TEMP-0840685-CEF76B

Name: TEMP-0840685-CEF76B
Description: TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory
Source: Automatically generated temporary name. Not for external reference.
Debian Bugs: 840685, 841655

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| tomcat6 (PTS) | wheezy | 6.0.45+dfsg-1~deb7u1 | fixed |
| | wheezy (security) | 6.0.45+dfsg-1~deb7u5 | fixed |
| | jessie (security), jessie | 6.0.45+dfsg-1~deb8u1 | fixed |
| tomcat7 (PTS) | wheezy | 7.0.28-4+deb7u4 | vulnerable |
| | wheezy (security) | 7.0.28-4+deb7u17 | fixed |
| | jessie (security), jessie | 7.0.56-3+deb8u11 | fixed |
| | stretch | 7.0.75-1 | fixed |
| | buster, sid | 7.0.78-1 | fixed |
| tomcat8 (PTS) | jessie (security), jessie | 8.0.14-1+deb8u11 | fixed |
| | stretch (security), stretch | 8.5.14-1+deb9u2 | fixed |
| | buster, sid | 8.5.24-2 | fixed |

The information below is based on the following data on fixed versions.

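| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tomcat6 | source | (unstable) | 6.0.41-3 | | | |
| tomcat7 | source | (unstable) | 7.0.72-3 | | | 841655 |
| tomcat7 | source | jessie | 7.0.56-3+deb8u5 | | | |
| tomcat7 | source | wheezy | 7.0.28-4+deb7u7 | | | |
| tomcat8 | source | (unstable) | 8.0.38-1 | | | 840685 |
| tomcat8 | source | jessie | 8.0.14-1+deb8u4 | | | |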

Notes

Workaround entry for DSA-3720-1 since no CVE assigned
Workaround entry for DSA-3721-1 since no CVE assigned
Since 7.0.72-3, src:tomcat7 only builds the Servlet API
Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie
