Please backport tomcat7 7.0.42 (main) from saucy/debian to precise [and tomcat-native] to fix serious CVE reports

Bug #1073159 reported by H.-Dirk Schmitt
This bug affects 15 people
Affects           | Status    | Importance | Assigned to | Milestone
Precise Backports | Won't Fix | Undecided  | Unassigned  |
tomcat7 (Ubuntu)  | Won't Fix | High       | Unassigned  |

Bug Description

Please backport tomcat7 7.0.30-0ubuntu1 (main) from raring to precise.

Reason for the backport:
========================
Currently tomcat7 on precise is 7.0.26 (see linked CVE)
quantal is providing 7.0.30 (see some of the linked CVE)
raring is providing 7.0.34

In my opinion it would be good to have the most current tomcat7 version also in precise-backports.
The goal should be providing the latest tomcat7 stable release also via backports in the LTS release of ubuntu.
In addition, the old version is affected by some security issues.

The number of fixes is still impressive :-)
https://tomcat.apache.org/tomcat-7.0-doc/changelog.html

NOTE: In tomcat 7.0.34 the APR library has changed. To satisfy the runtime dependency, tomcat-native should also be backported.

Testing:
========
Mark off items in the checklist [X] as you test them, but please leave the checklist so that backporters can quickly evaluate the state of testing.

You can test-build the backport in your PPA with backportpackage:
$ backportpackage -u ppa:<lp username>/<ppa name> -s raring -d precise tomcat7

--> see ppa:dirk-computer42/c42-backport

* precise:
[X] Package builds without modification
[X] tomcat7-common installs cleanly and runs
[X] libservlet3.0-java installs cleanly and runs
[X] tomcat7-docs installs cleanly and runs
[X] libservlet3.0-java-doc installs cleanly and runs
[X] tomcat7 installs cleanly and runs
[X] libtomcat7-java installs cleanly and runs
[X] tomcat7-user installs cleanly and runs
[X] tomcat7-admin installs cleanly and runs
[X] tomcat7-examples installs cleanly and runs

Reverse dependencies:
=====================
The following reverse-dependencies need to be tested against the new version of tomcat7. For reverse-build-dependencies (-Indep), please test that the package still builds against the new tomcat7. For reverse-dependencies, please test that the version of the package currently in the release still works with the new tomcat7 installed. Reverse-Recommends, Suggests, and Enhances don't need to be tested, and are listed for completeness' sake.

tomcat7-common
--------------

libservlet3.0-java
------------------
* libjtharness-java
  [ ] precise (Reverse-Depends)
* jtharness
  [ ] precise (Reverse-Build-Depends-Indep)

tomcat7-docs
------------

libservlet3.0-java-doc
----------------------

tomcat7
-------

libtomcat7-java
---------------

tomcat7-user
------------

tomcat7-admin
-------------

tomcat7-examples
----------------

Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :

Tomcat7 is a Java application with isolated dependencies. So there shouldn't be any real changes needed to adapt the quantal/raring packages to precise.

tags: added: precise
Logan Rosen (logan)
summary: - tomcat7 7.0.30 (or newer) should be backported to precise
+ Please backport tomcat7 7.0.30-0ubuntu1 (main) from raring
description: updated
affects: tomcat7 (Ubuntu) → precise-backports
tags: removed: precise
Revision history for this message
Micah Gersten (micahg) wrote : Re: Please backport tomcat7 7.0.30-0ubuntu1 (main) from quantal

Please perform the testing requested in the description and let us know if the reverse dependencies still work/build and the binaries install.

summary: - Please backport tomcat7 7.0.30-0ubuntu1 (main) from raring
+ Please backport tomcat7 7.0.30-0ubuntu1 (main) from quantal
Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :

I tried the test scenario above and created a new PPA.
The backport command is failing on a secondary problem:

Successfully signed dsc and changes files
Please check tomcat7 7.0.30-0ubuntu1~precise1~ppa1 in file:///tmp/backportpackage-H8xedr carefully!
Do you want to upload the package to ppa:dirk-computer42/edge [Y|n]? y
Traceback (most recent call last):
  File "/usr/bin/backportpackage", line 322, in <module>
    sys.exit(main(sys.argv))
  File "/usr/bin/backportpackage", line 314, in main
    opts.prompt)
  File "/usr/bin/backportpackage", line 269, in do_backport
    upload, prompt)
  File "/usr/bin/backportpackage", line 233, in do_upload
    check_call(['dput', upload, changes], cwd=workdir)
  File "/usr/bin/backportpackage", line 49, in check_call
    ret = subprocess.call(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/ubuntutools/subprocess.py", line 59, in call
    return Popen(*popenargs, **kwargs).wait()
  File "/usr/lib/python2.7/dist-packages/ubuntutools/subprocess.py", line 44, in __init__
    subprocess.Popen.__init__(self, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 679, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1249, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :
Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :

backport available in ppa:dirk-computer42/c42-backport

description: updated
tags: added: precise
tags: added: backport
Changed in precise-backports:
status: New → Confirmed
Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote : Re: Please backport tomcat7 7.0.34 (main) from raring to precise (and quantal)

Due to the following security problems the current 7.0.34 should be backported.

* CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter (fixed > 7.0.31, affects quantal and precise)
* CVE-2012-3546 Apache Tomcat Bypass of security constraints (fixed > 7.0.29, affects precise)
* CVE-2012-4534 Apache Tomcat denial of service (fixed > 7.0.28, affects precise)

summary: - Please backport tomcat7 7.0.30-0ubuntu1 (main) from quantal
+ Please backport tomcat7 7.0.34 (main) from raring to precise (and
+ quantal)
tags: added: quantal
Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :

A backport is again available in

It works - but the APR has been changed:

> An incompatible version 1.1.22 of the APR based Apache Tomcat Native library is installed, while Tomcat requires version 1.1.24

So in addition, tomcat-native should also be backported.

summary: Please backport tomcat7 7.0.34 (main) from raring to precise (and
- quantal)
+ quantal) [and tomcat-native]
description: updated
summary: Please backport tomcat7 7.0.34 (main) from raring to precise (and
- quantal) [and tomcat-native]
+ quantal) [and tomcat-native] to fix serious CVE reports
Changed in quantal-backports:
status: New → Confirmed
Changed in tomcat7 (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Revision history for this message
John Eikenberry (jae) wrote : Re: Please backport tomcat7 7.0.34 (main) from raring to precise (and quantal) [and tomcat-native] to fix serious CVE reports

Shouldn't this also be backported to Oneiric? It is still a supported version.

Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :

As a workaround my backport in ppa:dirk-computer42/c42-backport may be used.

Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote : Re: Please backport tomcat7 7.0.40 (main) from debian to precise (and quantal) [and tomcat-native] to fix serious CVE reports

The bug report is some days old now - so I updated the goal to 7.0.40.
See also https://bugs.launchpad.net/ubuntu/precise/+source/tomcat7/+bug/1178645
and for libtomcat7-native https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1092548 .

A "no change backport" from debian [7.0.40-2] to precise was built in https://launchpad.net/~dirk-computer42/+archive/c42-edge-server and is distributed in https://launchpad.net/~dirk-computer42/+archive/c42-backport.

For my installations it works without any known problem.

summary: - Please backport tomcat7 7.0.34 (main) from raring to precise (and
+ Please backport tomcat7 7.0.40 (main) from debian to precise (and
quantal) [and tomcat-native] to fix serious CVE reports
summary: - Please backport tomcat7 7.0.40 (main) from debian to precise (and
+ Please backport tomcat7 7.0.40 (main) from saucy/debian to precise (and
quantal) [and tomcat-native] to fix serious CVE reports
Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote : Re: Please backport tomcat7 7.0.40 (main) from saucy/debian to precise (and quantal) [and tomcat-native] to fix serious CVE reports

7.0.40 also fixes CVE-2013-2071

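The CVE list earlier in this report ("fixed > 7.0.31", "fixed > 7.0.29", "fixed > 7.0.28") and the note above that 7.0.40 fixes CVE-2013-2071 amount to a set of version thresholds. The script below is an added example, not code from the bug report or from the tomcat7 packaging, that turns those thresholds into a check of an installed Debian package version string: it strips the epoch and Debian revision, compares the upstream version against each threshold, and lists the CVE ids that still apply. The `7.0.26-1` sample version and the hypothetical `dpkg-query` fallback handling are assumptions made for the example; the thresholds come from the comments on this page.

```python
import re
from typing import Dict, List, Tuple

# Last affected upstream version per CVE, taken from the comments in this
# bug report: "fixed > 7.0.31" means everything up to and including 7.0.31
# is treated as affected. CVE-2013-2071 is stated to be fixed in 7.0.40, so
# 7.0.39 is derived here as the last affected version (not stated verbatim).
LAST_AFFECTED: Dict[str, Tuple[int, ...]] = {
    "CVE-2012-4431": (7, 0, 31),  # bypass of the CSRF prevention filter
    "CVE-2012-3546": (7, 0, 29),  # bypass of security constraints
    "CVE-2012-4534": (7, 0, 28),  # denial of service
    "CVE-2013-2071": (7, 0, 39),  # fixed in 7.0.40 per the comment above
}

_EPOCH = re.compile(r"^\d+:")          # leading "1:" style epoch
_REVISION = re.compile(r"-[^-]*$")     # Debian revision after the last '-'
_NUMERIC_PREFIX = re.compile(r"^(\d+(?:\.\d+)*)")


def upstream_version(debian_version: str) -> Tuple[int, ...]:
    """Reduce a Debian package version to its numeric upstream components.

    '1:7.0.30-0ubuntu1~precise1~ppa1' -> (7, 0, 30): the epoch and the
    Debian revision are dropped, then the leading dotted integers are parsed.
    Raises ValueError when no numeric upstream version can be found.
    """
    version = _EPOCH.sub("", debian_version.strip())
    version = _REVISION.sub("", version)
    match = _NUMERIC_PREFIX.match(version)
    if not match:
        raise ValueError(f"cannot parse upstream version from {debian_version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def affected_cves(debian_version: str) -> List[str]:
    """Return the CVE ids from this report that still apply to the version.

    Tuple comparison gives the usual numeric ordering, so (7, 0, 30) is
    correctly placed between (7, 0, 29) and (7, 0, 31).
    """
    installed = upstream_version(debian_version)
    return sorted(cve for cve, last in LAST_AFFECTED.items() if installed <= last)


def installed_tomcat7_version(fallback: str) -> str:
    """Ask dpkg for the installed tomcat7 version, or use the fallback.

    Assumed helper for running the check on a real Debian/Ubuntu host; the
    fallback keeps the example runnable elsewhere.
    """
    import subprocess
    try:
        result = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", "tomcat7"],
            capture_output=True, text=True, check=True,
        )
        return result.stdout.strip() or fallback
    except (FileNotFoundError, subprocess.CalledProcessError):
        return fallback


if __name__ == "__main__":
    # Constructed sample: precise shipped 7.0.26, the revision "-1" is made up.
    version = installed_tomcat7_version(fallback="7.0.26-1")
    exposed = affected_cves(version)
    if exposed:
        print(f"tomcat7 {version} is still affected by: {', '.join(exposed)}")
    else:
        print(f"tomcat7 {version} is past every fix threshold listed in the report")
```

Run on a precise host with the stock 7.0.26 package, the script reports all four ids; with the 7.0.30 PPA build from the traceback earlier in this report, only CVE-2012-4431 and CVE-2013-2071 remain, which matches the comment that CVE-2012-4431 affects quantal.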
Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote : Re: Please backport tomcat7 7.0.42 (main) from saucy/debian to precise (and quantal) [and tomcat-native] to fix serious CVE reports

Due to https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1092548 I have changed the goal to 7.0.42.

As before, a "no change backport" was built in https://launchpad.net/~dirk-computer42/+archive/c42-edge-server and is distributed in https://launchpad.net/~dirk-computer42/+archive/c42-backport.

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

summary: - Please backport tomcat7 7.0.40 (main) from saucy/debian to precise (and
+ Please backport tomcat7 7.0.42 (main) from saucy/debian to precise (and
quantal) [and tomcat-native] to fix serious CVE reports
Revision history for this message
Hendy Irawan (ceefour) wrote :

Thanks for proposing the backports, hopefully it'd be accepted.

As of now tomcat7 with APR connector is unusable in Ubuntu 12.10 due to bug #1088687 / #1092548.

Revision history for this message
Hendy Irawan (ceefour) wrote :

Addition to above: bug #1092548

Mathew Hodson (mhodson)
tags: removed: quantal
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu:
status: New → Confirmed
Mathew Hodson (mhodson)
affects: raring-backports → ubuntu
no longer affects: ubuntu
affects: quantal-backports → ubuntu
no longer affects: ubuntu
summary: - Please backport tomcat7 7.0.42 (main) from saucy/debian to precise (and
- quantal) [and tomcat-native] to fix serious CVE reports
+ Please backport tomcat7 7.0.42 (main) from saucy/debian to precise [and
+ tomcat-native] to fix serious CVE reports
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thank you for reporting this bug to Ubuntu.

Ubuntu 12.04 (precise) reached end-of-life on April 28, 2017.

See this document for currently supported Ubuntu releases:
https://wiki.ubuntu.com/Releases

We appreciate that this bug may be old and you might not be interested in discussing it any more. But if you are then please upgrade to the latest Ubuntu version and re-test. If you then find the bug is still present in the newer Ubuntu version, please add a comment here telling us which new version it is in and change the bug status to Confirmed.

Changed in tomcat7 (Ubuntu):
status: Confirmed → Won't Fix
Dan Streetman (ddstreet)
Changed in precise-backports:
status: Confirmed → Won't Fix