Bug#268002: marked as done (tomcat4: server.xml is publically readable so any user can shutdown)
Debian Bug Tracking System
owner@bugs.debian.org
Wed Jan 5 17:54:02 2005
Your message dated Wed, 05 Jan 2005 19:32:15 -0500
with message-id <E1CmLZX-0005Nq-00@newraff.debian.org>
and subject line Bug#268002: fixed in tomcat4 4.1.31-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Aug 2004 13:51:37 +0000
>From raz@raz.cx Wed Aug 25 06:51:37 2004
Return-path: <raz@raz.cx>
Received: from chiron.progsoc.uts.edu.au (chiron.raz.cx) [138.25.7.6]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1BzyBd-0000yk-00; Wed, 25 Aug 2004 06:51:37 -0700
Received: from host81-154-60-224.range81-154.btcentralplus.com ([81.154.60.224] helo=raz.cx)
by chiron.raz.cx with smtp (Exim 3.35 #1 (Debian))
id 1BzyBb-0003ZI-00
for <submit@bugs.debian.org>; Wed, 25 Aug 2004 23:51:35 +1000
Received: (nullmailer pid 17550 invoked by uid 1000);
Wed, 25 Aug 2004 13:51:29 -0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Roland Turner <raz.qrovna.bet@raz.cx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tomcat4: server.xml is publically readable so any user can shutdown
X-Mailer: reportbug 2.63
Date: Wed, 25 Aug 2004 14:51:29 +0100
Message-Id: <1093441889.814777.17549.nullmailer@raz.cx>
X-RBL-Warning: (dnsbl.sorbs.net) Dynamic IP Address See: http://www.dnsbl.sorbs.net/lookup.shtml?81.154.60.224
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.1 required=4.0 tests=BAYES_44,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: tomcat4
Version: 4.1.30-6
Severity: wishlist
At present, /etc/tomcat4/server.xml is mode 644. This means that any
legitimate user or rogue process has access to the shutdown
string and can shut tomcat down. This is a minor DoS and something of
a corner case (it affects tomcat instances running on large multi-user
boxes and stymies hardening measures designed to allow a server to "play
hurt" (continue giving partial service when partially compromised)),
but still an interesting one. This could be overcome by creating a
tomcat4 group, running the tomcat instance with this group ID,
changing the group ownership of server.xml to tomcat4 and changing
the mode to 640. This provides both confidentiality of the
shutdown secret and prevents a compromised tomcat instance from
manipulating its own configuration (because while the tomcat4
group can read the file, only root can write it).
- Raz
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.6-1-686
Locale: LANG=C, LC_CTYPE=C
Versions of packages tomcat4 depends on:
ii adduser 3.59 Add and remove users and groups
ii apache-utils 1.3.31-3 Utility programs for webservers
ii eclipse-javac [java-compiler 2.1.3-4 Eclipse Java compiler and ant plug
ii j2re1.3 [java-virtual-machin 1.3.1.02b-2 Blackdown Java(TM) 2 Runtime Envir
ii j2re1.4 [java-virtual-machin 1.4.1-6 Blackdown Java(TM) 2 Runtime Envir
ii j2sdk1.3 [java-compiler] 1.3.1.02b-2 Blackdown Java(TM) 2 SDK, Standard
ii j2sdk1.4 [java-compiler] 1.4.1-6 Blackdown Java(TM) 2 SDK, Standard
pn libtomcat4-java Not found.
-- no debconf information
---------------------------------------
Received: (at 268002-close) by bugs.debian.org; 6 Jan 2005 00:38:01 +0000
>From katie@ftp-master.debian.org Wed Jan 05 16:38:01 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CmLf7-0008DX-00; Wed, 05 Jan 2005 16:38:01 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1CmLZX-0005Nq-00; Wed, 05 Jan 2005 19:32:15 -0500
From: Arnaud Vandyck <avdyk@debian.org>
To: 268002-close@bugs.debian.org
X-Katie: $Revision: 1.54 $
Subject: Bug#268002: fixed in tomcat4 4.1.31-1
Message-Id: <E1CmLZX-0005Nq-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Wed, 05 Jan 2005 19:32:15 -0500
Delivered-To: 268002-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Source: tomcat4
Source-Version: 4.1.31-1
We believe that the bug you reported is fixed in the latest version of
tomcat4, which is due to be installed in the Debian FTP archive:
libtomcat4-java_4.1.31-1_all.deb
to pool/contrib/t/tomcat4/libtomcat4-java_4.1.31-1_all.deb
tomcat4-admin_4.1.31-1_all.deb
to pool/contrib/t/tomcat4/tomcat4-admin_4.1.31-1_all.deb
tomcat4-webapps_4.1.31-1_all.deb
to pool/contrib/t/tomcat4/tomcat4-webapps_4.1.31-1_all.deb
tomcat4_4.1.31-1.diff.gz
to pool/contrib/t/tomcat4/tomcat4_4.1.31-1.diff.gz
tomcat4_4.1.31-1.dsc
to pool/contrib/t/tomcat4/tomcat4_4.1.31-1.dsc
tomcat4_4.1.31-1_all.deb
to pool/contrib/t/tomcat4/tomcat4_4.1.31-1_all.deb
tomcat4_4.1.31.orig.tar.gz
to pool/contrib/t/tomcat4/tomcat4_4.1.31.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 268002@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arnaud Vandyck <avdyk@debian.org> (supplier of updated tomcat4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 6 Jan 2005 01:08:59 +0100
Source: tomcat4
Binary: tomcat4-admin tomcat4 tomcat4-webapps libtomcat4-java
Architecture: source all
Version: 4.1.31-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Arnaud Vandyck <avdyk@debian.org>
Description:
libtomcat4-java - Java Servlet engine -- core libraries
tomcat4 - Java Servlet 2.3 engine with JSP 1.2 support
tomcat4-admin - Java Servlet engine -- admin web interfaces
tomcat4-webapps - Java Servlet engine -- documentation and example web applications
Closes: 268002 280453
Changes:
tomcat4 (4.1.31-1) unstable; urgency=low
.
* New upstream release (closes: #280453)
* config file are no more publicly readable (closes: #268002)
* added myself as an uploader
Files:
a62c3ef76e626ae4f847e70b85cf8a5f 1081 contrib/web optional tomcat4_4.1.31-1.dsc
38d81167d50c656181a6a68ecd748e8e 2918717 contrib/web optional tomcat4_4.1.31.orig.tar.gz
1a2ec4e5dce5bbc34150079fac7e62c1 20303 contrib/web optional tomcat4_4.1.31-1.diff.gz
12ec6babce1c319e953825f6bf3862ea 66132 contrib/web optional tomcat4_4.1.31-1_all.deb
765aacf3cf16a168d2cc7907b2320da4 1658876 contrib/web optional libtomcat4-java_4.1.31-1_all.deb
22b7cf827261b3abd064570e8d93c964 1938650 contrib/web optional tomcat4-webapps_4.1.31-1_all.deb
b092e4a5eb386d38dd820a256b7963e9 324500 contrib/web optional tomcat4-admin_4.1.31-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB3ISA4vzFZu62tMIRAl+4AKCAABpkpvHRgxwvyp4Dpwxgs6Ak4gCghiiS
IYK1/7QIZLT9gxrKpbiEek0=
=9WUy
-----END PGP SIGNATURE-----