[SCM] tomcat7: Servlet and JSP engine branch, master, updated. debian/7.0.28-3+nmu1-2-ga0d091a
tony mancill
tmancill at debian.org
Sat Dec 8 07:44:51 UTC 2012
The following commit has been merged in the master branch:
commit 802ae65a6512e6e9c9c61efa41a84f1348582266
Author: tony mancill <tmancill at debian.org>
Date: Fri Dec 7 21:30:54 2012 -0800
add upstream patches for 695251
diff --git a/debian/changelog b/debian/changelog
index 56461ca..ac92166 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+tomcat7 (7.0.28-4) UNRELEASED; urgency=high
+
+ * Acknowledge NMU: 7.0.28-3+nmu1 (Closes: #692440)
+ - Thank you to Michael Gilbert.
+ * Add patches for the following security issues: (Closes: #695251)
+ - CVE-2012-4431, CVE-2012-3546
+
+ -- tony mancill <tmancill at debian.org> Thu, 06 Dec 2012 22:25:07 -0800
+
tomcat7 (7.0.28-3+nmu1) unstable; urgency=high
* Non-maintainer upload.
diff --git a/debian/patches/0016-CVE-2012-4431.patch b/debian/patches/0016-CVE-2012-4431.patch
new file mode 100644
index 0000000..a394cd8
--- /dev/null
+++ b/debian/patches/0016-CVE-2012-4431.patch
@@ -0,0 +1,51 @@
+Description: Improve session management in CsrfPreventionFilter
+ It is a fix for CVE-2012-4431.
+Origin: upstream, http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?r1=1393088&r2=1393087&pathrev=1393088
+
+--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
++++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+@@ -33,6 +33,7 @@
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+ import javax.servlet.http.HttpServletResponseWrapper;
++import javax.servlet.http.HttpSession;
+
+ import org.apache.juli.logging.Log;
+ import org.apache.juli.logging.LogFactory;
+@@ -153,16 +154,19 @@
+ }
+ }
+
++ HttpSession session = req.getSession(false);
++
+ @SuppressWarnings("unchecked")
+- LruCache<String> nonceCache =
+- (LruCache<String>) req.getSession(true).getAttribute(
+- Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+-
++ LruCache<String> nonceCache = (session == null) ? null
++ : (LruCache<String>) session.getAttribute(
++ Constants.CSRF_NONCE_SESSION_ATTR_NAME);
++
+ if (!skipNonceCheck) {
+ String previousNonce =
+ req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
+
+- if (nonceCache != null && !nonceCache.contains(previousNonce)) {
++ if (nonceCache == null || previousNonce == null ||
++ !nonceCache.contains(previousNonce)) {
+ res.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+@@ -170,7 +174,10 @@
+
+ if (nonceCache == null) {
+ nonceCache = new LruCache<String>(nonceCacheSize);
+- req.getSession().setAttribute(
++ if (session == null) {
++ session = req.getSession(true);
++ }
++ session.setAttribute(
+ Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
+ }
+
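Review bot: The new fail-closed condition `if (nonceCache == null || previousNonce == null ||` carries no comment explaining why a request with no session, no cached nonces, or no nonce parameter is now rejected, which is the whole substance of this fix and is the line most likely to be "simplified" back into the old `nonceCache != null &&` form by a later maintainer. I would add above it `// No session/nonce cache or no nonce in the request: fail closed (CVE-2012-4431)`. The switch to `HttpSession session = req.getSession(false);` also changes when a session is created — only once a nonce cache has to be stored in the later `if (nonceCache == null)` block — and that deserves a one-line comment at the declaration, since the old code created a session on every request. The enclosing method (presumably the filter's doFilter) starts and ends outside the hunk, so `skipNonceCheck` and `nonceCacheSize` are not visible here.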
diff --git a/debian/patches/0017-CVE-2012-3546.patch b/debian/patches/0017-CVE-2012-3546.patch
new file mode 100644
index 0000000..97940ab
--- /dev/null
+++ b/debian/patches/0017-CVE-2012-3546.patch
@@ -0,0 +1,48 @@
+Description: Remove unneeded handling of FORM authentication in RealmBase.
+ The login and error pages are handled via forward, so processing completes
+ before this code is ever reached. The action page is handled elsewhere.
+ It is a fix for CVE-2012-3546.
+Origin: upstream, http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?r1=1377892&r2=1377891&pathrev=1377892
+
+--- a/java/org/apache/catalina/realm/RealmBase.java
++++ b/java/org/apache/catalina/realm/RealmBase.java
+@@ -45,7 +45,6 @@
+ import org.apache.catalina.Wrapper;
+ import org.apache.catalina.connector.Request;
+ import org.apache.catalina.connector.Response;
+-import org.apache.catalina.deploy.LoginConfig;
+ import org.apache.catalina.deploy.SecurityCollection;
+ import org.apache.catalina.deploy.SecurityConstraint;
+ import org.apache.catalina.mbeans.MBeanUtils;
+@@ -819,31 +818,6 @@
+ if (constraints == null || constraints.length == 0)
+ return (true);
+
+- // Specifically allow access to the form login and form error pages
+- // and the "j_security_check" action
+- LoginConfig config = context.getLoginConfig();
+- if ((config != null) &&
+- (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
+- String requestURI = request.getRequestPathMB().toString();
+- String loginPage = config.getLoginPage();
+- if (loginPage.equals(requestURI)) {
+- if (log.isDebugEnabled())
+- log.debug(" Allow access to login page " + loginPage);
+- return (true);
+- }
+- String errorPage = config.getErrorPage();
+- if (errorPage.equals(requestURI)) {
+- if (log.isDebugEnabled())
+- log.debug(" Allow access to error page " + errorPage);
+- return (true);
+- }
+- if (requestURI.endsWith(Constants.FORM_ACTION)) {
+- if (log.isDebugEnabled())
+- log.debug(" Allow access to username/password submission");
+- return (true);
+- }
+- }
+-
+ // Which user principal have we already authenticated?
+ Principal principal = request.getPrincipal();
+ boolean status = false;
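Review bot: The patch Description describes the removed block only as "unneeded handling" and does not state the security consequence that makes it a CVE fix: the dropped `if (requestURI.endsWith(Constants.FORM_ACTION))` branch appears to have returned `true` from the constraint check for any request URI ending in the form action, independent of the constraints matched above it. For a file named after the CVE, I would add one sentence to the Description, e.g. ` The removed endsWith(FORM_ACTION) branch allowed requests to bypass security constraints (CVE-2012-3546).` The enclosing method starts and ends outside the hunk; only the `constraints` early return and the `principal` lookup are visible as context.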
diff --git a/debian/patches/series b/debian/patches/series
index 4f78259..8635686 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,5 @@
0013-dont-look-for-build-properties-in-user-home.patch
cve-2012-3439.patch
cve-2012-3439-tests.patch
+0016-CVE-2012-4431.patch
+0017-CVE-2012-3546.patch