cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hiroaki KAWAI <>
Subject Re: [VOTE][RESULTS] Release Apache CloudStack 4.1.0 (fifth round)
Date Tue, 04 Jun 2013 02:26:01 GMT

I looked into tomcat6.spec file, the catalina.out
stuff seems to be handled in rpm installation process.
/bin/touch ${RPM_BUILD_ROOT}%{logdir}/catalina.out

%attr(0644,tomcat,tomcat) %{logdir}/catalina.out

So I'd like to suggest to do as such in our cloudstack spec file, too.

(2013/06/03 19:10), Prasanna Santhanam wrote:
> I couldn't find a reasonably good solution for this. The vulnerability
> is fixed in Tomcat more than a year ago and it was applied only
> recently, as Ove pointed, in the distros. While this doesn't affect
> those upgrading, it is problematic for those installing CloudStack
> afresh.  Any version - 3.0.2, ($insert_commercial_version), 4.0,
> 4.0.1, 4.0.2, 4.1 and even the 4.2-SNAPSHOT RPMs.
> I've applied a fix on master (54127f8) that I think is reasonable by
> changing the permissions on the file so it is owned by user `cloud`
> which is the user cloudstack-management will run as. To understand why
> this is not an obvious hack please see [1]. If there's an even elegant
> way, please let the list know.
> I'm also not quite sure how and when the deb packages will be
> affected. It looked like the debian users haven't reported this
> problem yet. We started seeing issues of this right after May 25th,
> should've paid more attention then (/me facepalm)
> It's an awkward situation, so I'm not sure what will be the next
> course of action since our src release is ready to be published.
> The options are:
> a) Publish workaround of giving `cloud` permissions to catalina.out
> b) Release a new source package with fix cherry-picked to 4.1 and
> whereever applicable.
> b. shouldn't take longer - just testing the packaging should be
> sufficient. CloudStack's overall functionality is satisfactory from
> the tests done so far.
> [1]

View raw message