Bug#840685: tomcat8: DSA-3670 incomplete
paul.szabo at sydney.edu.au
Thu Oct 13 21:42:11 UTC 2016
Dear Markus,

>> [ I contacted team at security.debian.org about this, but no response ... ]
> ... Please send them to the security team
> first and not to a public mailing list.

I did. They did not reply within what seemed a reasonable timeframe.

>> Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so...
> No, we did not modify this part in /etc/init.d/tomcat8. ...

Whoops, sorry, you are right. Now checking, I do not see how I got
confused. This is a separate, maybe new issue.

> ... more information and a working proof
> of concept code are appreciated. ...

Maybe the security team will understand (recognize, accept) the issue
without a PoC. If they reply with such a need, then I will write one.
You or they might accept the suggested patch/fix: mkdir without -p,
chown with -h.

Cheers, Paul
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
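
What the two suggested changes (mkdir without -p, chown with -h) alter in practice, as an added shell example that is not part of the original message or of the Debian package. The function names, the temporary paths and the shape of the loose variant are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: all paths and function names here are constructed.

# Strict variant, following the suggestion in the message:
# mkdir without -p, then chown with -h.
make_owned_dir() {
    dir=$1; owner=$2
    # Without -p, mkdir fails if anything (directory, file or symlink)
    # already exists at $dir, so a pre-existing entry is never reused.
    mkdir -- "$dir" 2>/dev/null || return 1
    # -h changes the named entry itself and does not follow a symlink.
    chown -h -- "$owner" "$dir"
}

# Loose variant for contrast (assumed shape: mkdir -p, chown without -h).
make_owned_dir_loose() {
    dir=$1; owner=$2
    mkdir -p -- "$dir" 2>/dev/null || return 1
    chown -- "$owner" "$dir"
}

# Returns 0 if chown -h works on a dangling symlink while plain chown,
# which has to dereference the link, fails on it.
chown_h_acts_on_link() {
    link=$1; owner=$2
    chown -h -- "$owner" "$link" 2>/dev/null || return 1
    if chown -- "$owner" "$link" 2>/dev/null; then return 1; fi
    return 0
}

demo() {
    tmp=$(mktemp -d) || return 1
    me=$(id -u)
    mkdir "$tmp/elsewhere"
    ln -s "$tmp/elsewhere" "$tmp/work"     # entry that already exists at the path
    ln -s "$tmp/missing" "$tmp/dangling"   # symlink with no target
    make_owned_dir_loose "$tmp/work" "$me" && echo "loose: reused existing symlink"
    make_owned_dir "$tmp/work" "$me" || echo "strict: refused existing entry"
    make_owned_dir "$tmp/fresh" "$me" && echo "strict: created fresh directory"
    chown_h_acts_on_link "$tmp/dangling" "$me" && echo "chown -h: acted on the link itself"
    rm -rf "$tmp"
}
demo
```

The owner passed in is the caller's own uid so the example runs without root.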