Please backport tomcat7 7.0.42 (main) from saucy/debian to precise [and tomcat-native] to fix serious CVE reports

Bug #1073159 reported by H.-Dirk Schmitt on 2012-10-30
This bug affects 15 people
Affects            Status   Importance   Assigned to   Milestone
Precise Backports           Undecided    Unassigned
tomcat7 (Ubuntu)            High         Unassigned

Bug Description

Please backport tomcat7 7.0.30-0ubuntu1 (main) from raring to precise.

Reason for the backport:
========================
Currently tomcat7 on precise is 7.0.26 (see linked CVE)
quantal is providing 7.0.30 (see some of the linked CVE)
raring is providing 7.0.34

In my opinion it would be good to have the most current tomcat7 version also in precise-backports.
The goal should be providing the latest tomcat7 stable release also via backports in the LTS release of Ubuntu.
In addition, the old version is affected by some security issues.

The number of fixes is still impressive :-)
https://tomcat.apache.org/tomcat-7.0-doc/changelog.html

NOTE: In tomcat 7.0.34 the APR library has changed. To satisfy the runtime dependency, tomcat-native should also be backported.

Testing:
========
Mark off items in the checklist [X] as you test them, but please leave the checklist so that backporters can quickly evaluate the state of testing.

You can test-build the backport in your PPA with backportpackage:
$ backportpackage -u ppa:<lp username>/<ppa name> -s raring -d precise tomcat7

--> see ppa:dirk-computer42/c42-backport

* precise:
[X] Package builds without modification
[X] tomcat7-common installs cleanly and runs
[X] libservlet3.0-java installs cleanly and runs
[X] tomcat7-docs installs cleanly and runs
[X] libservlet3.0-java-doc installs cleanly and runs
[X] tomcat7 installs cleanly and runs
[X] libtomcat7-java installs cleanly and runs
[X] tomcat7-user installs cleanly and runs
[X] tomcat7-admin installs cleanly and runs
[X] tomcat7-examples installs cleanly and runs

Reverse dependencies:
=====================
The following reverse-dependencies need to be tested against the new version of tomcat7. For reverse-build-dependencies (-Indep), please test that the package still builds against the new tomcat7. For reverse-dependencies, please test that the version of the package currently in the release still works with the new tomcat7 installed. Reverse-Recommends, Suggests, and Enhances don't need to be tested, and are listed for completeness' sake.

tomcat7-common
--------------

libservlet3.0-java
------------------
* libjtharness-java
  [ ] precise (Reverse-Depends)
* jtharness
  [ ] precise (Reverse-Build-Depends-Indep)

tomcat7-docs
------------

libservlet3.0-java-doc
----------------------

tomcat7
-------

libtomcat7-java
---------------

tomcat7-user
------------

tomcat7-admin
-------------

tomcat7-examples
----------------

Tomcat7 is a Java application with isolated dependencies. So there shouldn't be any real changes needed to adapt the quantal/raring packages to precise.
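The checklist above only records that each binary package "installs cleanly and runs". A check a backporter usually also wants is that every one of the nine binaries actually ended up at the backport version rather than staying at precise's 7.0.26 (a partial upgrade leaves the vulnerable jars in place). The script below is an added example, not part of the bug report or of the tomcat7 packaging; it reads `dpkg-query -W -f='${Package} ${Version}\n'` output and compares each checklist package against the expected version. The sample dpkg-query output is constructed for the example; the 7.0.30-0ubuntu1~precise1~ppa1 version string is the one the backportpackage run in this report produced, while the 7.0.26-0ubuntu1 string is a made-up stand-in for the precise version.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that every tomcat7 binary
# package from the backport checklist is installed at the backport version.
# Usage: dpkg-query -W -f='${Package} ${Version}\n' | check_backport_versions 7.0.30-0ubuntu1~precise1~ppa1

# The nine binary packages listed in the testing checklist.
TOMCAT7_BINARIES="tomcat7-common libservlet3.0-java tomcat7-docs libservlet3.0-java-doc tomcat7 libtomcat7-java tomcat7-user tomcat7-admin tomcat7-examples"

# Constructed sample of dpkg-query output: tomcat7-docs was left at a made-up
# precise version string and tomcat7-examples was never installed.
SAMPLE_DPKG='tomcat7-common 7.0.30-0ubuntu1~precise1~ppa1
libservlet3.0-java 7.0.30-0ubuntu1~precise1~ppa1
tomcat7-docs 7.0.26-0ubuntu1
libservlet3.0-java-doc 7.0.30-0ubuntu1~precise1~ppa1
tomcat7 7.0.30-0ubuntu1~precise1~ppa1
libtomcat7-java 7.0.30-0ubuntu1~precise1~ppa1
tomcat7-user 7.0.30-0ubuntu1~precise1~ppa1
tomcat7-admin 7.0.30-0ubuntu1~precise1~ppa1'

# Read "package version" lines on stdin. Print one line per checklist package
# that is missing or not at version $1. Return 0 if all match, 1 otherwise.
check_backport_versions() {
    expected=$1
    input=$(cat)
    status=0
    for pkg in $TOMCAT7_BINARIES; do
        # First field is the package name; second is the installed version.
        found=$(printf '%s\n' "$input" | awk -v p="$pkg" '$1 == p { print $2; exit }')
        if [ -z "$found" ]; then
            printf '%s: not installed\n' "$pkg"
            status=1
        elif [ "$found" != "$expected" ]; then
            printf '%s: %s installed, expected %s\n' "$pkg" "$found" "$expected"
            status=1
        fi
    done
    return $status
}

# Stand-alone run against the constructed sample; exits 1 and names the two
# packages that did not come from the backport.
printf '%s\n' "$SAMPLE_DPKG" | check_backport_versions '7.0.30-0ubuntu1~precise1~ppa1'
```

The comparison is exact string equality on purpose: anything other than the backport's own version string (older, newer, or from another PPA) is reported, and a missing package is reported separately so a forgotten `apt-get install tomcat7-examples` shows up as well.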

tags: added: precise
Logan Rosen (logan) on 2012-10-30
summary: - tomcat7 7.0.30 (or newer) should be backported to precise
+ Please backport tomcat7 7.0.30-0ubuntu1 (main) from raring
description: updated
affects: tomcat7 (Ubuntu) → precise-backports
tags: removed: precise

Please perform the testing requested in the description and let us know if the reverse dependencies still work/build and the binaries install.

summary: - Please backport tomcat7 7.0.30-0ubuntu1 (main) from raring
+ Please backport tomcat7 7.0.30-0ubuntu1 (main) from quantal

I tried the test scenario above and created a new PPA.
The backport command is failing on a secondary problem:

Successfully signed dsc and changes files
Please check tomcat7 7.0.30-0ubuntu1~precise1~ppa1 in file:///tmp/backportpackage-H8xedr carefully!
Do you want to upload the package to ppa:dirk-computer42/edge [Y|n]? y
Traceback (most recent call last):
  File "/usr/bin/backportpackage", line 322, in <module>
    sys.exit(main(sys.argv))
  File "/usr/bin/backportpackage", line 314, in main
    opts.prompt)
  File "/usr/bin/backportpackage", line 269, in do_backport
    upload, prompt)
  File "/usr/bin/backportpackage", line 233, in do_upload
    check_call(['dput', upload, changes], cwd=workdir)
  File "/usr/bin/backportpackage", line 49, in check_call
    ret = subprocess.call(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/ubuntutools/subprocess.py", line 59, in call
    return Popen(*popenargs, **kwargs).wait()
  File "/usr/lib/python2.7/dist-packages/ubuntutools/subprocess.py", line 44, in __init__
    subprocess.Popen.__init__(self, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 679, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1249, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

backport available in ppa:dirk-computer42/c42-backport
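The traceback above ends in `check_call(['dput', upload, changes])` raising `OSError: [Errno 2] No such file or directory`: the build and signing succeeded, and the failure is the upload step not finding the `dput` executable on PATH. The following preflight check is an added example, not part of the bug report or of ubuntu-dev-tools; it confirms the external tools are present before spending a build on `backportpackage -u`. `dput` is certain from the traceback; `debsign` and `gpg` are assumed here because the run printed "Successfully signed dsc and changes files".

```shell
#!/bin/sh
# Added example (not from the bug report): check that the external tools an
# upload run of backportpackage shells out to are installed before starting.

# Print, one per line, the names from "$@" that are not executable on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Return 0 if every tool needed for "backportpackage -u ppa:..." is present,
# otherwise print the missing ones and return 1. dput is what the traceback
# failed on; debsign and gpg are assumed, based on the signing step's output.
backport_preflight() {
    missing=$(missing_tools backportpackage debsign gpg dput)
    if [ -n "$missing" ]; then
        printf 'backportpackage will fail at upload; missing: %s\n' \
            "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: exit status tells whether the upload step can work.
backport_preflight
```

On precise the missing tool comes from the `dput` package; once it is installed the signed .changes file left in the `/tmp/backportpackage-*` work directory can be uploaded by re-running the command.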

description: updated
tags: added: precise
tags: added: backport
Changed in precise-backports:
status: New → Confirmed

Due to the following security problems the current 7.0.34 should be backported.

* CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter (fixed > 7.0.31, affects quantal and precise)
* CVE-2012-3546 Apache Tomcat Bypass of security constraints (fixed > 7.0.29, affects precise)
* CVE-2012-4534 Apache Tomcat denial of service (fixed > 7.0.28, affects precise)

summary: - Please backport tomcat7 7.0.30-0ubuntu1 (main) from quantal
+ Please backport tomcat7 7.0.34 (main) from raring to precise (and
+ quantal)
tags: added: quantal

A backport is again available in

It works - but the APR has been changed:

> An incompatible version 1.1.22 of the APR based Apache Tomcat Native library is installed, while Tomcat requires version 1.1.24

So tomcat-native should also be backported.

summary: Please backport tomcat7 7.0.34 (main) from raring to precise (and
- quantal)
+ quantal) [and tomcat-native]
description: updated
summary: Please backport tomcat7 7.0.34 (main) from raring to precise (and
- quantal) [and tomcat-native]
+ quantal) [and tomcat-native] to fix serious CVE reports
Changed in quantal-backports:
status: New → Confirmed
Changed in tomcat7 (Ubuntu):
status: New → Confirmed
importance: Undecided → High

As a workaround my backport in ppa:dirk-computer42/c42-backport may be used.

The bug report is some days old now - so I updated the goal to 7.0.40.
See also https://bugs.launchpad.net/ubuntu/precise/+source/tomcat7/+bug/1178645
and for libtomcat7-native https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1092548 .

A "no change backport" from debian [7.0.40-2] to precise was built in https://launchpad.net/~dirk-computer42/+archive/c42-edge-server and is distributed in https://launchpad.net/~dirk-computer42/+archive/c42-backport.

For my installations it works without any known problem.

summary: - Please backport tomcat7 7.0.34 (main) from raring to precise (and
+ Please backport tomcat7 7.0.40 (main) from debian to precise (and
quantal) [and tomcat-native] to fix serious CVE reports
summary: - Please backport tomcat7 7.0.40 (main) from debian to precise (and
+ Please backport tomcat7 7.0.40 (main) from saucy/debian to precise (and
quantal) [and tomcat-native] to fix serious CVE reports

Due to https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1092548 I have changed the goal to 7.0.42.

As before, a "no change backport" was built in https://launchpad.net/~dirk-computer42/+archive/c42-edge-server and is distributed in https://launchpad.net/~dirk-computer42/+archive/c42-backport.

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

summary: - Please backport tomcat7 7.0.40 (main) from saucy/debian to precise (and
+ Please backport tomcat7 7.0.42 (main) from saucy/debian to precise (and
quantal) [and tomcat-native] to fix serious CVE reports
Hendy Irawan (ceefour) wrote :

Thanks for proposing the backports, hopefully it'd be accepted.

As of now tomcat7 with APR connector is unusable in Ubuntu 12.10 due to bug #1088687 / #1092548.

Hendy Irawan (ceefour) wrote :

Addition to above: bug #1092548

Mathew Hodson (mhodson) on 2018-06-30
tags: removed: quantal
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Mathew Hodson (mhodson) on 2018-06-30
affects: raring-backports → ubuntu
Changed in ubuntu:
status: New → Confirmed
Mathew Hodson (mhodson) on 2018-06-30
no longer affects: ubuntu
affects: quantal-backports → ubuntu
no longer affects: ubuntu
summary: - Please backport tomcat7 7.0.42 (main) from saucy/debian to precise (and
- quantal) [and tomcat-native] to fix serious CVE reports
+ Please backport tomcat7 7.0.42 (main) from saucy/debian to precise [and
+ tomcat-native] to fix serious CVE reports
Andreas Hasenack (ahasenack) wrote :

Thank you for reporting this bug to Ubuntu.

Ubuntu 12.04 (precise) reached end-of-life on April 28, 2017.

See this document for currently supported Ubuntu releases:
https://wiki.ubuntu.com/Releases

We appreciate that this bug may be old and you might not be interested in discussing it any more. But if you are then please upgrade to the latest Ubuntu version and re-test. If you then find the bug is still present in the newer Ubuntu version, please add a comment here telling us which new version it is in and change the bug status to Confirmed.

Changed in tomcat7 (Ubuntu):
status: Confirmed → Won't Fix