Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/01/06 23:38:15 UTC

svn commit: r609451 - in /tomcat/container/tc5.5.x: catalina/src/conf/catalina.policy webapps/docs/changelog.xml

Author: markt
Date: Sun Jan  6 14:38:14 2008
New Revision: 609451

URL: http://svn.apache.org/viewvc?rev=609451&view=rev
Log:
Fix CVE-2007-5342 by limiting permissions granted to JULI.

Modified:
    tomcat/container/tc5.5.x/catalina/src/conf/catalina.policy
    tomcat/container/tc5.5.x/webapps/docs/changelog.xml

Modified: tomcat/container/tc5.5.x/catalina/src/conf/catalina.policy
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/conf/catalina.policy?rev=609451&r1=609450&r2=609451&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/conf/catalina.policy (original)
+++ tomcat/container/tc5.5.x/catalina/src/conf/catalina.policy Sun Jan  6 14:38:14 2008
@@ -82,7 +82,19 @@
 
 // These permissions apply to JULI
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-        permission java.security.AllPermission;
+        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+        permission java.lang.RuntimePermission "shutdownHooks";
+        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+        permission java.util.PropertyPermission "catalina.base", "read";
+        permission java.util.logging.LoggingPermission "control";
+        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
+        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+        permission java.lang.RuntimePermission "getClassLoader";
+        // To enable per context logging configuration, permit read access to the appropriate file.
+        // Be sure that the logging configuration is secure before enabling such access
+        // eg for the examples web application:
+        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
 };
 
 // These permissions apply to the servlet API classes
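Review bot: The replacement grant list carries no per-permission rationale, so the next least-privilege review of this block cannot tell which entries are load-bearing; the two FilePermission lines on `logs` and `logs${file.separator}*` in particular deserve a note, because `*` in `java.io.FilePermission` matches only the direct children of the directory (the recursive form is `-`), so a handler configured with a nested output path would fail the security check rather than be quietly allowed. I would add above the logs entries: `// Handlers write directly into ${catalina.base}/logs; "*" is non-recursive, so a nested output directory needs its own explicit grant` and, next to "getClassLoader" and "shutdownHooks", a short note of which JULI code path needs each (presumably the per-classloader logging setup and the handler flush on exit — worth confirming against the JULI sources before writing it down). The per-context example comment is good as it stands; it could state explicitly that the file being granted must not be writable by the web application itself, since the point of the tightened grant is that the application cannot influence what JULI is permitted to touch. The whole grant block is inside the hunk, so no wider context is needed.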

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=609451&r1=609450&r2=609451&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Sun Jan  6 14:38:14 2008
@@ -41,6 +41,9 @@
         <bug>43594</bug>: Use setenv from CATALINA_BASE (if set) in preference
         to the one in CATALINA_HOME. Patch provided by Shaddy Baddah. (markt)
       </fix>
+      <fix>
+        Fix CVE-2007-5342 by limiting permissions granted to JULI. (markt)
+      </fix>
     </changelog>
   </subsection>  
   <subsection name="Catalina">


