[Git][java-team/tomcat8][stretch] 4 commits: Import patches for CVE-2018-1304 and CVE-2018-1305 and fix #867247
Markus Koschany
gitlab at salsa.debian.org
Sun Aug 26 14:56:36 BST 2018
Markus Koschany pushed to branch stretch at Debian Java Maintainers / tomcat8
Commits:
3f7b0915 by Markus Koschany at 2018-08-24T19:10:51Z
Import patches for CVE-2018-1304 and CVE-2018-1305 and fix #867247
- - - - -
363aca77 by Markus Koschany at 2018-08-24T19:43:56Z
Fix CVE-2018-1336, CVE-2018-8034 and CVE-2018-8037
- - - - -
ceb63208 by Markus Koschany at 2018-08-24T19:47:32Z
Update changelog
- - - - -
81e0a521 by Markus Koschany at 2018-08-24T19:53:53Z
Update CVE-2018-8034.patch
- - - - -
8 changed files:
- debian/changelog
- debian/libtomcat8-java.manifest
- + debian/patches/CVE-2018-1304.patch
- + debian/patches/CVE-2018-1305.patch
- + debian/patches/CVE-2018-1336.patch
- + debian/patches/CVE-2018-8034.patch
- + debian/patches/CVE-2018-8037.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,41 @@
+tomcat8 (8.5.14-1+deb9u3) stretch-security; urgency=high
+
+ [ Emmanuel Bourg ]
+ * Fixed CVE-2018-1304: Security constraints mapped to context root are
+ ignored. The URL pattern of "" (the empty string) which exactly maps to the
+ context root was not correctly handled when used as part of a security
+ constraint definition. This caused the constraint to be ignored. It was,
+ therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.
+ * Fixed CVE-2018-1305: Security constraint annotations applied too late.
+ Security constraints defined by annotations of Servlets were only applied
+ once a Servlet had been loaded. Because security constraints defined in
+ this way apply to the URL pattern and any URLs below that point, it was
+ possible - depending on the order Servlets were loaded - for some security
+ constraints not to be applied. This could have exposed resources to users
+ who were not authorised to access them.
+ * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use
+ the specification jars from libtomcat8-java instead of libservlet3.1-java
+ (Closes: #867247)
+
+ [ Markus Koschany ]
+ * Fix CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder
+ with supplementary characters can lead to an infinite loop in the decoder
+ causing a Denial of Service.
+ * Fix CVE-2018-8034: The host name verification when using TLS with the
+ WebSocket client was missing. It is now enabled by default.
+ * Fix CVE-2018-8037: If an async request was completed by the application at
+ the same time as the container triggered the async timeout, a race condition
+ existed that could result in a user seeing a response intended for a
+ different user. An additional issue was present in the NIO and NIO2
+ connectors that did not correctly track the closure of the connection when an
+ async request was completed by the application and timed out by the container
+ at the same time. This could also result in a user seeing a response intended
+ for another user.
+
+ -- Markus Koschany <apo at debian.org> Fri, 24 Aug 2018 21:44:12 +0200
+
tomcat8 (8.5.14-1+deb9u2) stretch-security; urgency=high
* Team upload.
