Date: Fri, 22 Feb 2013 22:47:47 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Agostino Sarubbo <ago@...too.org>
Subject: Re: Cve request: tomcat world-readable logdir


On 02/22/2013 05:59 AM, Agostino Sarubbo wrote:
> Hello,
> 
> Tomcat 7 has a world-readable log/logdir:
> 
> drwxr-xr-x 2 ago  ago  4096 Feb 22 13:50 .
> drwxr-xr-x 8 root root 4096 Feb 22 13:50 ..
> -rw-r--r-- 1 ago  ago  5919 Feb 22 13:51 catalina.2013-02-22.log
> -rw-r--r-- 1 ago  ago     0 Feb 22 13:50 host-manager.2013-02-22.log
> -rw-r--r-- 1 ago  ago     0 Feb 22 13:50 localhost.2013-02-22.log
> -rw-r--r-- 1 ago  ago     0 Feb 22 13:50 localhost_access_log.2013-02-22.txt
> -rw-r--r-- 1 ago  ago     0 Feb 22 13:50 manager.2013-02-22.log
> 
> I'd like to have confirmation of what the behavior is on the other
> distros because it could be Gentoo-related.

Please use CVE-2013-0346 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

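
A check for the condition reported in this thread, as an added example that is not part of the original messages: it lists entries under a log directory that grant any permission to "other" and then removes those bits. The function names and the temporary sample directory are constructed for illustration; pass your own Tomcat log path to audit a real install.

```shell
#!/bin/sh
# Added example (not from the thread): find and fix log files readable by "other".
# Function names and the sample directory are constructed for illustration.

# List every file or directory at or below $1 that grants any permission
# to "other" (read, write or execute). POSIX find only, no GNU extensions.
audit_logdir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries under $1 (0 means nothing is open to "other").
count_exposed() {
    audit_logdir "$1" | wc -l | tr -d ' '
}

# Remove all "other" permissions from existing entries. Files the server
# creates later take their mode from the process umask, so that must be
# restrictive too (for example 027) or the exposure returns at log rotation.
harden_logdir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    chmod -R o-rwx "$1"
}

# Build a constructed sample that mirrors the modes in the listing above:
# directory 755, log files 644. Prints the path of the sample directory.
make_sample_logdir() {
    d=$(mktemp -d) || return 1
    mkdir "$d/logs"
    for f in catalina.2013-02-22.log localhost.2013-02-22.log \
             manager.2013-02-22.log; do
        : > "$d/logs/$f"
        chmod 644 "$d/logs/$f"
    done
    chmod 755 "$d/logs"
    echo "$d/logs"
}

# Stand-alone use: sh audit.sh /path/to/tomcat/logs
if [ "$#" -gt 0 ]; then
    audit_logdir "$1"
fi
```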
