[tomcat7] 02/02: Fixed CVE-2016-9775: Privilege escalation when the package is purged

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Mon Dec 5 09:23:16 UTC 2016


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat7.

commit 999a0c5998b4bbf4f3e64772d2a30b3765a681eb
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Mon Dec 5 10:18:30 2016 +0100

    Fixed CVE-2016-9775: Privilege escalation when the package is purged
---
 debian/changelog         | 2 ++
 debian/tomcat7.postrm.in | 3 ---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 3f55ca0..4530d0b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ tomcat7 (7.0.56-3+deb8u6) UNRELEASED; urgency=medium
 
   * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat7
     package is upgraded. Thanks to Paul Szabo for the report (see #845393)
+  * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat7
+    package is purged. Thanks to Paul Szabo for the report (see #845385)
   * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
     with recent JREs
   * Refreshed the expired SSL certificates used by the tests
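Review bot: The new CVE-2016-9775 entry names the issue but not the behaviour change, so an administrator reading the changelog cannot tell that purging no longer resets ownership under /etc/tomcat7. Consider extending the entry with a short clause saying that the recursive chown in the postrm script was removed. The wording also differs from the commit subject ("Potential privilege escalation" here, "Privilege escalation" there); pick one so the changelog and the git history agree.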
diff --git a/debian/tomcat7.postrm.in b/debian/tomcat7.postrm.in
index 293ffde..1f8f1ee 100644
--- a/debian/tomcat7.postrm.in
+++ b/debian/tomcat7.postrm.in
@@ -59,9 +59,6 @@ case "$1" in
           /etc/tomcat7/Catalina/localhost /etc/tomcat7/Catalina /etc/tomcat7
         # clean up /etc/authbind after conffiles have been removed
         rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind
-        # Put all files owned by group tomcat7 back into root group before deleting
-        # the tomcat7 user and group
-        chown -Rhf root:root /etc/tomcat7/ || true
         # Remove user/group and log files (don't remove everything under
         # /var/lib/tomcat7 because there might be user-installed webapps)
         db_get tomcat7/username && TOMCAT7_USER="$RET" || TOMCAT7_USER="tomcat7"
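Review bot: The removal of `chown -Rhf root:root /etc/tomcat7/ || true` leaves no trace in the script of why ownership is deliberately left alone before the user and group are deleted, which makes it easy for a later cleanup to reintroduce a recursive chown run as root over a tree that held files owned by group tomcat7. A one-line comment at this spot referencing CVE-2016-9775 would prevent that. Separately, the `rmdir --ignore-fail-on-non-empty` calls kept above mean /etc/tomcat7 can survive the purge when it is not empty, and anything left there now keeps the numeric group id of the deleted tomcat7 group; it would be worth stating in the comment or in the changelog whether that is the intended outcome, since the id could later be assigned to an unrelated account.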

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git