=====================================
debian/libtomcat8-java.manifest
=====================================
@@ -19,7 +19,7 @@ usr/share/java/tomcat8-jasper.jar:
Export-Package: org.apache.jasper;version="8.0.0";uses:="javax.servlet,javax.servlet.jsp.tagext,org.apache.jasper.compiler,org.apache.jasper.servlet,org.apache.tools.ant",org.apache.jasper.compiler;version="8.0.0";uses:="javax.el,javax.servlet,javax.servlet.jsp.tagext,javax.xml.parsers,org.apache.jasper,org.apache.jasper.compiler.tagplugin,org.apache.jasper.servlet,org.apache.jasper.util,org.apache.jasper.xmlparser,org.apache.juli.logging,org.apache.tomcat,org.apache.tools.ant,org.eclipse.jdt.internal.compiler,org.eclipse.jdt.internal.compiler.env,org.xml.sax,org.xml.sax.ext,org.xml.sax.helpers",org.apache.jasper.compiler.tagplugin;version="8.0.0",org.apache.jasper.el;version="8.0.0";uses:="javax.el,javax.servlet.jsp.el",org.apache.jasper.resources;version="8.0.0",org.apache.jasper.runtime;version="8.0.0";uses:="javax.el,javax.servlet,javax.servlet.http,javax.servlet.jsp,javax.servlet.jsp.el,javax.servlet.jsp.tagext,org.apache.jasper,org.apache.jasper.el,org.apache.tomcat",org.apache.jasper.security;version="8.0.0",org.apache.jasper.servlet;version="8.0.0";uses:="javax.servlet,javax.servlet.descriptor,javax.servlet.http,javax.servlet.jsp.tagext,org.apache.jasper,org.apache.jasper.compiler,org.apache.jasper.util,org.apache.tomcat",org.apache.jasper.tagplugins.jstl;version="8.0.0";uses:="javax.servlet,javax.servlet.http,javax.servlet.jsp",org.apache.jasper.tagplugins.jstl.core;version="8.0.0";uses:="org.apache.jasper.compiler.tagplugin",org.apache.jasper.util;version="8.0.0";uses:="org.xml.sax,org.xml.sax.helpers",org.apache.jasper.xmlparser;version="8.0.0";uses:="org.apache.jasper,org.apache.jasper.compiler,org.w3c.dom,org.xml.sax"
Import-Package: javax.el;version="[1.0.0, 3.1.0)",javax.servlet;version="[2.6.0, 4.0.0)",javax.servlet.descriptor;version="[2.6.0, 4.0.0)",javax.servlet.http;version="[2.6.0, 4.0.0)",javax.servlet.jsp;version="[2.2.0, 3.0.0)",javax.servlet.jsp.el;version="[2.2.0, 3.0.0)",javax.servlet.jsp.resources;version="[2.2.0, 3.0.0)",javax.servlet.jsp.tagext;version="[2.2.0, 3.0.0)",javax.servlet.resources;version="[2.6.0, 4.0.0)",javax.xml.parsers;version="0",org.apache.el;version="[8.0.0, 8.0.0]",org.apache.el.lang;version="[8.0.0, 8.0.0]",org.apache.juli.logging;version="[8.0.0, 8.0.0]",org.apache.tomcat;version="[8.0.0, 8.0.0]",org.apache.tomcat.util.scan;version="[8.0.0, 8.0.0]",org.apache.tools.ant;version="[1.7.0, 2.0.0)";resolution:="optional",org.apache.tools.ant.taskdefs;version="[1.7.0, 2.0.0)";resolution:="optional",org.apache.tools.ant.types;version="[1.7.0, 2.0.0)";resolution:="optional",org.apache.tools.ant.util;version="[1.7.0, 2.0.0)";resolution:="optional",org.eclipse.jdt.core.compiler;version="0",org.eclipse.jdt.internal.compiler;version="0",org.eclipse.jdt.internal.compiler.classfmt;version="0",org.eclipse.jdt.internal.compiler.env;version="0",org.eclipse.jdt.internal.compiler.impl;version="0",org.eclipse.jdt.internal.compiler.problem;version="0",org.w3c.dom;version="0",org.xml.sax;version="0",org.xml.sax.ext;version="0",org.xml.sax.helpers;version="0"
Unversioned-Imports: javax.xml.parsers.*,org.w3c.dom.*,org.xml.sax.*
- Class-Path: ecj.jar el-api-3.0.jar servlet-api-3.1.jar jsp-api-2.3.jar
+ Class-Path: ecj.jar tomcat8-el-api.jar tomcat8-servlet-api.jar tomcat8-jsp-api.jar
usr/share/java/tomcat8-juli.jar:
Bundle-ManifestVersion: 2
=====================================
debian/patches/CVE-2018-1304.patch
=====================================
@@ -0,0 +1,31 @@
+Description: CVE-2018-1304: The URL pattern of "" (the empty string) which
+ exactly maps to the context root was not correctly handled when used as part
+ of a security constraint definition. This caused the constraint to be ignored.
+ It was, therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.
+Origin: backport, http://svn.apache.org/r1823307
+--- a/java/org/apache/catalina/realm/RealmBase.java
++++ b/java/org/apache/catalina/realm/RealmBase.java
+@@ -550,9 +550,9 @@
+
+ // Check each defined security constraint
+ String uri = request.getRequestPathMB().toString();
+- // Bug47080 - in rare cases this may be null
++ // Bug47080 - in rare cases this may be null or ""
+ // Mapper treats as '/' do the same to prevent NPE
+- if (uri == null) {
++ if (uri == null || uri.length() == 0) {
+ uri = "/";
+ }
+
+@@ -584,7 +584,8 @@
+ }
+
+ for(int k=0; k < patterns.length; k++) {
+- if(uri.equals(patterns[k])) {
++ // Exact match including special case for the context root.
