{"update": {"autokarma": true, "autotime": false, "stable_karma": 3, "stable_days": 0, "unstable_karma": -3, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "This updates includes a rebase from tomcat 8.0.36 up to 8.0.38 which resolves multiple CVEs and a problem that 8.0.37 introduces to freeipa:\n\n* rhbz#1375581 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header\n* rhbz#1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws\n\nand includes two additional CVE fixes along with one bug fix:\n\n* rhbz#1383210 - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service\n* rhbz#1383216 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation\n* rhbz#1370262 - catalina.out is no longer in use in the main package, but still gets rotated \n\n", "type": "security", "status": "stable", "request": null, "severity": "high", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": false, "critpath_groups": null, "close_bugs": true, "date_submitted": "2016-10-24 00:11:26", "date_modified": "2016-11-01 12:40:14", "date_approved": null, "date_testing": "2016-10-26 20:34:54", "date_stable": "2016-11-12 18:43:09", "alias": "FEDORA-2016-c1b01b9278", "test_gating_status": null, "from_tag": null, "date_pushed": "2016-11-12 18:43:09", "meets_testing_requirements": false, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2016-c1b01b9278", "title": "tomcat-8.0.38-1.fc24", "version_hash": "7e33b73cf4951f34d60c51fdaaa97e4409b55564", "release": {"name": "F24", "long_name": "Fedora 24", "version": "24", "id_prefix": "FEDORA", "branch": "f24", "dist_tag": "f24", "stable_tag": "f24-updates", "testing_tag": "f24-updates-testing", "candidate_tag": "f24-updates-candidate", "pending_signing_tag": "f24-signing-pending", "pending_testing_tag": "f24-updates-testing-pending", "pending_stable_tag": "f24-updates-pending", "override_tag": "f24-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": null, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": null, "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by csutherl. ", "timestamp": "2016-10-24 00:11:26", "update_id": 71124, "user_id": 91, "id": 511473, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2016-10-25 02:22:52", "update_id": 71124, "user_id": 91, "id": 511904, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": -1, "karma_critpath": 0, "text": "This update broke Dogtag PKI setup during FreeIPA server installation:\n\n Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds\n [1/25]: creating certificate server user\n [2/25]: configuring certificate server instance\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9kNE80' returned non-zero exit status 1\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat\n [error] RuntimeError: CA configuration failed.\n Your system may be partly configured.\n Run /usr/sbin/ipa-server-install --uninstall to clean up.\n\n ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.\n ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information\n\nSee also the following cornucopia of stack traces in the pki-tomcat service journal log: https://paste.fedoraproject.org/460589/77394029\n\ngiving negative karma until the issue is fixed either on tomcat or dogtag side.\n\n\n", "timestamp": "2016-10-25 11:18:19", "update_id": 71124, "user_id": 1567, "id": 512140, "bug_feedback": [{"karma": 0, "comment_id": 512140, "bug_id": 1375581, "bug": {"bug_id": 1375581, "title": "CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512140, "bug_id": 1383216, "bug": {"bug_id": 1383216, "title": "CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512140, "bug_id": 1383210, "bug": {"bug_id": 1383210, "title": "CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512140, "bug_id": 1370262, "bug": {"bug_id": 1370262, "title": "catalina.out is no longer in use in the main package, but still gets rotated", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "mbabinsk", "email": "mbabinsk@redhat.com", "id": 1567, "avatar": "https://seccdn.libravatar.org/avatar/abf8f97fed2d2d9cc024eb8a796b96500b124fbf8fdb541a9a189fa082adb6c1?s=24&d=retro", "openid": "mbabinsk.id.fedoraproject.org", "groups": []}}, {"karma": -1, "karma_critpath": 0, "text": "After upgrade a restart of FreeIPA fails. In catalina log I can see there is a missing java class that cannot be found:\n\n 25-Oct-2016 14:29:18.278 SEVERE [localhost-startStop-1] org.apache.jasper.security.SecurityClassLoad.securityClassLoad SecurityClassLoad\n java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper\n at java.net.URLClassLoader.findClass(URLClassLoader.java:381)\n at java.lang.ClassLoader.loadClass(ClassLoader.java:424)\n at java.lang.ClassLoader.loadClass(ClassLoader.java:357)\n at org.apache.jasper.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:47)\n at org.apache.jasper.servlet.JasperInitializer.(JasperInitializer.java:52)\n at java.lang.Class.forName0(Native Method)\n at java.lang.Class.forName(Class.java:348)\n at org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:186)\n at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:157)\n at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1631)\n at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1140)\n at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:783)\n at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:307)\n at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)\n at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)\n at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5213)\n at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)\n at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)\n at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)\n at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)\n at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)\n at java.security.AccessController.doPrivileged(Native Method)\n at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)\n at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)\n at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)\n at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)\n at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)\n at java.util.concurrent.FutureTask.run(FutureTask.java:266)\n at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n at java.lang.Thread.run(Thread.java:745)\n\n", "timestamp": "2016-10-25 11:35:54", "update_id": 71124, "user_id": 1242, "id": 512141, "bug_feedback": [{"karma": 0, "comment_id": 512141, "bug_id": 1375581, "bug": {"bug_id": 1375581, "title": "CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512141, "bug_id": 1383216, "bug": {"bug_id": 1383216, "title": "CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512141, "bug_id": 1383210, "bug": {"bug_id": 1383210, "title": "CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512141, "bug_id": 1370262, "bug": {"bug_id": 1370262, "title": "catalina.out is no longer in use in the main package, but still gets rotated", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Note that the only java packages upgraded were from tomcat:\n\n Running transaction check\n Transaction check succeeded.