| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Aug 2011 13:52:45 +0100 From: Mark Thomas <markt@...che.org> To: Tomcat Users List <users@...cat.apache.org> CC: Tomcat Developers List <dev@...cat.apache.org>, Tomcat Announce List <announce@...cat.apache.org>, announce@...che.org, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: [SECURITY] CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat) CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat) Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 7.0.0 to 7.0.19 Tomcat 6.0.30 to 6.0.32 Tomcat 5.5.32 to 5.5.33 Description: Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities allowing the application to access files and directories owned by superuser. This vulnerability only applies if: a) Tomcat is running on a Linux operating system b) jsvc was compiled with libcap c) -user parameter is used The Tomcat versions above shipped with source files for jsvc that included this vulnerability. Mitigation: Affected users of all versions can mitigate these vulnerabilities by taking any of the following actions: a) upgrade to jsvc 1.0.7 or later b) do not use -user parameter to switch user c) recompile the jsvc without libcap support Updated jsvc source is included in Apache Tomcat 7.0.20 and will be included in the next releases of Tomcat 6.0.x and 5.5.x. Updated source can be obtained from the Apache Commons Daemon project. Credit: This issue was identified by Wilfried Weissmann.
Powered by blists - more mailing lists