CVE-2011-2729

NameCVE-2011-2729
Descriptionnative/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
commons-daemon (PTS)bullseye1.0.15-8+deb11u1fixed
bookworm1.0.15-10fixed
trixie1.0.15-11fixed
forky, sid1.0.15-12fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
commons-daemonsourcesqueeze(not affected)
commons-daemonsource(unstable)1.0.7-1

Notes

[squeeze] - commons-daemon <not-affected> (Support for libcap was only added in 1.0.6)
According to http://tomcat.apache.org/security-7.html jsvc needs to be build againt libcap to be exploitable
Search for package or bug name: Reporting problems