\n Running transaction test\n Transaction test succeeded.\n Running transaction\n Upgrading : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch 1/12 \n Upgrading : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch 2/12 \n Upgrading : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch 3/12 \n Upgrading : tomcat-lib-1:8.0.37-3.fc24.noarch 4/12 \n Upgrading : tomcat-1:8.0.37-3.fc24.noarch 5/12 \n Upgrading : pcre-8.39-6.fc24.x86_64 6/12 \n Cleanup : tomcat-1:8.0.36-2.fc24.noarch 7/12 \n Cleanup : tomcat-lib-1:8.0.36-2.fc24.noarch 8/12 \n Cleanup : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch 9/12 \n Cleanup : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch 10/12 \n Cleanup : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch 11/12 \n Cleanup : pcre-8.39-5.fc24.x86_64 12/12 \n Verifying : pcre-8.39-6.fc24.x86_64 1/12 \n Verifying : tomcat-1:8.0.37-3.fc24.noarch 2/12 \n Verifying : tomcat-lib-1:8.0.37-3.fc24.noarch 3/12 \n Verifying : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch 4/12 \n Verifying : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch 5/12 \n Verifying : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch 6/12 \n Verifying : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch 7/12 \n Verifying : tomcat-1:8.0.36-2.fc24.noarch 8/12 \n Verifying : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch 9/12 \n Verifying : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch 10/12 \n Verifying : tomcat-lib-1:8.0.36-2.fc24.noarch 11/12 \n Verifying : pcre-8.39-5.fc24.x86_64 12/12 \n \n Upgraded:\n pcre.x86_64 8.39-6.fc24 tomcat.noarch 1:8.0.37-3.fc24 \n tomcat-el-3.0-api.noarch 1:8.0.37-3.fc24 tomcat-jsp-2.3-api.noarch 1:8.0.37-3.fc24 \n tomcat-lib.noarch 1:8.0.37-3.fc24 tomcat-servlet-3.1-api.noarch 1:8.0.37-3.fc24 \n \n Complete!\n [root@f24-master ~]# ipactl stop\n Stopping ipa-dnskeysyncd Service\n Stopping ipa-otpd Service\n Stopping winbind Service\n Stopping smb Service\n Stopping pki-tomcatd Service\n Stopping ntpd Service\n Stopping ipa-custodia Service\n Stopping httpd Service\n Stopping ipa_memcached Service\n Stopping named Service\n Stopping kadmin Service\n Stopping krb5kdc Service\n Stopping Directory Service\n ipa: INFO: The ipactl command was successful\n [root@f24-master ~]# ipactl start\n Starting Directory Service\n debugging enabled, suppressing output.\n Starting krb5kdc Service\n Starting kadmin Service\n Starting named Service\n Starting ipa_memcached Service\n Starting httpd Service\n Starting ipa-custodia Service\n Starting ntpd Service\n Starting pki-tomcatd Service\n Failed to start pki-tomcatd Service\n Shutting down\n Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed\n Aborting ipactl\n ", "timestamp": "2016-10-25 11:38:21", "update_id": 71124, "user_id": 1242, "id": 512142, "bug_feedback": [{"karma": 0, "comment_id": 512142, "bug_id": 1375581, "bug": {"bug_id": 1375581, "title": "CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512142, "bug_id": 1383216, "bug": {"bug_id": 1383216, "title": "CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512142, "bug_id": 1383210, "bug": {"bug_id": 1383210, "title": "CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512142, "bug_id": 1370262, "bug": {"bug_id": 1370262, "title": "catalina.out is no longer in use in the main package, but still gets rotated", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Corresponding Apache bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60101\n\nSo we need to get 8.0.38 packaged.", "timestamp": "2016-10-25 12:01:55", "update_id": 71124, "user_id": 1242, "id": 512176, "bug_feedback": [{"karma": 0, "comment_id": 512176, "bug_id": 1375581, "bug": {"bug_id": 1375581, "title": "CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512176, "bug_id": 1383216, "bug": {"bug_id": 1383216, "title": "CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512176, "bug_id": 1383210, "bug": {"bug_id": 1383210, "title": "CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512176, "bug_id": 1370262, "bug": {"bug_id": 1370262, "title": "catalina.out is no longer in use in the main package, but still gets rotated", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Thanks for pinning that down @abbra; I'll rebase to 8.0.38 asap.", "timestamp": "2016-10-25 12:12:54", "update_id": 71124, "user_id": 2565, "id": 512181, "bug_feedback": [{"karma": 0, "comment_id": 512181, "bug_id": 1375581, "bug": {"bug_id": 1375581, "title": "CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512181, "bug_id": 1383216, "bug": {"bug_id": 1383216, "title": "CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512181, "bug_id": 1383210, "bug": {"bug_id": 1383210, "title": "CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512181, "bug_id": 1370262, "bug": {"bug_id": 1370262, "title": "catalina.out is no longer in use in the main package, but still gets rotated", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}, {"karma": 0, "karma_critpath": 0, "text": "csutherl edited this update.\n\nNew build(s):\n\n- tomcat-8.0.38-1.fc24\n\nRemoved build(s):\n\n- tomcat-8.0.37-3.fc24", "timestamp": "2016-10-25 15:38:21", "update_id": 71124, "user_id": 91, "id": 512239, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by csutherl. ", "timestamp": "2016-10-25 15:38:31", "update_id": 71124, "user_id": 91, "id": 512240, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "Is it possible to remove the tomcat-8.0.37-3.fc24 package from updates-testing?", "timestamp": "2016-10-26 14:08:58", "update_id": 71124, "user_id": 2329, "id": 512733, "bug_feedback": [{"karma": 0, "comment_id": 512733, "bug_id": 1375581, "bug": {"bug_id": 1375581, "title": "CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512733, "bug_id": 1383216, "bug": {"bug_id": 1383216, "title": "CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512733, "bug_id": 1383210, "bug": {"bug_id": 1383210, "title": "CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512733, "bug_id": 1370262, "bug": {"bug_id": 1370262, "title": "catalina.out is no longer in use in the main package, but still gets rotated", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "mkubik", "email": "mkubik@redhat.com", "id": 2329, "avatar": "https://seccdn.libravatar.org/avatar/e86ba69535a9375a864b04fefe0fdf646291f87ff8f4e54da24c682ac01f94e5?s=24&d=retro", "openid": "mkubik.