[tomcat6] 03/13: drop patches included in upstream
Tony Mancill
tmancill at alioth.debian.org
Sun Aug 4 05:22:19 UTC 2013
tmancill pushed a commit to branch master
in repository tomcat6.
commit 6c7d85fc8a24d2fe4b8d63bbb838745e1b860cbf
Author: tony mancill <tmancill at debian.org>
Date: Sat Aug 3 20:57:53 2013 -0700
drop patches included in upstream
---
debian/patches/0014-CVE-2012-4534.patch | 75 -------------------------------
debian/patches/0015-CVE-2012-4431.patch | 51 ---------------------
debian/patches/0016-CVE-2012-3546.patch | 46 -------------------
debian/patches/series | 3 --
4 files changed, 175 deletions(-)
diff --git a/debian/patches/0014-CVE-2012-4534.patch b/debian/patches/0014-CVE-2012-4534.patch
deleted file mode 100644
index fec0610..0000000
--- a/debian/patches/0014-CVE-2012-4534.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-Description: Fix high CPU load with SSL, NIO and sendfile when
- client breaks the connection before reading all the requested data.
- It is a fix for CVE-2012-4534.
-Origin: upstream, http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?r1=1372035&r2=1372034&pathrev=1372035
-Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=52858
-
---- a/java/org/apache/tomcat/util/net/NioEndpoint.java
-+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
-@@ -1713,8 +1713,14 @@
- public boolean processSendfile(SelectionKey sk, KeyAttachment attachment, boolean reg, boolean event) {
- NioChannel sc = null;
- try {
-- //unreg(sk,attachment);//only do this if we do process send file on a separate thread
-+ unreg(sk, attachment, sk.readyOps());
- SendfileData sd = attachment.getSendfileData();
-+
-+ if (log.isTraceEnabled()) {
-+ log.trace("Processing send file for: " + sd.fileName);
-+ }
-+
-+ //setup the file channel
- if ( sd.fchannel == null ) {
- File f = new File(sd.fileName);
- if ( !f.exists() ) {
-@@ -1723,10 +1729,14 @@
- }
- sd.fchannel = new FileInputStream(f).getChannel();
- }
-+
-+ //configure output channel
- sc = attachment.getChannel();
- sc.setSendFile(true);
-+ //ssl channel is slightly different
- WritableByteChannel wc =(WritableByteChannel) ((sc instanceof SecureNioChannel)?sc:sc.getIOChannel());
--
-+
-+ //we still have data in the buffer
- if (sc.getOutboundRemaining()>0) {
- if (sc.flushOutbound()) {
- attachment.access();
-@@ -1753,15 +1763,13 @@
- attachment.setSendfileData(null);
- try {sd.fchannel.close();}catch(Exception ignore){}
- if ( sd.keepAlive ) {
-- if (reg) {
-- if (log.isDebugEnabled()) {
-- log.debug("Connection is keep alive, registering back for OP_READ");
-- }
-- if (event) {
-- this.add(attachment.getChannel(),SelectionKey.OP_READ);
-- } else {
-- reg(sk,attachment,SelectionKey.OP_READ);
-- }
-+ if (log.isDebugEnabled()) {
-+ log.debug("Connection is keep alive, registering back for OP_READ");
-+ }
-+ if (event) {
-+ this.add(attachment.getChannel(),SelectionKey.OP_READ);
-+ } else {
-+ reg(sk,attachment,SelectionKey.OP_READ);
- }
- } else {
- if (log.isDebugEnabled()) {
-@@ -1770,9 +1778,9 @@
- cancelledKey(sk,SocketStatus.STOP,false);
- return false;
- }
-- } else if ( attachment.interestOps() == 0 && reg ) {
-+ } else {
- if (log.isDebugEnabled()) {
-- log.debug("OP_WRITE for sendilfe:"+sd.fileName);
-+ log.debug("OP_WRITE for sendfile:" + sd.fileName);
- }
- if (event) {
- add(attachment.getChannel(),SelectionKey.OP_WRITE);
diff --git a/debian/patches/0015-CVE-2012-4431.patch b/debian/patches/0015-CVE-2012-4431.patch
deleted file mode 100644
index 8ad8d2e..0000000
--- a/debian/patches/0015-CVE-2012-4431.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Description: Improve session management in CsrfPreventionFilter (kkolinko)
- It is a fix for CVE-2012-4431.
