mirabilos · Emmanuel Bourg · mirabilos · Emmanuel Bourg · mirabilos · Emmanuel Bourg
--- a/debian/changelog
+++ b/debian/changelog
+tomcat9 (9.0.16-4) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Emmanuel Bourg ]
+  * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data
+    without escaping and is, therefore, vulnerable to XSS. SSI is disabled
+    by default (Closes: #929895)
+
+  [ Thorsten Glaser ]
+  * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
+    a suitable GC automatically anyway (Closes: #925928)
+  * Correct the ownership and permissions on the log directory:
+    group adm and setgid (Closes: #925929)
+  * Make the startup script honour the (renamed) $SECURITY_MANAGER
+  * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
+    not executable as this is only ever sourced (makes no sense otherwise)
+
+  [ Christian Hänsel ]
+  * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319)
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Thu, 13 Jun 2019 23:26:12 +0200
+
 tomcat9 (9.0.16-3) unstable; urgency=medium

  * Removed read/write access to /var/lib/solr (Closes: #923299)

--- a/debian/default.template
+++ b/debian/default.template
@@ -3,9 +3,10 @@
 # OpenJDK and the Oracle JDK are tried.
 #JAVA_HOME=/usr/lib/jvm/java-8-openjdk

-# You may pass JVM startup parameters to Java here. If unset, the default
-# options will be: -Djava.awt.headless=true -XX:+UseG1GC
-JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+# You may pass JVM startup parameters to Java here. If you run Tomcat with
+# Java 8 instead of 9 or newer, add "-XX:+UseG1GC" to select a suitable GC.
+# If unset, the default options will be: -Djava.awt.headless=true
+JAVA_OPTS="-Djava.awt.headless=true"

 # To enable remote debugging uncomment the following line.
 # You will then be able to use a Java debugger on port 8000.

--- a/debian/libexec/tomcat-locate-java.sh
+++ b/debian/libexec/tomcat-locate-java.sh
-#!/bin/sh
 #
 # Script looking for a Java runtime suitable for running Tomcat
 #

--- a/debian/libexec/tomcat-start.sh
+++ b/debian/libexec/tomcat-start.sh
@@ -5,6 +5,9 @@

 set -e

+# Load the service settings
+. /etc/default/tomcat9
+
 # Find the Java runtime and set JAVA_HOME
 . /usr/libexec/tomcat9/tomcat-locate-java.sh

@@ -15,7 +18,7 @@ export JAVA_OPTS

 # Enable the Java security manager?
 SECURITY=""
-[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"
+[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"


 # Start Tomcat

--- a/debian/patches/CVE-2019-0221.patch
+++ b/debian/patches/CVE-2019-0221.patch
+Description: Fixes CVE-2019-0221: The SSI printenv command echoes user provided
+ data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by
+ default.
+Origin: upstream, https://github.com/apache/tomcat/commit/15fcd16
+--- a/java/org/apache/catalina/ssi/SSIPrintenv.java
+++ b/java/org/apache/catalina/ssi/SSIPrintenv.java
+@@ -41,8 +41,7 @@
+         } else {
+             Collection<String> variableNames = ssiMediator.getVariableNames();
+             for (String variableName : variableNames) {
+-                String variableValue = ssiMediator
+-                        .getVariableValue(variableName);
+                String variableValue = ssiMediator.getVariableValue(variableName, "entity");
+                 //This shouldn't happen, since all the variable names must
+                 // have values
+                 if (variableValue == null) {
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@
 0024-systemd-log-formatter.patch
 0025-invalid-configuration-exit-status.patch
 0026-easymock4-compatibility.patch
+CVE-2019-0221.patch
--- a/debian/setenv.sh
+++ b/debian/setenv.sh
@@ -8,5 +8,5 @@ CATALINA_HOME=/usr/share/tomcat9

 # Default Java options
 if [ -z "$JAVA_OPTS" ]; then
-	JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
+	JAVA_OPTS="-Djava.awt.headless=true"
 fi
--- a/debian/tomcat9.postinst
+++ b/debian/tomcat9.postinst
@@ -63,8 +63,10 @@ case "$1" in
 	chmod 775 /var/lib/tomcat9/webapps

 	# Grant read/write access to tomcat to the log and cache directories
-	chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/log/tomcat9/ /var/cache/tomcat9/
-	chmod 750 /var/log/tomcat9/ /var/cache/tomcat9/
+	chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/
+	chmod 2750 /var/log/tomcat9/
+	chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/
+	chmod 750 /var/cache/tomcat9/
    ;;
 esac


--- a/debian/tomcat9.service
+++ b/debian/tomcat9.service
@@ -14,7 +14,6 @@ Environment="CATALINA_HOME=/usr/share/tomcat9"
 Environment="CATALINA_BASE=/var/lib/tomcat9"
 Environment="CATALINA_TMPDIR=/tmp"
 Environment="JAVA_OPTS=-Djava.awt.headless=true"
-EnvironmentFile=-/etc/default/tomcat9

 # Lifecycle
 Type=simple
@@ -32,13 +31,13 @@ Group=tomcat
 PrivateTmp=yes
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
-LogsDirectory=tomcat9
-LogsDirectoryMode=750
 CacheDirectory=tomcat9
 CacheDirectoryMode=750
 ProtectSystem=strict
 ReadWritePaths=/etc/tomcat9/Catalina/
 ReadWritePaths=/var/lib/tomcat9/webapps/
+ReadWritePaths=/var/log/tomcat9/
+RequiresMountsFor=/var/log/tomcat9

 [Install]
 WantedBy=multi-user.target
--- a/debian/tomcat9.tmpfile
+++ b/debian/tomcat9.tmpfile
+# Tomcat log directory permissions
+
+# See tmpfiles.d(5) for details
+
+# Type Path        Mode UID    GID  Age Argument
+d /var/log/tomcat9 2750 tomcat adm  -