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "I was under the impression that adding a new build would remove the old one, but maybe that isn't the case. I do see that this update is pending the push to testing, so maybe when that happens the old build will be removed. I'm going to wait and see what happens when this update is pushed to testing. If it doesn't resolve it, I'll try untagging the 8.0.37-3 build.", "timestamp": "2016-10-26 14:47:40", "update_id": 71124, "user_id": 2565, "id": 512755, "bug_feedback": [{"karma": 0, "comment_id": 512755, "bug_id": 1375581, "bug": {"bug_id": 1375581, "title": "CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512755, "bug_id": 1383216, "bug": {"bug_id": 1383216, "title": "CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512755, "bug_id": 1383210, "bug": {"bug_id": 1383210, "title": "CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 512755, "bug_id": 1370262, "bug": {"bug_id": 1370262, "title": "catalina.out is no longer in use in the main package, but still gets rotated", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2016-10-26 22:27:32", "update_id": 71124, "user_id": 91, "id": 512915, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "csutherl edited this update.", "timestamp": "2016-11-01 12:40:13", "update_id": 71124, "user_id": 91, "id": 515255, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes", "timestamp": "2016-11-03 00:00:24", "update_id": 71124, "user_id": 91, "id": 515936, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by csutherl. ", "timestamp": "2016-11-11 19:34:50", "update_id": 71124, "user_id": 91, "id": 520042, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to stable.", "timestamp": "2016-11-12 23:55:54", "update_id": 71124, "user_id": 91, "id": 520406, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "tomcat-8.0.38-1.fc24", "signed": true, "release_id": 14, "type": "rpm", "epoch": 1}], "bugs": [{"bug_id": 1370262, "title": "catalina.out is no longer in use in the main package, but still gets rotated", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 512140, "bug_id": 1370262, "comment": {"karma": -1, "karma_critpath": 0, "text": "This update broke Dogtag PKI setup during FreeIPA server installation:\n\n Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds\n [1/25]: creating certificate server user\n [2/25]: configuring certificate server instance\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9kNE80' returned non-zero exit status 1\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat\n [error] RuntimeError: CA configuration failed.\n Your system may be partly configured.\n Run /usr/sbin/ipa-server-install --uninstall to clean up.\n\n ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.\n ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information\n\nSee also the following cornucopia of stack traces in the pki-tomcat service journal log: https://paste.fedoraproject.org/460589/77394029\n\ngiving negative karma until the issue is fixed either on tomcat or dogtag side.\n\n\n", "timestamp": "2016-10-25 11:18:19", "update_id": 71124, "user_id": 1567, "id": 512140, "testcase_feedback": [], "user": {"name": "mbabinsk", "email": "mbabinsk@redhat.com", "id": 1567, "avatar": "https://seccdn.libravatar.org/avatar/abf8f97fed2d2d9cc024eb8a796b96500b124fbf8fdb541a9a189fa082adb6c1?s=24&d=retro", "openid": "mbabinsk.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 512141, "bug_id": 1370262, "comment": {"karma": -1, "karma_critpath": 0, "text": "After upgrade a restart of FreeIPA fails. In catalina log I can see there is a missing java class that cannot be found:\n\n 25-Oct-2016 14:29:18.278 SEVERE [localhost-startStop-1] org.apache.jasper.security.SecurityClassLoad.securityClassLoad SecurityClassLoad\n java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper\n at java.net.URLClassLoader.findClass(URLClassLoader.java:381)\n at java.lang.ClassLoader.loadClass(ClassLoader.java:424)\n at java.lang.ClassLoader.loadClass(ClassLoader.java:357)\n at org.apache.jasper.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:47)\n at org.apache.jasper.servlet.JasperInitializer.(JasperInitializer.java:52)\n at java.lang.Class.forName0(Native Method)\n at java.lang.Class.forName(Class.java:348)\n at org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:186)\n at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:157)\n at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1631)\n at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1140)\n at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:783)\n at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:307)\n at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)\n at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)\n at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5213)\n at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)\n at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)\n at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)\n at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)\n at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)\n at java.security.AccessController.doPrivileged(Native Method)\n at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)\n at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)\n at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)\n at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)\n at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)\n at java.util.concurrent.FutureTask.run(FutureTask.java:266)\n at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n at java.lang.Thread.run(Thread.java:745)\n\n", "timestamp": "2016-10-25 11:35:54", "update_id": 71124, "user_id": 1242, "id": 512141, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512142, "bug_id": 1370262, "comment": {"karma": 0, "karma_critpath": 0, "text": "Note that the only java packages upgraded were from tomcat:\n\n Running transaction check\n Transaction check succeeded.\n Running transaction test\n Transaction test succeeded.