Date:      Mon, 13 Jul 2015 13:40:41 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 201526] devel/oozie: bundled version of tomcat is vulnerable, unnecessary
Message-ID:  <bug-201526-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201526

            Bug ID: 201526
           Summary: devel/oozie: bundled version of tomcat is vulnerable,
                    unnecessary
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: demon@FreeBSD.org
          Reporter: feld@FreeBSD.org
             Flags: maintainer-feedback?(demon@FreeBSD.org)

oozie bundles Tomcat 6.0.41 which is unnecessary and currently a security
vulnerability. You should be able to require www/tomcat6 as a RUN_DEPENDENCY
instead. Tomcat has the ability for different programs to share a single
installation via the use of CATALINA_HOME and CATALINA_BASE using something
like this:

CATALINA_HOME=${LOCALBASE}/apache-tomcat-6.0
CATALINA_BASE=${LOCALBASE}/oozie/oozie-server

The CATALINA_HOME should point to the system-installed Tomcat and CATALINA_BASE
is where you want your own private {bin,conf,logs,temp,webapps,work} dirs. (bin
is usually only used if you want to supply a setenv.sh script to override any
ENVs internal to Tomcat)

My initial glance at oozie indicates we should be able to easily patch oozied.sh
to handle this.

I do not know how to run or test oozie, but if you would like my assistance I
can help with this if you can do the testing.


Thanks!

-- 
You are receiving this mail because:
You are the assignee for the bug.
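
The CATALINA_HOME/CATALINA_BASE split described in the report, as an added example that is not part of the original message or of the oozie port: one function builds the private instance directories, the other flags an instance directory that still carries its own Tomcat runtime. The function names, the file list checked and the directory modes are assumptions of this example.

```shell
#!/bin/sh
# Added example: not code from the bug report or from the oozie port.

# Directories the report lists as private to CATALINA_BASE.
BASE_DIRS="bin conf logs temp webapps work"

# Create a private CATALINA_BASE skeleton next to a shared CATALINA_HOME.
# conf/ is seeded from the shared install only when the instance has no
# server.xml of its own, so an existing configuration is never overwritten.
make_catalina_base() {
    cb_home=$1
    cb_base=$2
    if [ ! -f "$cb_home/bin/catalina.sh" ]; then
        echo "no Tomcat installation at $cb_home" >&2
        return 1
    fi
    for cb_dir in $BASE_DIRS; do
        mkdir -p "$cb_base/$cb_dir" || return 1
    done
    if [ ! -f "$cb_base/conf/server.xml" ]; then
        cp -R "$cb_home/conf/." "$cb_base/conf/" || return 1
    fi
    # Modes chosen for this example: keep instance state away from "other".
    chmod 750 "$cb_base/conf" "$cb_base/logs" "$cb_base/temp" "$cb_base/work"
}

# Return 0 when the instance directory holds no Tomcat runtime of its own,
# 1 when bundled runtime files are present. A bundled copy does not change
# when the system Tomcat package is updated.
base_is_clean() {
    cb_base=$1
    for cb_file in bin/catalina.sh bin/bootstrap.jar lib/catalina.jar; do
        if [ -e "$cb_base/$cb_file" ]; then
            echo "bundled Tomcat file: $cb_base/$cb_file" >&2
            return 1
        fi
    done
    return 0
}
```

With the paths from the report, the call would be `make_catalina_base "$LOCALBASE/apache-tomcat-6.0" "$LOCALBASE/oozie/oozie-server"`, after which both variables are exported before running `$CATALINA_HOME/bin/catalina.sh`.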