++ if(uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")) {
+ found = true;
+ if(collection[j].findMethod(method)) {
+ if(results == null) {
=====================================
debian/patches/CVE-2018-1305.patch
=====================================
@@ -0,0 +1,358 @@
+Description: CVE-2018-1305: Process all ServletSecurity annotations at web
+ application start rather than at servlet load time to ensure constraints
+ are applied consistently.
+Origin: backport, https://svn.apache.org/r1823314
+ https://svn.apache.org/r1824358
+--- a/java/org/apache/catalina/Wrapper.java
++++ b/java/org/apache/catalina/Wrapper.java
+@@ -368,21 +368,23 @@
+ public void setEnabled(boolean enabled);
+
+ /**
+- * Set the flag that indicates
+- * {@link javax.servlet.annotation.ServletSecurity} annotations must be
+- * scanned when the Servlet is first used.
++ * This method is no longer used. All implementations should be NO-OPs.
+ *
+- * @param b The new value of the flag
++ * @param b Unused.
++ *
++ * @deprecated This will be removed in Tomcat 9.
+ */
++ @Deprecated
+ public void setServletSecurityAnnotationScanRequired(boolean b);
+
+ /**
+- * Scan for (if necessary) and process (if found) the
+- * {@link javax.servlet.annotation.ServletSecurity} annotations for the
+- * Servlet associated with this wrapper.
++ * This method is no longer used. All implementations should be NO-OPs.
++ *
++ * @throws ServletException Never thrown
+ *
+- * @throws ServletException if an annotation scanning error occurs
++ * @deprecated This will be removed in Tomcat 9.
+ */
++ @Deprecated
+ public void servletSecurityAnnotationScan() throws ServletException;
+
+ /**
+--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
++++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+@@ -52,7 +52,6 @@
+ import org.apache.catalina.Session;
+ import org.apache.catalina.TomcatPrincipal;
+ import org.apache.catalina.Valve;
+-import org.apache.catalina.Wrapper;
+ import org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl;
+ import org.apache.catalina.authenticator.jaspic.MessageInfoImpl;
+ import org.apache.catalina.connector.Request;
+@@ -455,13 +454,6 @@
+
+ boolean authRequired = isContinuationRequired(request);
+
+- // The Servlet may specify security constraints through annotations.
+- // Ensure that they have been processed before constraints are checked
+- Wrapper wrapper = request.getMappingData().wrapper;
+- if (wrapper != null) {
+- wrapper.servletSecurityAnnotationScan();
+- }
+-
+ Realm realm = this.context.getRealm();
+ // Is this request URI subject to a security constraint?
+ SecurityConstraint[] constraints = realm.findSecurityConstraints(request, this.context);
+--- a/java/org/apache/catalina/core/ApplicationContext.java
++++ b/java/org/apache/catalina/core/ApplicationContext.java
+@@ -50,8 +50,10 @@
+ import javax.servlet.ServletRegistration.Dynamic;
+ import javax.servlet.ServletRequestAttributeListener;
+ import javax.servlet.ServletRequestListener;
++import javax.servlet.ServletSecurityElement;
+ import javax.servlet.SessionCookieConfig;
+ import javax.servlet.SessionTrackingMode;
++import javax.servlet.annotation.ServletSecurity;
+ import javax.servlet.descriptor.JspConfigDescriptor;
+ import javax.servlet.http.HttpSessionAttributeListener;
+ import javax.servlet.http.HttpSessionIdListener;
+@@ -68,6 +70,7 @@
+ import org.apache.catalina.connector.Connector;
+ import org.apache.catalina.mapper.MappingData;
+ import org.apache.catalina.servlet4preview.http.ServletMapping;
++import org.apache.catalina.util.Introspection;
+ import org.apache.catalina.util.ServerInfo;
+ import org.apache.catalina.util.URLEncoder;
+ import org.apache.tomcat.util.ExceptionUtils;
+@@ -918,11 +921,19 @@
+ }
+ }
+
++ ServletSecurity annotation = null;