\n Running transaction\n Upgrading : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch 1/12 \n Upgrading : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch 2/12 \n Upgrading : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch 3/12 \n Upgrading : tomcat-lib-1:8.0.37-3.fc24.noarch 4/12 \n Upgrading : tomcat-1:8.0.37-3.fc24.noarch 5/12 \n Upgrading : pcre-8.39-6.fc24.x86_64 6/12 \n Cleanup : tomcat-1:8.0.36-2.fc24.noarch 7/12 \n Cleanup : tomcat-lib-1:8.0.36-2.fc24.noarch 8/12 \n Cleanup : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch 9/12 \n Cleanup : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch 10/12 \n Cleanup : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch 11/12 \n Cleanup : pcre-8.39-5.fc24.x86_64 12/12 \n Verifying : pcre-8.39-6.fc24.x86_64 1/12 \n Verifying : tomcat-1:8.0.37-3.fc24.noarch 2/12 \n Verifying : tomcat-lib-1:8.0.37-3.fc24.noarch 3/12 \n Verifying : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch 4/12 \n Verifying : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch 5/12 \n Verifying : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch 6/12 \n Verifying : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch 7/12 \n Verifying : tomcat-1:8.0.36-2.fc24.noarch 8/12 \n Verifying : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch 9/12 \n Verifying : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch 10/12 \n Verifying : tomcat-lib-1:8.0.36-2.fc24.noarch 11/12 \n Verifying : pcre-8.39-5.fc24.x86_64 12/12 \n \n Upgraded:\n pcre.x86_64 8.39-6.fc24 tomcat.noarch 1:8.0.37-3.fc24 \n tomcat-el-3.0-api.noarch 1:8.0.37-3.fc24 tomcat-jsp-2.3-api.noarch 1:8.0.37-3.fc24 \n tomcat-lib.noarch 1:8.0.37-3.fc24 tomcat-servlet-3.1-api.noarch 1:8.0.37-3.fc24 \n \n Complete!\n [root@f24-master ~]# ipactl stop\n Stopping ipa-dnskeysyncd Service\n Stopping ipa-otpd Service\n Stopping winbind Service\n Stopping smb Service\n Stopping pki-tomcatd Service\n Stopping ntpd Service\n Stopping ipa-custodia Service\n Stopping httpd Service\n Stopping ipa_memcached Service\n Stopping named Service\n Stopping kadmin Service\n Stopping krb5kdc Service\n Stopping Directory Service\n ipa: INFO: The ipactl command was successful\n [root@f24-master ~]# ipactl start\n Starting Directory Service\n debugging enabled, suppressing output.\n Starting krb5kdc Service\n Starting kadmin Service\n Starting named Service\n Starting ipa_memcached Service\n Starting httpd Service\n Starting ipa-custodia Service\n Starting ntpd Service\n Starting pki-tomcatd Service\n Failed to start pki-tomcatd Service\n Shutting down\n Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed\n Aborting ipactl\n ", "timestamp": "2016-10-25 11:38:21", "update_id": 71124, "user_id": 1242, "id": 512142, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512176, "bug_id": 1370262, "comment": {"karma": 0, "karma_critpath": 0, "text": "Corresponding Apache bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60101\n\nSo we need to get 8.0.38 packaged.", "timestamp": "2016-10-25 12:01:55", "update_id": 71124, "user_id": 1242, "id": 512176, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512181, "bug_id": 1370262, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks for pinning that down @abbra; I'll rebase to 8.0.38 asap.", "timestamp": "2016-10-25 12:12:54", "update_id": 71124, "user_id": 2565, "id": 512181, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}, {"karma": 0, "comment_id": 512733, "bug_id": 1370262, "comment": {"karma": 0, "karma_critpath": 0, "text": "Is it possible to remove the tomcat-8.0.37-3.fc24 package from updates-testing?", "timestamp": "2016-10-26 14:08:58", "update_id": 71124, "user_id": 2329, "id": 512733, "testcase_feedback": [], "user": {"name": "mkubik", "email": "mkubik@redhat.com", "id": 2329, "avatar": "https://seccdn.libravatar.org/avatar/e86ba69535a9375a864b04fefe0fdf646291f87ff8f4e54da24c682ac01f94e5?s=24&d=retro", "openid": "mkubik.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 512755, "bug_id": 1370262, "comment": {"karma": 0, "karma_critpath": 0, "text": "I was under the impression that adding a new build would remove the old one, but maybe that isn't the case. I do see that this update is pending the push to testing, so maybe when that happens the old build will be removed. I'm going to wait and see what happens when this update is pushed to testing. If it doesn't resolve it, I'll try untagging the 8.0.37-3 build.", "timestamp": "2016-10-26 14:47:40", "update_id": 71124, "user_id": 2565, "id": 512755, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}, {"karma": 1, "comment_id": 520039, "bug_id": 1370262, "comment": {"karma": 0, "karma_critpath": 0, "text": "wfm too :)", "timestamp": "2016-11-11 19:33:54", "update_id": 71123, "user_id": 2565, "id": 520039, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}]}, {"bug_id": 1375581, "title": "CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header [fedora-all]", "security": true, "parent": false, "feedback": [{"karma": 0, "comment_id": 512140, "bug_id": 1375581, "comment": {"karma": -1, "karma_critpath": 0, "text": "This update broke Dogtag PKI setup during FreeIPA server installation:\n\n Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds\n [1/25]: creating certificate server user\n [2/25]: configuring certificate server instance\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9kNE80' returned non-zero exit status 1\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat\n [error] RuntimeError: CA configuration failed.\n Your system may be partly configured.\n Run /usr/sbin/ipa-server-install --uninstall to clean up.\n\n ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.\n ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information\n\nSee also the following cornucopia of stack traces in the pki-tomcat service journal log: https://paste.fedoraproject.org/460589/77394029\n\ngiving negative karma until the issue is fixed either on tomcat or dogtag side.\n\n\n", "timestamp": "2016-10-25 11:18:19", "update_id": 71124, "user_id": 1567, "id": 512140, "testcase_feedback": [], "user": {"name": "mbabinsk", "email": "mbabinsk@redhat.com", "id": 1567, "avatar": "https://seccdn.libravatar.org/avatar/abf8f97fed2d2d9cc024eb8a796b96500b124fbf8fdb541a9a189fa082adb6c1?s=24&d=retro", "openid": "mbabinsk.