Bug#840685: tomcat8: DSA-3670 incomplete

paul.szabo at sydney.edu.au paul.szabo at sydney.edu.au
Thu Oct 13 21:42:11 UTC 2016


Dear Markus,

>> [ I contacted team at security.debian.org about this, but no response ... ]
> ... Please send them to the security team
> first and not to a public mailing list.

I did. They did not reply within what seemed a reasonable timeframe.

>> Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so...
> No, we did not modify this part in /etc/init.d/tomcat8. ...

Whoops, sorry, you are right. Now checking, I do not see how I got
confused. This is a separate, maybe new issue.

> ... more information and a working proof
> of concept code are appreciated. ...

Maybe the security team will understand (recognize, accept) the issue
without a PoC. If they reply with such a need, then I will write one.

You or they might accept the suggested patch/fix: mkdir without -p,
chown with -h.

Cheers, Paul

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
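The fix Paul proposes (mkdir without -p, chown with -h), worked through as an added shell example that is not code from the mail or from the Debian tomcat8 package; the function names, the directory path and the owner are assumptions, and the fragile variant is shown only to make the contrast concrete.

```shell
#!/bin/sh
# Added example: a hardened helper for creating a service's runtime
# directory, following the fix suggested in the mail. Function names and
# paths are assumptions, not the Debian tomcat8 init script.

# The fragile pattern: mkdir -p succeeds silently when the path already
# exists (even as a symlink planted by an unprivileged user), and plain
# chown then follows that symlink to whatever it points at.
fragile_mkdir_chown() {
    mkdir -p "$1" && chown "$2" "$1"
}

# The hardened pattern: mkdir without -p fails with EEXIST if anything,
# symlink included, already sits at the path, so the script never adopts
# a pre-existing entry; chown -h acts on the path itself and never
# dereferences a symlink.
safe_mkdir_chown() {
    dir=$1
    owner=$2
    # Explicit check only for a clearer message; mkdir below is the gate.
    if [ -L "$dir" ] || [ -e "$dir" ]; then
        echo "refusing to adopt existing path: $dir" >&2
        return 1
    fi
    mkdir -m 0755 "$dir" || return 1
    chown -h "$owner" "$dir" || return 1
}
```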
