CVE-2015-5345 patch issue on tomcat7

Bug #1609819 reported by Stephen Lynch on 2016-08-04
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tomcat7 (Ubuntu)
Marc Deslauriers

Bug Description

7.0.52-1ubuntu0.6 contains the patch for CVE-2015-5345. It adds mapperContextRootRedirectEnabled as a workaround to prevent breaking the current functionality. This fix cannot be used with the current Ubuntu patches as it is missing the change to in revision (bz

Without it, the values specified in context.xml are not passed down to the on startup.

Setting mapperContextRootRedirectEnabled="true" in /etc/tomcat7/context.xml has no effect. Making the same change with 7.0.70 from works perfectly.
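A quick way to confirm whether the context-root redirect is actually in effect after the update, as an added example rather than anything from the bug report: with mapperContextRootRedirectEnabled taking effect, a request for a context path without the trailing slash answers with a 3xx whose Location is the same path plus "/"; any other response means the option is not in effect for that request, which is the symptom reported above. Host, port and context path are supplied by the caller, and curl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not code from the bug report or from Tomcat):
# classify Tomcat's answer to a context path requested without a
# trailing slash, to verify the CVE-2015-5345 context-root redirect.

# classify_response STATUS LOCATION EXPECTED_PATH
# Prints one of:
#   redirect-to-root   3xx pointing at EXPECTED_PATH (option in effect)
#   redirect-elsewhere 3xx pointing somewhere else (e.g. a login page)
#   no-redirect        any non-3xx status (option not in effect)
classify_response() {
    status=$1
    location=$2
    expected=$3
    case "$status" in
        301|302|303|307|308)
            # Drop scheme://host[:port] so only the path is compared.
            loc_path=$(printf '%s' "$location" | sed -E 's#^[a-zA-Z]+://[^/]+##')
            if [ "$loc_path" = "$expected" ]; then
                echo redirect-to-root
            else
                echo redirect-elsewhere
            fi
            ;;
        *)
            echo no-redirect
            ;;
    esac
}

# check_context_root_redirect HOST PORT CONTEXT
# e.g. check_context_root_redirect localhost 8080 /examples
check_context_root_redirect() {
    host=$1
    port=$2
    ctx=$3
    # curl prints "<status> <redirect URL or empty>" on one line.
    out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "http://$host:$port$ctx")
    status=${out%% *}
    location=${out#* }
    classify_response "$status" "$location" "$ctx/"
}
```

Run check_context_root_redirect against the tomcat7 instance before and after changing /etc/tomcat7/context.xml; if the verdict stays at no-redirect after a restart, the setting is not reaching the Mapper.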

CVE References

Robie Basak (racb) on 2016-08-10
information type: Public → Public Security
Changed in tomcat7 (Ubuntu Trusty):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tomcat7 (Ubuntu):
status: New → Invalid
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package tomcat7 - 7.0.52-1ubuntu0.7

tomcat7 (7.0.52-1ubuntu0.7) trusty-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat7.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY REGRESSION: change in behaviour after security update
    (LP: #1609819)
    - debian/patches/CVE-2015-5345-2.patch: fix using the new
      mapperContextRootRedirectEnabled option in
      java/org/apache/catalina/connector/, change
      mapperContextRootRedirectEnabled default to true in
      webapps/docs/config/context.xml. This reverts the change in behaviour
      following the CVE-2015-5345 security update and was also done
      upstream in later releases.

 -- Marc Deslauriers <email address hidden> Fri, 16 Sep 2016 09:19:37 -0400

Changed in tomcat7 (Ubuntu Trusty):
status: Confirmed → Fix Released
Mathew Hodson (mhodson) on 2016-09-20
Changed in tomcat7 (Ubuntu):
status: Invalid → Fix Released
importance: Undecided → Medium
Changed in tomcat7 (Ubuntu Trusty):
importance: Undecided → Medium