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 512141, "bug_id": 1375581, "comment": {"karma": -1, "karma_critpath": 0, "text": "After upgrade a restart of FreeIPA fails. In catalina log I can see there is a missing java class that cannot be found:\n\n 25-Oct-2016 14:29:18.278 SEVERE [localhost-startStop-1] org.apache.jasper.security.SecurityClassLoad.securityClassLoad SecurityClassLoad\n java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper\n at java.net.URLClassLoader.findClass(URLClassLoader.java:381)\n at java.lang.ClassLoader.loadClass(ClassLoader.java:424)\n at java.lang.ClassLoader.loadClass(ClassLoader.java:357)\n at org.apache.jasper.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:47)\n at org.apache.jasper.servlet.JasperInitializer.(JasperInitializer.java:52)\n at java.lang.Class.forName0(Native Method)\n at java.lang.Class.forName(Class.java:348)\n at org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:186)\n at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:157)\n at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1631)\n at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1140)\n at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:783)\n at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:307)\n at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)\n at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)\n at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5213)\n at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)\n at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)\n at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)\n at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)\n at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)\n at java.security.AccessController.doPrivileged(Native Method)\n at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)\n at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)\n at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)\n at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)\n at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)\n at java.util.concurrent.FutureTask.run(FutureTask.java:266)\n at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n at java.lang.Thread.run(Thread.java:745)\n\n", "timestamp": "2016-10-25 11:35:54", "update_id": 71124, "user_id": 1242, "id": 512141, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512142, "bug_id": 1375581, "comment": {"karma": 0, "karma_critpath": 0, "text": "Note that the only java packages upgraded were from tomcat:\n\n Running transaction check\n Transaction check succeeded.\n Running transaction test\n Transaction test succeeded.\n Running transaction\n Upgrading : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch 1/12 \n Upgrading : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch 2/12 \n Upgrading : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch 3/12 \n Upgrading : tomcat-lib-1:8.0.37-3.fc24.noarch 4/12 \n Upgrading : tomcat-1:8.0.37-3.fc24.noarch 5/12 \n Upgrading : pcre-8.39-6.fc24.x86_64 6/12 \n Cleanup : tomcat-1:8.0.36-2.fc24.noarch 7/12 \n Cleanup : tomcat-lib-1:8.0.36-2.fc24.noarch 8/12 \n Cleanup : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch 9/12 \n Cleanup : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch 10/12 \n Cleanup : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch 11/12 \n Cleanup : pcre-8.39-5.fc24.x86_64 12/12 \n Verifying : pcre-8.39-6.fc24.x86_64 1/12 \n Verifying : tomcat-1:8.0.37-3.fc24.noarch 2/12 \n Verifying : tomcat-lib-1:8.0.37-3.fc24.noarch 3/12 \n Verifying : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch 4/12 \n Verifying : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch 5/12 \n Verifying : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch 6/12 \n Verifying : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch 7/12 \n Verifying : tomcat-1:8.0.36-2.fc24.noarch 8/12 \n Verifying : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch 9/12 \n Verifying : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch 10/12 \n Verifying : tomcat-lib-1:8.0.36-2.fc24.noarch 11/12 \n Verifying : pcre-8.39-5.fc24.x86_64 12/12 \n \n Upgraded:\n pcre.x86_64 8.39-6.fc24 tomcat.noarch 1:8.0.37-3.fc24 \n tomcat-el-3.0-api.noarch 1:8.0.37-3.fc24 tomcat-jsp-2.3-api.noarch 1:8.0.37-3.fc24 \n tomcat-lib.noarch 1:8.0.37-3.fc24 tomcat-servlet-3.1-api.noarch 1:8.0.37-3.fc24 \n \n Complete!\n [root@f24-master ~]# ipactl stop\n Stopping ipa-dnskeysyncd Service\n Stopping ipa-otpd Service\n Stopping winbind Service\n Stopping smb Service\n Stopping pki-tomcatd Service\n Stopping ntpd Service\n Stopping ipa-custodia Service\n Stopping httpd Service\n Stopping ipa_memcached Service\n Stopping named Service\n Stopping kadmin Service\n Stopping krb5kdc Service\n Stopping Directory Service\n ipa: INFO: The ipactl command was successful\n [root@f24-master ~]# ipactl start\n Starting Directory Service\n debugging enabled, suppressing output.\n Starting krb5kdc Service\n Starting kadmin Service\n Starting named Service\n Starting ipa_memcached Service\n Starting httpd Service\n Starting ipa-custodia Service\n Starting ntpd Service\n Starting pki-tomcatd Service\n Failed to start pki-tomcatd Service\n Shutting down\n Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed\n Aborting ipactl\n ", "timestamp": "2016-10-25 11:38:21", "update_id": 71124, "user_id": 1242, "id": 512142, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512176, "bug_id": 1375581, "comment": {"karma": 0, "karma_critpath": 0, "text": "Corresponding Apache bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60101\n\nSo we need to get 8.0.38 packaged.", "timestamp": "2016-10-25 12:01:55", "update_id": 71124, "user_id": 1242, "id": 512176, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512181, "bug_id": 1375581, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks for pinning that down @abbra; I'll rebase to 8.0.38 asap.", "timestamp": "2016-10-25 12:12:54", "update_id": 71124, "user_id": 2565, "id": 512181, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}, {"karma": 0, "comment_id": 512733, "bug_id": 1375581, "comment": {"karma": 0, "karma_critpath": 0, "text": "Is it possible to remove the tomcat-8.0.37-3.fc24 package from updates-testing?", "timestamp": "2016-10-26 14:08:58", "update_id": 71124, "user_id": 2329, "id": 512733, "testcase_feedback": [], "user": {"name": "mkubik", "email": "mkubik@redhat.com", "id": 2329, "avatar": "https://seccdn.libravatar.org/avatar/e86ba69535a9375a864b04fefe0fdf646291f87ff8f4e54da24c682ac01f94e5?s=24&d=retro", "openid": "mkubik.