Dear Markus,

>> [ I contacted t...@security.debian.org about this, but no response ... ]
> ... Please send them to the security team
> first and not to a public mailing list.

I did. They did not reply within what seemed a reasonable timeframe.

>> Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so...
> No, we did not modify this part in /etc/init.d/tomcat8. ...

Whoops, sorry, you are right. Now checking, I do not see how I got confused. This is a separate, maybe new issue.

> ... more information and a working proof
> of concept code are appreciated. ...

Maybe the security team will understand (recognize, accept) the issue without a PoC. If they reply with such a need, then I will write one.

You or they might accept the suggested patch/fix: mkdir without -p, chown with -h.

Cheers, Paul

Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia