Author: markt Date: Sun Jan 6 03:43:46 2008 New Revision: 609294 URL: http://svn.apache.org/viewvc?rev=609294&view=rev Log: Fix CVE-2007-5342. Restrict JULI permissions.
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/conf/catalina.policy tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=609294&r1=609293&r2=609294&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Jan 6 03:43:46 2008
@@ -31,12 +31,6 @@
+1: jfclere -1: fhanik - Can we add the 'package' directive to make the package match the dir structure -* Fix CVE-2007-5342 - JULI permissions need to be restricted - http://svn.apache.org/viewvc?rev=606594&view=rev - +1: markt,funkman, pero, yoavs - -1: - * Fix http://issues.apache.org/bugzilla/show_bug.cgi?id=43868 MBean methods getInvoke() and getSetter() were broken http://svn.apache.org/viewvc?rev=607483&view=rev
Modified: tomcat/tc6.0.x/trunk/conf/catalina.policy
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/conf/catalina.policy?rev=609294&r1=609293&r2=609294&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/conf/catalina.policy (original)
+++ tomcat/tc6.0.x/trunk/conf/catalina.policy Sun Jan 6 03:43:46 2008
@@ -62,7 +62,19 @@
 // These permissions apply to the logging API
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
- permission java.security.AllPermission;
+ permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+ permission java.util.logging.LoggingPermission "control";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+ permission java.lang.RuntimePermission "getClassLoader";
+ // To enable per context logging configuration, permit read access to the appropriate file.
+ // Be sure that the logging configuration is secure before enabling such access
+ // eg for the examples web application:
+ // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
 };
 // These permissions apply to the server startup code
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=609294&r1=609293&r2=609294&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Jan 6 03:43:46 2008
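Review bot: Nothing in the new grant block records what the nine permissions are sized for, so a later change to the log directory or to the handlers named in conf/logging.properties gives no hint that this block must move in step; a comment above the first `permission` line, `// Minimum JULI needs for the default conf/logging.properties: read the config, write under ${catalina.base}/logs. A handler that logs elsewhere or a relocated config needs its own explicit grant here.`, would make that explicit. The `logs` and `logs${file.separator}*` grants are read/write only, so a handler that removes old log files would be denied without "delete"; the hunk does not show whether the shipped FileHandler ever does that, so this is a point to confirm rather than a defect. The commented-out example at the end of the hunk is the place to state the trade-off concretely: reading a logging.properties from under webapps lets whoever controls that application's files influence what JULI configures and writes with these permissions, which is what the existing `Be sure that the logging configuration is secure` remark is about.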
@@ -35,6 +35,9 @@
 <section name="Tomcat 6.0.16 (remm)">
 <subsection name="General">
 <changelog>
+ <fix>
+ Fix CVE-2007-5342 by limiting permissions granted to JULI. (markt)
+ </fix>
 <update>
 Fix handling of CometEvent.close when called during BEGIN event (fhanik)
 </update>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]