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 512755, "bug_id": 1375581, "comment": {"karma": 0, "karma_critpath": 0, "text": "I was under the impression that adding a new build would remove the old one, but maybe that isn't the case. I do see that this update is pending the push to testing, so maybe when that happens the old build will be removed. I'm going to wait and see what happens when this update is pushed to testing. If it doesn't resolve it, I'll try untagging the 8.0.37-3 build.", "timestamp": "2016-10-26 14:47:40", "update_id": 71124, "user_id": 2565, "id": 512755, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}, {"karma": 1, "comment_id": 520039, "bug_id": 1375581, "comment": {"karma": 0, "karma_critpath": 0, "text": "wfm too :)", "timestamp": "2016-11-11 19:33:54", "update_id": 71123, "user_id": 2565, "id": 520039, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}]}, {"bug_id": 1383210, "title": "CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]", "security": true, "parent": false, "feedback": [{"karma": 0, "comment_id": 512140, "bug_id": 1383210, "comment": {"karma": -1, "karma_critpath": 0, "text": "This update broke Dogtag PKI setup during FreeIPA server installation:\n\n Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds\n [1/25]: creating certificate server user\n [2/25]: configuring certificate server instance\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9kNE80' returned non-zero exit status 1\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat\n [error] RuntimeError: CA configuration failed.\n Your system may be partly configured.\n Run /usr/sbin/ipa-server-install --uninstall to clean up.\n\n ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.\n ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information\n\nSee also the following cornucopia of stack traces in the pki-tomcat service journal log: https://paste.fedoraproject.org/460589/77394029\n\ngiving negative karma until the issue is fixed either on tomcat or dogtag side.\n\n\n", "timestamp": "2016-10-25 11:18:19", "update_id": 71124, "user_id": 1567, "id": 512140, "testcase_feedback": [], "user": {"name": "mbabinsk", "email": "mbabinsk@redhat.com", "id": 1567, "avatar": "https://seccdn.libravatar.org/avatar/abf8f97fed2d2d9cc024eb8a796b96500b124fbf8fdb541a9a189fa082adb6c1?s=24&d=retro", "openid": "mbabinsk.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 512141, "bug_id": 1383210, "comment": {"karma": -1, "karma_critpath": 0, "text": "After upgrade a restart of FreeIPA fails. In catalina log I can see there is a missing java class that cannot be found:\n\n 25-Oct-2016 14:29:18.278 SEVERE [localhost-startStop-1] org.apache.jasper.security.SecurityClassLoad.securityClassLoad SecurityClassLoad\n java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper\n at java.net.URLClassLoader.findClass(URLClassLoader.java:381)\n at java.lang.ClassLoader.loadClass(ClassLoader.java:424)\n at java.lang.ClassLoader.loadClass(ClassLoader.java:357)\n at org.apache.jasper.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:47)\n at org.apache.jasper.servlet.JasperInitializer.(JasperInitializer.java:52)\n at java.lang.Class.forName0(Native Method)\n at java.lang.Class.forName(Class.java:348)\n at org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:186)\n at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:157)\n at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1631)\n at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1140)\n at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:783)\n at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:307)\n at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)\n at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)\n at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5213)\n at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)\n at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)\n at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)\n at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)\n at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)\n at java.security.AccessController.doPrivileged(Native Method)\n at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)\n at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)\n at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)\n at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)\n at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)\n at java.util.concurrent.FutureTask.run(FutureTask.java:266)\n at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n at java.lang.Thread.run(Thread.java:745)\n\n", "timestamp": "2016-10-25 11:35:54", "update_id": 71124, "user_id": 1242, "id": 512141, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512142, "bug_id": 1383210, "comment": {"karma": 0, "karma_critpath": 0, "text": "Note that the only java packages upgraded were from tomcat:\n\n Running transaction check\n Transaction check succeeded.\n Running transaction test\n Transaction test succeeded.\n Running transaction\n Upgrading : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch 1/12 \n Upgrading : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch 2/12 \n Upgrading : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch 3/12 \n Upgrading : tomcat-lib-1:8.0.37-3.fc24.noarch 4/12 \n Upgrading : tomcat-1:8.0.37-3.fc24.noarch 5/12 \n Upgrading : pcre-8.39-6.fc24.x86_64 6/12 \n Cleanup : tomcat-1:8.0.36-2.fc24.noarch 7/12 \n Cleanup : tomcat-lib-1:8.0.36-2.fc24.noarch 8/12 \n Cleanup : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch 9/12 \n Cleanup : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch 10/12 \n Cleanup : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch 11/12 \n Cleanup : pcre-8.39-5.fc24.x86_64 12/12 \n Verifying : pcre-8.39-6.fc24.x86_64 1/12 \n Verifying : tomcat-1:8.0.37-3.fc24.noarch 2/12 \n Verifying : tomcat-lib-1:8.0.37-3.fc24.noarch 3/12 \n Verifying : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch 4/12 \n Verifying : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch 5/12 \n Verifying : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch 6/12 \n Verifying : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch 7/12 \n Verifying : tomcat-1:8.0.36-2.fc24.noarch 8/12 \n Verifying : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch 9/12 \n Verifying : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch 10/12 \n Verifying : tomcat-lib-1:8.0.36-2.fc24.noarch 11/12 \n Verifying : pcre-8.39-5.fc24.x86_64 12/12 \n \n Upgraded:\n pcre.x86_64 8.39-6.fc24 tomcat.noarch 1:8.0.37-3.fc24 \n tomcat-el-3.0-api.noarch 1:8.0.37-3.fc24 tomcat-jsp-2.3-api.noarch 1:8.0.37-3.fc24 \n tomcat-lib.noarch 1:8.0.37-3.fc24 tomcat-servlet-3.1-api.noarch 1:8.0.37-3.fc24 \n \n Complete!