling the
        catalina.out file.
      - CVE-2016-1240

  Fixed in Debian

  Changelog entries since current yakkety version 8.0.36-2ubuntu1:

  tomcat8 (8.0.36-3) unstable; urgency=high

    * Team upload.
    * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
      attackers who have gained access to the server in the context of the
      tomcat user through a vulnerability in a web application to replace
      the catalina.out file with a symlink to an arbitrary file on the system,
      potentially leading to a root privilege escalation.
      Thanks to Dawid Golunski for the report.
    * Removed the default 128M heap limit (LP: #568823)
    * Depend on taglibs-standard instead of jakarta-taglibs-standard

   -- Emmanuel Bourg <ebourg at apache.org>  Wed, 14 Sep 2016 10:20:28 +0200
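As an added illustration of the hardening the changelog entry describes (this is not the Debian tomcat8.init script or its actual fix), here is a POSIX sh helper that prepares a service log file without following symlinks, so that a user who can write into the log directory cannot redirect a root-run chown at an arbitrary file; the function name prepare_logfile and its arguments are this example's own:

```shell
#!/bin/sh
# Added example, not taken from tomcat8.init: prepare LOGFILE for an
# unprivileged service without ever dereferencing a symlink at that path.
#
# prepare_logfile FILE OWNER
#   returns 0 when FILE is a regular file owned by OWNER on return,
#   returns 1 and touches nothing when FILE is a symlink or any other
#   non-regular object (FIFO, device, directory, ...).
prepare_logfile() {
    file=$1
    owner=$2

    # -L tests the path itself, not its target: a symlink is refused outright.
    if [ -L "$file" ]; then
        echo "refusing to touch symlink: $file" >&2
        return 1
    fi
    # Anything that exists but is not a regular file is refused as well.
    if [ -e "$file" ] && [ ! -f "$file" ]; then
        echo "refusing non-regular file: $file" >&2
        return 1
    fi
    # Create the file only if it does not exist; noclobber (set -C) makes the
    # redirection fail instead of opening an existing file, which narrows the
    # window between the checks above and the creation.
    if [ ! -e "$file" ]; then
        ( set -C; : > "$file" ) 2>/dev/null || return 1
    fi
    # -h: change the ownership of the path entry itself, never of a target
    # that a symlink might point at.
    chown -h "$owner" "$file" 2>/dev/null || return 1
    return 0
}
```

The chown target in a real init script would be the service account (the tomcat user here); the check pattern is the same.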