-Origin: upstream, http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?r1=1394456&r2=1394455&pathrev=1394456
-
---- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
-+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
-@@ -33,6 +33,7 @@
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import javax.servlet.http.HttpServletResponseWrapper;
-+import javax.servlet.http.HttpSession;
-
- import org.apache.juli.logging.Log;
- import org.apache.juli.logging.LogFactory;
-@@ -153,16 +154,19 @@
- }
- }
-
-+ HttpSession session = req.getSession(false);
-+
- @SuppressWarnings("unchecked")
-- LruCache<String> nonceCache =
-- (LruCache<String>) req.getSession(true).getAttribute(
-- Constants.CSRF_NONCE_SESSION_ATTR_NAME);
--
-+ LruCache<String> nonceCache = (session == null) ? null
-+ : (LruCache<String>) session.getAttribute(
-+ Constants.CSRF_NONCE_SESSION_ATTR_NAME);
-+
- if (!skipNonceCheck) {
- String previousNonce =
- req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
-
-- if (nonceCache != null && !nonceCache.contains(previousNonce)) {
-+ if (nonceCache == null || previousNonce == null ||
-+ !nonceCache.contains(previousNonce)) {
- res.sendError(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-@@ -170,7 +174,10 @@
-
- if (nonceCache == null) {
- nonceCache = new LruCache<String>(nonceCacheSize);
-- req.getSession().setAttribute(
-+ if (session == null) {
-+ session = req.getSession(true);
-+ }
-+ session.setAttribute(
- Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
- }
-
diff --git a/debian/patches/0016-CVE-2012-3546.patch b/debian/patches/0016-CVE-2012-3546.patch
deleted file mode 100644
index 0ae4bb6..0000000
--- a/debian/patches/0016-CVE-2012-3546.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Description: Remove unneeded handling of FORM authentication in RealmBase.
- It is a fix for CVE-2012-3546.
-Origin: upstream, http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?r1=1381035&r2=1381034&pathrev=1381035
-
---- a/java/org/apache/catalina/realm/RealmBase.java
-+++ b/java/org/apache/catalina/realm/RealmBase.java
-@@ -45,7 +45,6 @@
- import org.apache.catalina.connector.Request;
- import org.apache.catalina.connector.Response;
- import org.apache.catalina.core.ContainerBase;
--import org.apache.catalina.deploy.LoginConfig;
- import org.apache.catalina.deploy.SecurityConstraint;
- import org.apache.catalina.deploy.SecurityCollection;
- import org.apache.catalina.util.HexUtils;
-@@ -734,31 +733,6 @@
- if (constraints == null || constraints.length == 0)
- return (true);
-
-- // Specifically allow access to the form login and form error pages
-- // and the "j_security_check" action
-- LoginConfig config = context.getLoginConfig();
-- if ((config != null) &&
-- (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
-- String requestURI = request.getRequestPathMB().toString();
-- String loginPage = config.getLoginPage();
-- if (loginPage.equals(requestURI)) {
-- if (log.isDebugEnabled())
-- log.debug(" Allow access to login page " + loginPage);
-- return (true);
-- }
-- String errorPage = config.getErrorPage();
-- if (errorPage.equals(requestURI)) {
-- if (log.isDebugEnabled())
-- log.debug(" Allow access to error page " + errorPage);
-- return (true);
-- }
-- if (requestURI.endsWith(Constants.FORM_ACTION)) {
-- if (log.isDebugEnabled())
-- log.debug(" Allow access to username/password submission");
-- return (true);
-- }
-- }
--
- // Which user principal have we already authenticated?
- Principal principal = request.getPrincipal();
- boolean status = false;
diff --git a/debian/patches/series b/debian/patches/series
index 617502e..9fb5128 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,7 +10,4 @@
0011-CVE-2012-0022-regression-fix.patch
cve-2012-2733.patch
cve-2012-3439.patch
-0014-CVE-2012-4534.patch
-0015-CVE-2012-4431.patch
-0016-CVE-2012-3546.patch
0017-eclipse-compiler-update.patch