project_key: JBEWS A flaw was recently reported for apache-/jakarta-commons-daemon jsvc: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2729 It only affected Linux builds that were compiled with libcap support. While investigating which EWS versions are affected, it was determined that we have libcap support in the RHEL-4 version, but not in RHEL-5 and RHEL-6. It should be determined whether jsvc should be compiled with libcap support or not, and be consistent across RHEL versions (i.e. explicitly disable it in the .spec file, or add the proper BuildRequires to have libcap-devel in the RHEL-5 and RHEL-6 buildroots too). As part of the response to CVE-2011-2729, we're disabling libcap support in the 1.0.2 RHEL-4 builds, for consistency with RHEL-5/6.
Malden, can you shed some light on whether we should build with libcap support or not? We should then sync all builds to make sure they all behave in the same manner. Thanks!
We should definitely *use* libcap on Linux. The solution would be to implement the patch [1] instead of disabling libcap! Using libcap is truly what jsvc is meant to be used for on Unixes, and that is to allow binding to port 80 while running as a non-root user. Using libcap is also a more secure solution because binding is done after the seteuid() call, unlike on other Unixes that don't have libcap, where it can be done only as root. So without libcap Tomcat runs as root until initialized and then it switches the user, while with libcap it runs as the target user with elevated privileges and then drops the capabilities after it is initialized. [1] https://svn.apache.org/viewvc/commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c?r1=1130635&r2=1152701&view=patch
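The libcap flow described in the comment above (run as the target user holding CAP_NET_BIND_SERVICE, bind the privileged port, then drop the capability) has a post-condition an operator can verify: once the daemon is initialized, its effective capability set in /proc/&lt;pid&gt;/status should be empty. The following audit helper is an added example, not code from the bug report or from the jsvc sources. It decodes the `CapEff:` line of a Linux status file (the bit position 10 for CAP_NET_BIND_SERVICE is taken from linux/capability.h; the status-file excerpt used for illustration is constructed) and reports whether the capability is still effective.

```c
/* Added example, not part of the bug report or the jsvc sources.
 * Audit helper: decode a Linux /proc/<pid>/status "CapEff:" line and
 * report whether the effective set still carries CAP_NET_BIND_SERVICE.
 * With libcap support, jsvc is expected to hold that capability only
 * until the port is bound and to show an empty CapEff afterwards. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>

#define CAP_NET_BIND_SERVICE_BIT 10   /* bit index from linux/capability.h */

/* Parse one status-file line such as "CapEff:\t0000000000000400".
 * Returns 0 and stores the 64-bit mask in *mask on success; -1 if the
 * line is not a CapEff line or the hex field is malformed. */
int parse_capeff_line(const char *line, uint64_t *mask)
{
    const char *prefix = "CapEff:";
    size_t plen = strlen(prefix);
    if (strncmp(line, prefix, plen) != 0)
        return -1;
    const char *p = line + plen;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '\0' || *p == '\n')
        return -1;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    /* Only trailing whitespace may follow the hex digits. */
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r')
        end++;
    if (*end != '\0')
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* 1 if CAP_NET_BIND_SERVICE is set in the mask, else 0. */
int has_net_bind_service(uint64_t mask)
{
    return (int)((mask >> CAP_NET_BIND_SERVICE_BIT) & 1ULL);
}

/* Scan a whole status-file buffer for its CapEff line.
 * Returns 0 with *mask filled, or -1 if no valid CapEff line exists. */
int capeff_from_status(const char *status_text, uint64_t *mask)
{
    const char *line = status_text;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[128];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (parse_capeff_line(buf, mask) == 0)
                return 0;
        }
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Read /proc/<pid>/status ("self" is accepted) and extract CapEff.
 * Returns -1 when the file is missing (non-Linux host) or lacks CapEff. */
int capeff_of_pid(const char *pid, uint64_t *mask)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char text[8192];
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return capeff_from_status(text, mask);
}

/* Usage: ./capaudit <pid-of-jsvc-child>   (defaults to "self") */
int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    uint64_t mask;
    if (capeff_of_pid(pid, &mask) != 0) {
        fprintf(stderr, "could not read CapEff for pid %s\n", pid);
        return 2;
    }
    printf("pid %s CapEff=%016llx\n", pid, (unsigned long long)mask);
    if (mask == 0)
        puts("effective set is empty: capabilities were dropped");
    else if (has_net_bind_service(mask))
        puts("CAP_NET_BIND_SERVICE still effective: expected only before bind()");
    else
        puts("non-empty effective set without CAP_NET_BIND_SERVICE");
    return mask == 0 ? 0 : 1;
}
```

Run it against the pid of the jsvc-controlled Tomcat process after startup: an exit status of 0 confirms the capability drop the comment describes; a non-zero CapEff on a long-running instance means the build either lacks libcap support (the process would then still be switching from root) or never reached the drop.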
Docs QE Status: Removed: NEW