\n [root@f24-master ~]# ipactl stop\n Stopping ipa-dnskeysyncd Service\n Stopping ipa-otpd Service\n Stopping winbind Service\n Stopping smb Service\n Stopping pki-tomcatd Service\n Stopping ntpd Service\n Stopping ipa-custodia Service\n Stopping httpd Service\n Stopping ipa_memcached Service\n Stopping named Service\n Stopping kadmin Service\n Stopping krb5kdc Service\n Stopping Directory Service\n ipa: INFO: The ipactl command was successful\n [root@f24-master ~]# ipactl start\n Starting Directory Service\n debugging enabled, suppressing output.\n Starting krb5kdc Service\n Starting kadmin Service\n Starting named Service\n Starting ipa_memcached Service\n Starting httpd Service\n Starting ipa-custodia Service\n Starting ntpd Service\n Starting pki-tomcatd Service\n Failed to start pki-tomcatd Service\n Shutting down\n Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed\n Aborting ipactl\n ", "timestamp": "2016-10-25 11:38:21", "update_id": 71124, "user_id": 1242, "id": 512142, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512176, "bug_id": 1383210, "comment": {"karma": 0, "karma_critpath": 0, "text": "Corresponding Apache bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60101\n\nSo we need to get 8.0.38 packaged.", "timestamp": "2016-10-25 12:01:55", "update_id": 71124, "user_id": 1242, "id": 512176, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512181, "bug_id": 1383210, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks for pinning that down @abbra; I'll rebase to 8.0.38 asap.", "timestamp": "2016-10-25 12:12:54", "update_id": 71124, "user_id": 2565, "id": 512181, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}, {"karma": 0, "comment_id": 512733, "bug_id": 1383210, "comment": {"karma": 0, "karma_critpath": 0, "text": "Is it possible to remove the tomcat-8.0.37-3.fc24 package from updates-testing?", "timestamp": "2016-10-26 14:08:58", "update_id": 71124, "user_id": 2329, "id": 512733, "testcase_feedback": [], "user": {"name": "mkubik", "email": "mkubik@redhat.com", "id": 2329, "avatar": "https://seccdn.libravatar.org/avatar/e86ba69535a9375a864b04fefe0fdf646291f87ff8f4e54da24c682ac01f94e5?s=24&d=retro", "openid": "mkubik.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 512755, "bug_id": 1383210, "comment": {"karma": 0, "karma_critpath": 0, "text": "I was under the impression that adding a new build would remove the old one, but maybe that isn't the case. I do see that this update is pending the push to testing, so maybe when that happens the old build will be removed. I'm going to wait and see what happens when this update is pushed to testing. If it doesn't resolve it, I'll try untagging the 8.0.37-3 build.", "timestamp": "2016-10-26 14:47:40", "update_id": 71124, "user_id": 2565, "id": 512755, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}, {"karma": 1, "comment_id": 520039, "bug_id": 1383210, "comment": {"karma": 0, "karma_critpath": 0, "text": "wfm too :)", "timestamp": "2016-11-11 19:33:54", "update_id": 71123, "user_id": 2565, "id": 520039, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}]}, {"bug_id": 1383216, "title": "CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation [fedora-all]", "security": true, "parent": false, "feedback": [{"karma": 0, "comment_id": 512140, "bug_id": 1383216, "comment": {"karma": -1, "karma_critpath": 0, "text": "This update broke Dogtag PKI setup during FreeIPA server installation:\n\n Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds\n [1/25]: creating certificate server user\n [2/25]: configuring certificate server instance\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9kNE80' returned non-zero exit status 1\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:\n ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat\n [error] RuntimeError: CA configuration failed.\n Your system may be partly configured.\n Run /usr/sbin/ipa-server-install --uninstall to clean up.\n\n ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.\n ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information\n\nSee also the following cornucopia of stack traces in the pki-tomcat service journal log: https://paste.fedoraproject.org/460589/77394029\n\ngiving negative karma until the issue is fixed either on tomcat or dogtag side.\n\n\n", "timestamp": "2016-10-25 11:18:19", "update_id": 71124, "user_id": 1567, "id": 512140, "testcase_feedback": [], "user": {"name": "mbabinsk", "email": "mbabinsk@redhat.com", "id": 1567, "avatar": "https://seccdn.libravatar.org/avatar/abf8f97fed2d2d9cc024eb8a796b96500b124fbf8fdb541a9a189fa082adb6c1?s=24&d=retro", "openid": "mbabinsk.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 512141, "bug_id": 1383216, "comment": {"karma": -1, "karma_critpath": 0, "text": "After upgrade a restart of FreeIPA fails. In catalina log I can see there is a missing java class that cannot be found:\n\n 25-Oct-2016 14:29:18.278 SEVERE [localhost-startStop-1] org.apache.jasper.security.SecurityClassLoad.securityClassLoad SecurityClassLoad\n java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper\n at java.net.URLClassLoader.findClass(URLClassLoader.java:381)\n at java.lang.ClassLoader.loadClass(ClassLoader.java:424)\n at java.lang.ClassLoader.loadClass(ClassLoader.java:357)\n at org.apache.jasper.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:47)\n at org.apache.jasper.servlet.JasperInitializer.(JasperInitializer.java:52)\n at java.lang.Class.forName0(Native Method)\n at java.lang.Class.forName(Class.java:348)\n at org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:186)\n at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:157)\n at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1631)\n at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1140)\n at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:783)\n at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:307)\n at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)\n at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)\n at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5213)\n at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)\n at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)\n at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)\n at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)\n at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)\n at java.security.AccessController.doPrivileged(Native Method)\n at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)\n at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)\n at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)\n at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)\n at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)\n at java.util.concurrent.FutureTask.run(FutureTask.java:266)\n at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n at java.lang.Thread.run(Thread.java:745)\n\n", "timestamp": "2016-10-25 11:35:54", "update_id": 71124, "user_id": 1242, "id": 512141, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512142, "bug_id": 1383216, "comment": {"karma": 0, "karma_critpath": 0, "text": "Note that the only java packages upgraded were from tomcat:\n\n Running transaction check\n Transaction check succeeded.