Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities



by Nihil-2



On Thu, 2008-01-03 at 22:54 +0100, Moritz Muehlenhoff wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-1447-1                  security@...
> http://www.debian.org/security/                       Moritz Muehlenhoff
> January 03, 2008                      http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package        : tomcat5.5
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 CVE-2007-5342 CVE-2007-5461
>


Installing the update breaks webapps

with the following error:
org.apache.commons.logging.LogConfigurationException: java.security.AccessControlException: access denied (java.io.FilePermission /home/nihil/www/java/WEB-INF/classes/logging.properties read) (Caused by java.security.AccessControlException: access denied (java.io.FilePermission /home/nihil/www/java/WEB-INF/classes/logging.properties read))
(It worked before the update, and permissions are set correctly; I double checked.)

This is also the case for the tomcat5.5-webapps package, which doesn't work anymore.

Best regards, Michael



--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities

by Florian Weimer


> Installing the update breaks webapps
>
> with the following error:
> org.apache.commons.logging.LogConfigurationException: java.security.AccessControlException: access denied (java.io.FilePermission /home/nihil/www/java/WEB-INF/classes/logging.properties read) (Caused by java.security.AccessControlException: access denied (java.io.FilePermission /home/nihil/www/java/WEB-INF/classes/logging.properties read))
> (It worked before the update, and permissions are set correctly; I double checked.)

This is odd.  Does it work again if you downgrade to the version before
the security update?




Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities

by Bernd Eckenfels


In article <1199525586.8906.7.camel@localhost> you wrote:
> (java.io.FilePermission
> /home/nihil/www/java/WEB-INF/classes/logging.properties read)

> (it worked before the update and permission are set correctly, i double checked)

This is a Java security policy violation, not related to OS file
permissions. Maybe you started it with a security policy now and did not before?

Regards,
Bernd




Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities

by Nihil-2



On Sun, 2008-01-06 at 20:14 +0100, Bernd Eckenfels wrote:

> In article <1199525586.8906.7.camel@localhost> you wrote:
> > (java.io.FilePermission
> > /home/nihil/www/java/WEB-INF/classes/logging.properties read)
>
> > (it worked before the update and permission are set correctly, i double checked)
>
> This is a Java security policy violation, not related to OS file
> permissions. Maybe you started it with a security policy now and did not before?
>
> Regards,
> Bernd
>
>
No, the init.d script always starts with the security manager enabled, and I am
sure, because I had to write a Java policy for access to e.g. my database.





Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities

by Nihil-2



On Sun, 2008-01-06 at 19:54 +0100, Florian Weimer wrote:

> > Installing the update breaks webapps
> >
> > with the following error:
> > org.apache.commons.logging.LogConfigurationException: java.security.AccessControlException: access denied (java.io.FilePermission /home/nihil/www/java/WEB-INF/classes/logging.properties read) (Caused by java.security.AccessControlException: access denied (java.io.FilePermission /home/nihil/www/java/WEB-INF/classes/logging.properties read))
> > (It worked before the update, and permissions are set correctly; I double checked.)
>
> This is odd.  Does it work again if you downgrade to the version before
> the security update?
>
>
Yeah, it works if I downgrade. The error also occurs if I use the
tomcat5.5-webapps package (the new one).

I provide the catalina output at this link:

http://michael.nanihil.com/tomcatlog.txt




Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities

by Livo


After upgrading to 5.5.25, I also got:
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission ...webapps/.../WEB-INF/classes/logging.properties read)

I found that it was because the file didn't exist (5.5.20 worked without it).

Hope this helps you solve the problem.


PS: I tried creating an empty logging.properties file (not knowing if this would break logging). It got me further, but I don't think it is the right thing to do.

Re: [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities

by Christian d'Heureuse


> AccessControlException: access denied ... logging.properties read

This is a consequence of the patch of /etc/tomcat5.5/policy.d/03catalina.policy
for CVE-2007-5342 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342).

One possible solution is to undo the patch by adding "permission
java.security.AllPermission;" to the permissions of "tomcat-juli.jar"
in 03catalina.policy.




Re: [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities

by Moritz Mühlenhoff


<chdh@...> wrote:
>> AccessControlException: access denied ... logging.properties read
>
> This is a consequence of the patch of /etc/tomcat5.5/policy.d/
> 03catalina.policy for CVE-2007-5342 (http://cve.mitre.org/cgi-bin/
> cvename.cgi?name=CVE-2007-5342).

Indeed. The tomcat5.5-webapps package hasn't been adapted, since
it's for examples and documentation and not for production use.
There were also some other security problems found in these example
apps, which weren't addressed either.

Cheers,
        Moritz




Re: [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities

by Nihil-2


On Sun, 2008-01-13 at 13:10 -0800, chdh wrote:

> > AccessControlException: access denied ... logging.properties read
>
> This is a consequence of the patch of /etc/tomcat5.5/policy.d/
> 03catalina.policy for CVE-2007-5342 (http://cve.mitre.org/cgi-bin/
> cvename.cgi?name=CVE-2007-5342).
>
> One possible solution is to undo the patch by adding "permission
> java.security.AllPermission;" to the permissions of "tomcat-juli.jar"
> in 03catalina.policy.
>
>
Well, reverting the security update isn't the way I want to go. Is there
either a way to go without the logging at all, or a way to specify logging
without granting all permissions?


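A narrower alternative to the "permission java.security.AllPermission;" grant proposed for tomcat-juli.jar earlier in this thread, and one answer to the question just above about logging without granting everything, added here as an example; it is not from the thread, from the Debian package or from the CVE-2007-5342 patch. It grants tomcat-juli.jar read access to just the one file named in the AccessControlException. The codeBase path ${catalina.home}/bin/tomcat-juli.jar is an assumption; compare it with the existing grant block in your installed 03catalina.policy, and substitute your own webapp's path for the one taken from the error message.

```text
// Added example, not part of the thread or the Debian package.
// Least-privilege alternative to AllPermission for tomcat-juli.jar:
// append to /etc/tomcat5.5/policy.d/03catalina.policy and restart Tomcat
// so the policy.d files are re-read.
// Assumption: tomcat-juli.jar is at ${catalina.home}/bin/tomcat-juli.jar.
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    // Only the file named in the AccessControlException, read-only.
    // Path copied from the error message in this thread; use your webapp's.
    permission java.io.FilePermission
        "/home/nihil/www/java/WEB-INF/classes/logging.properties", "read";
};
```

Grant entries for the same codeBase are cumulative, so this block can sit beside the existing one rather than replacing it; the permissions that the patched policy already gives tomcat-juli.jar stay untouched, and only this one read is added. If you host several webapps, add one such line per logging.properties. The recursive wildcard "-" is only accepted as the last path component of a FilePermission target, so a catch-all such as "${catalina.base}/webapps/-" would expose every file under webapps to the logging code; per-file grants are the narrowest form, and each one shows up as a deliberate, reviewable exception in the policy rather than a silent return to AllPermission.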