Sync tomcat8 8.0.36-3 (main) from Debian unstable (main)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tomcat8 (Ubuntu) | Fix Released | Wishlist | Unassigned |
Bug Description
Please sync tomcat8 8.0.36-3 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
* SECURITY UPDATE: privilege escalation via insecure init script
- debian/
catalina.out file.
- CVE-2016-1240
Fixed in Debian
Changelog entries since current yakkety version 8.0.36-2ubuntu1:
tomcat8 (8.0.36-3) unstable; urgency=high
* Team upload.
* Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
attackers who have gained access to the server in the context of the
tomcat user through a vulnerability in a web application to replace
the catalina.out file with a symlink to an arbitrary file on the system,
potentially leading to a root privilege escalation.
Thanks to Dawid Golunski for the report.
* Removed the default 128M heap limit (LP: #568823)
* Depend on taglibs-standard instead of jakarta-
-- Emmanuel Bourg <email address hidden> Wed, 14 Sep 2016 10:20:28 +0200
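A defender-side check for the condition the changelog entry above describes (catalina.out replaced with a symlink), as an added example that is not part of the bug report or of the Debian fix. The function names `classify_log_file` and `audit_log_dir` and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit log files that a root-run init script may touch.
# All paths below are constructed samples, not taken from the tomcat8 package.

# Print a verdict for one path:
#   symlink -> <target>   the name is a symbolic link (the CVE-2016-1240 condition)
#   regular               plain file
#   missing               nothing exists at that path
#   other                 directory, device, FIFO, ...
classify_log_file() {
    path=$1
    if [ -L "$path" ]; then              # -L inspects the link itself, even if dangling
        printf 'symlink -> %s\n' "$(readlink "$path")"
    elif [ ! -e "$path" ]; then
        printf 'missing\n'
    elif [ -f "$path" ]; then
        printf 'regular\n'
    else
        printf 'other\n'
    fi
}

# Scan every entry of a log directory, report symlinks,
# and return 1 if at least one entry is a symlink.
audit_log_dir() {
    dir=$1
    status=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # skip unmatched globs
        verdict=$(classify_log_file "$entry")
        case $verdict in
            symlink*) printf '%s: %s\n' "$entry" "$verdict"; status=1 ;;
        esac
    done
    return $status
}

# Demo on a constructed directory layout.
demo=$(mktemp -d)
: > "$demo/localhost.log"
ln -s /nonexistent/constructed-target "$demo/catalina.out"
audit_log_dir "$demo" || echo "symlinked log entry found: do not chown or write it as root"
rm -rf "$demo"
```

Run it as a user who can read the log directory; a non-zero return from `audit_log_dir` means an entry should be inspected before any privileged script touches it.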
Changed in tomcat8 (Ubuntu):
importance: Undecided → Wishlist
Changed in tomcat8 (Ubuntu):
status: Incomplete → Fix Released
Hi Locutus,
thanks for the report, but this would include this change:
"Depend on taglibs-standard instead of jakarta-taglibs-standard"
That is: 8.0.36/ debian/ control 2016-09-14 09:48:48.000000000 +0200 8.0.36/ debian/ control 2016-08-02 10:50:42.000000000 +0200
libeasymock- java (>= 3.0),
libecj- java (>= 3.11.0),
libhamcrest- java (>= 1.3), standard- spec-java, standard- impl-java, taglibs- standard- java,
libobjenesis- java,
lsb-release,
maven- repo-helper
--- tomcat8-
+++ old/tomcat8-
@@ -17,8 +17,8 @@
- libtaglibs-
- libtaglibs-
+ libjakarta-
+ libjstl1.1-java,
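Review bot: the file headers read `--- tomcat8-` and `+++ old/tomcat8-`, so this diff runs from the new tree to the old one, and in this hunk the `-` lines (the two libtaglibs- entries) are what the sync would add while the `+` lines (libjakarta-, libjstl1.1-java) are what the current package carries. Regenerating the diff old-to-new would keep a reader from taking the libtaglibs- lines as removals.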
@@ -124,8 +124,8 @@
Package: tomcat8-examples standard- spec-java, standard- impl-java, taglibs- standard- java,
tomcat8- common (>= ${source:Version}),
${misc: Depends}
Architecture: all
-Depends: libtaglibs-
- libtaglibs-
+Depends: libjakarta-
+ libjstl1.1-java,
Description: Apache Tomcat 8 - Servlet and JSP engine -- example web applications
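Review bot: the Depends field of tomcat8-examples is the line that blocks a plain sync, since it changes the runtime dependencies from libjakarta- and libjstl1.1-java to the libtaglibs- packages. Check the archive component of each newly named package before accepting this hunk; if they are not yet available where tomcat8 is published, carry the `+` side of this hunk as the Ubuntu delta and take the rest of the upload.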
But the former are in main and the new ones only in universe so far:
https://launchpad.net/ubuntu/+source/jakarta-taglibs-standard
https://launchpad.net/ubuntu/+source/taglibs-standard/
I think that kills the current sync request.
Has to be made as delta I think.