| Summary: | www-servers/tomcat 5.0.27-r1 ebuild does insecure installation | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tero Pelander <tpeland> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | axxo, java |
| Priority: | High | Flags: | mholzer: Assigned_To? (java) |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Tero Pelander
2004-08-02 23:35:54 UTC
This effectively allows privilege escalation from tomcat group users to root. ebuild should be corrected so that init and conf files are owned by root.

I believe this is fixed in tomcat-3.3.2-r2 tomcat-4.1.30-r4 tomcat-5.0.27-r3

Thanks axxo. Ready for a GLSA -- if we decide one is needed

we need a GLSA on this one. local root exploit == bad.

GLSA 200408-15

FYI, Tomcat was moved from net-www to www-servers a week ago. Best regards, Stu

Fixed. Thx Stu
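
A check for the condition this report describes, as an added example that is not part of the bug thread or of the Gentoo ebuild: it lists init and conf files that root does not own. The group/other write-bit test goes one step beyond the stated fix, and the function name, the `EXPECT_UID` override and the paths in the usage comment are assumptions, not values from the package.

```shell
#!/bin/sh
# Added example: audit files that root's init system executes or sources.
# Paths are supplied by the caller; none are taken from the tomcat ebuild.

# UID that must own every audited path (root). The override exists only so
# the check can be exercised by an unprivileged user.
EXPECT_UID="${EXPECT_UID:-0}"

# audit_root_owned PATH...
# Walks each PATH (files or directories, recursively) and prints every entry
# that is not owned by EXPECT_UID, or that is writable by its group or by
# others. Directories are included because a writable parent directory lets
# a non-root user replace a root-owned file.
# Returns 0 if nothing is flagged, 1 if something is, 2 on missing arguments.
audit_root_owned() {
    [ "$#" -gt 0 ] || return 2
    findings=$(find "$@" ! -type l \
        \( ! -uid "$EXPECT_UID" -o -perm -020 -o -perm -002 \) \
        -print 2>/dev/null)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage (placeholder paths, adjust to the local layout):
#   audit_root_owned /etc/init.d/<tomcat-init-script> /etc/conf.d/<tomcat-conf>
```

An empty result with exit status 0 means every audited path is root-owned and not writable by group or others.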