tomcat9 (9.0.16-4) unstable; urgency=medium
* Team upload.
[ Emmanuel Bourg ]
* Fixed CVE-2019-0221: The SSI printenv command echoes user provided data
without escaping and is, therefore, vulnerable to XSS. SSI is disabled
by default (Closes: #929895)
[ Thorsten Glaser ]
* Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
a suitable GC automatically anyway (Closes: #925928)
* Correct the ownership and permissions on the log directory:
group adm and setgid (Closes: #925929)
* Make the startup script honour the (renamed) $SECURITY_MANAGER
* debian/libexec/tomcat-locate-java.sh: Remove shebang and make
not executable as this is only ever sourced (makes no sense otherwise)
[ Christian Hänsel ]
* Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319)
-- Emmanuel Bourg <ebourg@apache.org> Thu, 13 Jun 2019 23:26:12 +0200
tomcat9 (9.0.16-3) unstable; urgency=medium
* Removed read/write access to /var/lib/solr (Closes: #923299)
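Review bot: the entry "Make the startup script honour the (renamed) $SECURITY_MANAGER" does not name the variable it replaces; since the defaults file is conffile territory and an existing `TOMCAT_SECURITY=yes` stops having any effect after this upload, state the old name here and consider a debian/NEWS entry so administrators notice that the security manager is no longer enabled on their instance.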
......
......@@ -3,9 +3,10 @@
# OpenJDK and the Oracle JDK are tried.
#JAVA_HOME=/usr/lib/jvm/java-8-openjdk
# You may pass JVM startup parameters to Java here. If unset, the default
# options will be: -Djava.awt.headless=true -XX:+UseG1GC
JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
# You may pass JVM startup parameters to Java here. If you run Tomcat with
# Java 8 instead of 9 or newer, add "-XX:+UseG1GC" to select a suitable GC.
# If unset, the default options will be: -Djava.awt.headless=true
JAVA_OPTS="-Djava.awt.headless=true"
# To enable remote debugging uncomment the following line.
# You will then be able to use a Java debugger on port 8000.
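Review bot: the promise on the new comment line ("If unset, the default options will be: -Djava.awt.headless=true") is duplicated by the hard-coded fallback `JAVA_OPTS="-Djava.awt.headless=true"` in the `if [ -z "$JAVA_OPTS" ]` block elsewhere in this commit, so the two strings now have to be kept in sync by hand; either generate the comment from the fallback at build time or add a cross-reference comment in both places. The Java 8 remark is accurate: G1 is only the default collector from Java 9 on, so the advice to add -XX:+UseG1GC applies to Java 8 alone, matching the rationale given in the changelog.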
......
#!/bin/sh
#
# Script looking for a Java runtime suitable for running Tomcat
#
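Review bot: with the shebang removed and the file only ever sourced, its body now runs under the caller's `set -e`, so any probe in it that returns non-zero (a missing candidate directory, a failed `test`) aborts service startup silently unless it is written as `cmd || true`; it must also never call `exit`, which would terminate the sourcing init script rather than the helper. A one-line comment at the top saying "sourced by the tomcat9 startup scripts, do not execute" would make the missing shebang look intentional to the next reader.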
......
......@@ -5,6 +5,9 @@
set -e
# Load the service settings
. /etc/default/tomcat9
# Find the Java runtime and set JAVA_HOME
. /usr/libexec/tomcat9/tomcat-locate-java.sh
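Review bot: because the locator is sourced after /etc/default/tomcat9, it must leave a JAVA_HOME the administrator set there untouched (the defaults file documents `#JAVA_HOME=/usr/lib/jvm/java-8-openjdk` for exactly that purpose) and only search when JAVA_HOME is empty; if it assigns unconditionally, the configured runtime is silently replaced by whichever JDK it finds first. A guard such as `[ -n "$JAVA_HOME" ] || . /usr/libexec/tomcat9/tomcat-locate-java.sh` makes that contract explicit at the call site.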
......@@ -15,7 +18,7 @@ export JAVA_OPTS
# Enable the Java security manager?
SECURITY=""
[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"
[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"
# Start Tomcat
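Review bot: replacing `[ "$TOMCAT_SECURITY" = "yes" ]` with `[ "$SECURITY_MANAGER" = "true" ]` changes both the variable name and the accepted value, so any existing /etc/default/tomcat9 that enables the security manager stops doing so after the upgrade with no warning, a regression in the instance's sandboxing. Keep the old spelling as a deprecated alias for at least one release, e.g. `[ "$TOMCAT_SECURITY" = "yes" ] && { echo "TOMCAT_SECURITY is deprecated, use SECURITY_MANAGER=true" >&2; SECURITY="-security"; }`, and document the new name in the defaults file.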
......
Description: Fixes CVE-2019-0221: The SSI printenv command echoes user provided
data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by
default.
Origin: upstream, https://github.com/apache/tomcat/commit/15fcd16
--- a/java/org/apache/catalina/ssi/SSIPrintenv.java
+++ b/java/org/apache/catalina/ssi/SSIPrintenv.java
@@ -41,8 +41,7 @@
} else {
Collection<String> variableNames = ssiMediator.getVariableNames();
for (String variableName : variableNames) {
- String variableValue = ssiMediator
- .getVariableValue(variableName);
+ String variableValue = ssiMediator.getVariableValue(variableName, "entity");
//This shouldn't happen, since all the variable names must
// have values
if (variableValue == null) {
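Review bot: the fix depends on the two-argument overload `getVariableValue(variableName, "entity")` being present in the 9.0.16 tree; the hunk shows only the call site, so confirm the backport compiles and that "entity" is the encoding that HTML-escapes the value (the upstream commit named in Origin is the reference). Whatever is written for `variableName` itself in the lines after this hunk needs the same treatment, otherwise the name side of each printenv line stays unescaped. The DEP-3 header would also benefit from a `Bug-Debian: https://bugs.debian.org/929895` line to tie the patch to the bug the changelog closes.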
......@@ -11,3 +11,4 @@
0024-systemd-log-formatter.patch
0025-invalid-configuration-exit-status.patch
0026-easymock4-compatibility.patch
CVE-2019-0221.patch
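Review bot: the new entry breaks the `00NN-` numbering used by every other patch in the series; a name such as `0027-CVE-2019-0221.patch` keeps the apply order visible in the filename and avoids ambiguity when a second CVE patch for the same issue is added later. Placing it last is otherwise fine as long as none of the earlier patches touch SSIPrintenv.java.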
......@@ -8,5 +8,5 @@ CATALINA_HOME=/usr/share/tomcat9
# Default Java options
if [ -z "$JAVA_OPTS" ]; then
JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
JAVA_OPTS="-Djava.awt.headless=true"
fi
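Review bot: the fallback still fires only when JAVA_OPTS is unset or empty, so an administrator who sets any JAVA_OPTS in /etc/default/tomcat9 silently loses `-Djava.awt.headless=true`; if headless is meant to be unconditional for a server package, append it rather than replace (`JAVA_OPTS="-Djava.awt.headless=true $JAVA_OPTS"`). Whichever is chosen, this literal is the one the defaults-file comment advertises as the default, so the two must not drift apart.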
......@@ -63,8 +63,10 @@ case "$1" in
chmod 775 /var/lib/tomcat9/webapps
# Grant read/write access to tomcat to the log and cache directories
chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/log/tomcat9/ /var/cache/tomcat9/
chmod 750 /var/log/tomcat9/ /var/cache/tomcat9/
chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/
chmod 2750 /var/log/tomcat9/
chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/
chmod 750 /var/cache/tomcat9/
;;
esac
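Review bot: `chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/` recurses through a tree the service user can write to on every configure run; `-h` stops symlinks from being followed for the chown itself but does not stop a race if Tomcat is running while postinst executes, so either stop the service for this step or restrict the chown to the directory and let the new setgid bit give fresh log files the adm group. Note also that `chmod 2750` only affects the directory: members of adm can read a log file only if it was created group-readable, which depends on the JVM's umask, not on this change.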
......
......@@ -14,7 +14,6 @@ Environment="CATALINA_HOME=/usr/share/tomcat9"
Environment="CATALINA_BASE=/var/lib/tomcat9"
Environment="CATALINA_TMPDIR=/tmp"
Environment="JAVA_OPTS=-Djava.awt.headless=true"
EnvironmentFile=-/etc/default/tomcat9
# Lifecycle
Type=simple
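Review bot: with `Environment="JAVA_OPTS=-Djava.awt.headless=true"` gone, the unit relies entirely on `EnvironmentFile=-/etc/default/tomcat9`, and the leading `-` makes that file optional; if it is absent or JAVA_OPTS is commented out there, the headless flag is only restored when ExecStart goes through the script containing the `if [ -z "$JAVA_OPTS" ]` fallback. Confirm that ExecStart does, or keep a last-resort default in the unit.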
......@@ -32,13 +31,13 @@ Group=tomcat
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
LogsDirectory=tomcat9
LogsDirectoryMode=750
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
RequiresMountsFor=/var/log/tomcat9
[Install]
WantedBy=multi-user.target
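Review bot: `LogsDirectory=tomcat9` with `LogsDirectoryMode=750` cannot coexist with the 2750 tomcat:adm directory the postinst and the tmpfiles.d fragment create, since systemd would manage the directory with a different group and no setgid bit; the extraction has dropped the diff markers, so make sure those two lines are the ones removed and that `ReadWritePaths=/var/log/tomcat9/` (required under `ProtectSystem=strict` once systemd no longer owns the directory) and `RequiresMountsFor=/var/log/tomcat9` are the ones added. A comment pointing at tmpfiles.d as the new owner of the log directory would prevent a future maintainer from reintroducing LogsDirectory=.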
# Tomcat log directory permissions
# See tmpfiles.d(5) for details
# Type Path Mode UID GID Age Argument
d /var/log/tomcat9 2750 tomcat adm -
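Review bot: the `d` line makes systemd-tmpfiles the authoritative place for the log directory's ownership and mode, so the postinst chown/chmod on the same directory now duplicates it; call `systemd-tmpfiles --create` for this fragment from postinst (dh_installtmpfiles does that) and drop the manual directory fix-up, keeping one source of truth. The `-` age is correct here, as log rotation, not tmpfiles cleanup, should expire the contents.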