Bugzilla – Bug 715656
VUL-0: jakarta-commons-daemon: allows remote attackers to bypass read permissions for
Last modified: 2011-10-04 09:07:11 UTC
Hi.
There is a security bug in package 'tomcat5'.
This bug is public.
There is no coordinated release date (CRD) set.

CVE number: CVE-2011-2729
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729
CVSS v2 Base Score: 5.8 (important) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Permissions, Privileges, and Access Control (CWE-264)

Original posting: files
CVE-ID: CVE-2011-2729
URL:

native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.

Reference: CONFIRM: https://issues.apache.org/jira/browse/DAEMON-214
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=730400
Reference: XF: http://xforce.iss.net/xforce/xfdb/69161
Reference: BID: http://www.securityfocus.com/bid/49143
Reference: CONFIRM: http://tomcat.apache.org/security-7.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1153824
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1153379
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1152701
Reference: SECTRACK: http://securitytracker.com/id?1025925
Reference: CONFIRM: http://people.apache.org/~markt/patches/2011-08-12-cve2011-2729-tc5.patch
Reference: MLIST: http://mail-archives.apache.org/mod_mbox/tomcat-announce/201108.mbox/%3C4E45221D.1020306@apache.org%3E
Reference: MLIST: http://mail-archives.apache.org/mod_mbox/commons-dev/201108.mbox/%3C4E451B2B.9090108@apache.org%3E
The SWAMPID for this issue is 43033. This issue was rated as important. Please submit fixed packages until 2011-09-12. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
jakarta-commons-daemon 1.0.1, used in all SLESes and openSUSE 11.3, is not vulnerable, as this version does not use CAP_DAC_OVERRIDE removed by patch [1]. This version tries to set up CAP_NET_BIND_SERVICE and optionally CAP_SETGID and CAP_SETGID - see [2] line 108 for definitions and linuxset_user_group on line 142 for usage. Thus only 11.4 and Factory have to be fixed ...

[1] http://svn.apache.org/viewvc/commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c?r1=1152701&r2=1152700&pathrev=1152701
[2] http://svn.apache.org/viewvc/commons/proper/daemon/tags/daemon-1_0_1/src/native/unix/native/jsvc-unix.c?revision=560660&view=markup
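An added example (not part of this bug report and not Apache Commons Daemon code): a small C check that reads the CapEff mask from /proc/<pid>/status and reports whether a running process, such as a jsvc-launched Tomcat, still holds CAP_DAC_OVERRIDE, the capability discussed in the comment above. It goes slightly beyond the report by also flagging CAP_DAC_READ_SEARCH; the function names are chosen for illustration, and the bit numbers are those of <linux/capability.h>.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_BIT_DAC_OVERRIDE    1
#define CAP_BIT_DAC_READ_SEARCH 2

/* Extract the hex mask from the "CapEff:" line of /proc/<pid>/status text.
 * Returns 0 on success, -1 if the line is missing or carries no hex value. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *q = p + 7;
            while (*q == ' ' || *q == '\t') q++;
            if (!isxdigit((unsigned char)*q)) return -1;
            *mask = strtoull(q, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* 1 if the effective set still lets the process ignore file read permissions. */
int bypasses_read_permissions(uint64_t mask)
{
    return (mask & ((1ULL << CAP_BIT_DAC_OVERRIDE) |
                    (1ULL << CAP_BIT_DAC_READ_SEARCH))) != 0;
}

int main(int argc, char **argv)
{
    char path[64], buf[8192];
    uint64_t mask = 0;
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    if (parse_cap_eff(buf, &mask) != 0) { fputs("no CapEff line\n", stderr); return 2; }
    printf("CapEff=%016llx: %s\n", (unsigned long long)mask,
           bypasses_read_permissions(mask) ? "can bypass file read permissions" : "ok");
    return bypasses_read_permissions(mask);
}
```

Run it with the PID of the Java process started by jsvc as the only argument; exit status 1 means the process can still bypass file read permission checks.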
Sent 1.0.7 to Factory by request 81091
Fix 1.0.4 in 11.4 by request 81092
This is an autogenerated message for OBS integration: This bug (715656) was mentioned in https://build.opensuse.org/request/show/81091 Factory / jakarta-commons-daemon
The SWAMPID for this issue is 43226. This issue was rated as important. Please submit fixed packages until 2011-09-23. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: jakarta-commons-daemon, jakarta-commons-daemon-debuginfo, jakarta-commons-daemon-debugsource, jakarta-commons-daemon-java, jakarta-commons-daemon-javadoc Products: openSUSE 11.4 (debug, i586, x86_64)
updates released