Bug 92281 - www-servers/tomcat uses default shutdown password
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Reported: 2005-05-11 12:04 UTC by Christopher G. Stach II
Modified: 2005-05-15 08:57 UTC
Description Christopher G. Stach II 2005-05-11 12:04:34 UTC
The well-known default shutdown password ("SHUTDOWN") should be randomized and stored in the server.xml configuration file in place of the default. Anyone on localhost with knowledge of the password can cause a denial of service attack if the password is known. Right now, the current tomcat 5 ebuild makes the file readable only by the tomcat user, which is correct.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-11 13:50:36 UTC
Java please advise.
Comment 2 Jan Brinkmann (RETIRED) gentoo-dev 2005-05-15 08:37:19 UTC
tomcat-5.0.27-r6 and tomcat-5.0.28-r3 now replace the default pw with a random one, sorry for the delay but haven't recognized this one earlier.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-15 08:57:45 UTC
Thx Jan.
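
Added example, not part of the original bug thread and not the Gentoo ebuild's own code: a check for the default shutdown string on the `<Server>` element of server.xml, plus the fix described in this bug (a random value, with the file restricted to its owner). The function names and the sample file are constructed for illustration, and the script assumes server.xml is already owned by the tomcat user.

```python
import os
import re
import secrets
import stat
import tempfile

DEFAULT_SHUTDOWN = "SHUTDOWN"  # stock value shipped in server.xml
# Matches the shutdown attribute on the <Server ...> start tag only.
SERVER_ATTR = re.compile(r'(<Server\b[^>]*?\bshutdown\s*=\s*)(["\'])(.*?)\2', re.S)

def audit(path):
    """Return a list of findings for one server.xml."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        match = SERVER_ATTR.search(fh.read())
    if match is None:
        findings.append("no shutdown attribute on <Server>")
    elif match.group(3) == DEFAULT_SHUTDOWN:
        findings.append("default shutdown password in use")
    # A random value only helps if other local users cannot read it.
    if stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("server.xml is accessible to group/other")
    return findings

def randomize(path):
    """Swap the shutdown string for a random one; restrict the file to its owner."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    token = secrets.token_hex(16)
    new_text, count = SERVER_ATTR.subn(
        lambda m: f"{m.group(1)}{m.group(2)}{token}{m.group(2)}", text, count=1)
    if count != 1:
        raise ValueError("no shutdown attribute found on <Server>")
    os.chmod(path, 0o600)  # tighten permissions before the secret is written
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return token

def demo():
    """Run audit -> randomize -> audit on a constructed sample file."""
    sample = ('<?xml version="1.0"?>\n<!-- constructed sample -->\n'
              '<Server port="8005" shutdown="SHUTDOWN">\n'
              '  <Service name="Catalina"/>\n</Server>\n')
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # deliberately too permissive for the demo
        before = audit(path)
        token = randomize(path)
        return before, token, audit(path)
```

The regex edit leaves comments and formatting in server.xml untouched, which a parse-and-reserialize approach would not.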