\n Running transaction test\n Transaction test succeeded.\n Running transaction\n Upgrading : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch 1/12 \n Upgrading : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch 2/12 \n Upgrading : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch 3/12 \n Upgrading : tomcat-lib-1:8.0.37-3.fc24.noarch 4/12 \n Upgrading : tomcat-1:8.0.37-3.fc24.noarch 5/12 \n Upgrading : pcre-8.39-6.fc24.x86_64 6/12 \n Cleanup : tomcat-1:8.0.36-2.fc24.noarch 7/12 \n Cleanup : tomcat-lib-1:8.0.36-2.fc24.noarch 8/12 \n Cleanup : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch 9/12 \n Cleanup : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch 10/12 \n Cleanup : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch 11/12 \n Cleanup : pcre-8.39-5.fc24.x86_64 12/12 \n Verifying : pcre-8.39-6.fc24.x86_64 1/12 \n Verifying : tomcat-1:8.0.37-3.fc24.noarch 2/12 \n Verifying : tomcat-lib-1:8.0.37-3.fc24.noarch 3/12 \n Verifying : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch 4/12 \n Verifying : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch 5/12 \n Verifying : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch 6/12 \n Verifying : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch 7/12 \n Verifying : tomcat-1:8.0.36-2.fc24.noarch 8/12 \n Verifying : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch 9/12 \n Verifying : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch 10/12 \n Verifying : tomcat-lib-1:8.0.36-2.fc24.noarch 11/12 \n Verifying : pcre-8.39-5.fc24.x86_64 12/12 \n \n Upgraded:\n pcre.x86_64 8.39-6.fc24 tomcat.noarch 1:8.0.37-3.fc24 \n tomcat-el-3.0-api.noarch 1:8.0.37-3.fc24 tomcat-jsp-2.3-api.noarch 1:8.0.37-3.fc24 \n tomcat-lib.noarch 1:8.0.37-3.fc24 tomcat-servlet-3.1-api.noarch 1:8.0.37-3.fc24 \n \n Complete!\n [root@f24-master ~]# ipactl stop\n Stopping ipa-dnskeysyncd Service\n Stopping ipa-otpd Service\n Stopping winbind Service\n Stopping smb Service\n Stopping pki-tomcatd Service\n Stopping ntpd Service\n Stopping ipa-custodia Service\n Stopping httpd Service\n Stopping ipa_memcached Service\n Stopping named Service\n Stopping kadmin Service\n Stopping krb5kdc Service\n Stopping Directory Service\n ipa: INFO: The ipactl command was successful\n [root@f24-master ~]# ipactl start\n Starting Directory Service\n debugging enabled, suppressing output.\n Starting krb5kdc Service\n Starting kadmin Service\n Starting named Service\n Starting ipa_memcached Service\n Starting httpd Service\n Starting ipa-custodia Service\n Starting ntpd Service\n Starting pki-tomcatd Service\n Failed to start pki-tomcatd Service\n Shutting down\n Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed\n Aborting ipactl\n ", "timestamp": "2016-10-25 11:38:21", "update_id": 71124, "user_id": 1242, "id": 512142, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512176, "bug_id": 1383216, "comment": {"karma": 0, "karma_critpath": 0, "text": "Corresponding Apache bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60101\n\nSo we need to get 8.0.38 packaged.", "timestamp": "2016-10-25 12:01:55", "update_id": 71124, "user_id": 1242, "id": 512176, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 512181, "bug_id": 1383216, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks for pinning that down @abbra; I'll rebase to 8.0.38 asap.", "timestamp": "2016-10-25 12:12:54", "update_id": 71124, "user_id": 2565, "id": 512181, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}, {"karma": 0, "comment_id": 512733, "bug_id": 1383216, "comment": {"karma": 0, "karma_critpath": 0, "text": "Is it possible to remove the tomcat-8.0.37-3.fc24 package from updates-testing?", "timestamp": "2016-10-26 14:08:58", "update_id": 71124, "user_id": 2329, "id": 512733, "testcase_feedback": [], "user": {"name": "mkubik", "email": "mkubik@redhat.com", "id": 2329, "avatar": "https://seccdn.libravatar.org/avatar/e86ba69535a9375a864b04fefe0fdf646291f87ff8f4e54da24c682ac01f94e5?s=24&d=retro", "openid": "mkubik.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 512755, "bug_id": 1383216, "comment": {"karma": 0, "karma_critpath": 0, "text": "I was under the impression that adding a new build would remove the old one, but maybe that isn't the case. I do see that this update is pending the push to testing, so maybe when that happens the old build will be removed. I'm going to wait and see what happens when this update is pushed to testing. If it doesn't resolve it, I'll try untagging the 8.0.37-3 build.", "timestamp": "2016-10-26 14:47:40", "update_id": 71124, "user_id": 2565, "id": 512755, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}, {"karma": 1, "comment_id": 520039, "bug_id": 1383216, "comment": {"karma": 0, "karma_critpath": 0, "text": "wfm too :)", "timestamp": "2016-11-11 19:33:54", "update_id": 71123, "user_id": 2565, "id": 520039, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}]}, {"bug_id": 1390532, "title": "CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws [fedora-all]", "security": true, "parent": false, "feedback": [{"karma": 1, "comment_id": 520039, "bug_id": 1390532, "comment": {"karma": 0, "karma_critpath": 0, "text": "wfm too :)", "timestamp": "2016-11-11 19:33:54", "update_id": 71123, "user_id": 2565, "id": 520039, "testcase_feedback": [], "user": {"name": "csutherl", "email": "csutherl@redhat.com", "id": 2565, "avatar": "https://seccdn.libravatar.org/avatar/d44964302ea7dbc5b71ae38cf11aa7dc1d59882f834050d7411a36dec8d5a106?s=24&d=retro", "openid": "csutherl.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "diversity-team"}]}}}]}], "updateid": "FEDORA-2016-c1b01b9278", "karma": 0, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}