[java-sig-commits] [Bug 730400] CVE-2011-2729 jakarta-commons-daemon: jsvc does not drop capabilities allowing access to files and directories owned by the superuser

bugzilla at redhat.com
Fri Aug 12 19:39:39 UTC 2011


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=730400

--- Comment #1 from Vincent Danen <vdanen at redhat.com> 2011-08-12 15:39:36 EDT ---
According to the tomcat reports, we are vulnerable based on the version, but
our tomcat packages include:

Requires: jakarta-commons-daemon >= 1.0.1

So we do not use the upstream-provided version, but our own.  Which means that
this only affects us if we ship {apache,jakarta}-commons-daemon version 1.0.3
through 1.0.6.  The only platform that does this is Fedora 15.

The Fedora spec does not explicitly call for a BuildRequires on libcap, however
the ./configure script will enable it if present and libcap will always be
present because rpm depends on it.  Due to this, Fedora 15 and rawhide will
need to update to 1.0.7 or backport the fix.

Stano or Permaine, can you double-check the logic above to make sure that the
older jakarta-commons-daemon versions are indeed not vulnerable?

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