+ if (servlet == null) {
+ wrapper.setServletClass(servletClass);
++ Class<?> clazz = Introspection.loadClass(context, servletClass);
++ if (clazz != null) {
++ annotation = clazz.getAnnotation(ServletSecurity.class);
++ }
+ } else {
+ wrapper.setServletClass(servlet.getClass().getName());
+ wrapper.setServlet(servlet);
++ if (context.wasCreatedDynamicServlet(servlet)) {
++ annotation = servlet.getClass().getAnnotation(ServletSecurity.class);
++ }
+ }
+
+ if (initParams != null) {
+@@ -931,7 +942,12 @@
+ }
+ }
+
+- return context.dynamicServletAdded(wrapper);
++ ServletRegistration.Dynamic registration =
++ new ApplicationServletRegistration(wrapper, context);
++ if (annotation != null) {
++ registration.setServletSecurity(new ServletSecurityElement(annotation));
++ }
++ return registration;
+ }
+
+
+--- a/java/org/apache/catalina/core/ApplicationServletRegistration.java
++++ b/java/org/apache/catalina/core/ApplicationServletRegistration.java
+@@ -45,6 +45,7 @@
+
+ private final Wrapper wrapper;
+ private final Context context;
++ private ServletSecurityElement constraint;
+
+ public ApplicationServletRegistration(Wrapper wrapper,
+ Context context) {
+@@ -159,6 +160,7 @@
+ getName(), context.getName()));
+ }
+
++ this.constraint = constraint;
+ return context.addServletSecurity(this, constraint);
+ }
+
+@@ -193,6 +195,11 @@
+ context.addServletMappingDecoded(
+ UDecoder.URLDecode(urlPattern, "UTF-8"), wrapper.getName());
+ }
++
++ if (constraint != null) {
++ context.addServletSecurity(this, constraint);
++ }
++
+ return Collections.emptySet();
+ }
+
+--- a/java/org/apache/catalina/core/StandardContext.java
++++ b/java/org/apache/catalina/core/StandardContext.java
+@@ -4443,28 +4443,36 @@
+ }
+
+ /**
+- * Hook to register that we need to scan for security annotations.
+- * @param wrapper The wrapper for the Servlet that was added
+- * @return the associated registration
++ * Create a servlet registration.
++ *
++ * @param wrapper The wrapper for which the registration should be created.
++ *
++ * @return An appropriate registration
++ *
++ * @deprecated This will be removed in Tomcat 9. The registration should be
++ * created directly.
+ */
++ @Deprecated
+ public ServletRegistration.Dynamic dynamicServletAdded(Wrapper wrapper) {
+- Servlet s = wrapper.getServlet();
+- if (s != null && createdServlets.contains(s)) {
+- // Mark the wrapper to indicate annotations need to be scanned
+- wrapper.setServletSecurityAnnotationScanRequired(true);
+- }
+ return new ApplicationServletRegistration(wrapper, this);
+ }
+
+ /**
+- * Hook to track which registrations need annotation scanning
+- * @param servlet the Servlet to add
++ * Hook to track which Servlets were created via
++ * {@link ServletContext#createServlet(Class)}.
++ *
++ * @param servlet the created Servlet
+ */
+ public void dynamicServletCreated(Servlet servlet) {
+ createdServlets.add(servlet);
+ }
+
+
++ public boolean wasCreatedDynamicServlet(Servlet servlet) {
++ return createdServlets.contains(servlet);
++ }
++
++
+ /**
+ * A helper class to manage the filter mappings in a Context.
+ */
+@@ -5741,8 +5749,6 @@
+ newSecurityConstraints) {
+ addConstraint(securityConstraint);
+ }
+-
+- checkConstraintsForUncoveredMethods(newSecurityConstraints);
+ }
+ }
+
+--- a/java/org/apache/catalina/core/StandardWrapper.java
++++ b/java/org/apache/catalina/core/StandardWrapper.java
+@@ -42,11 +42,9 @@
+ import javax.servlet.ServletConfig;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+-import javax.servlet.ServletSecurityElement;
+ import javax.servlet.SingleThreadModel;
+ import javax.servlet.UnavailableException;
+ import javax.servlet.annotation.MultipartConfig;
+-import javax.servlet.annotation.ServletSecurity;
+
+ import org.apache.catalina.Container;
+ import org.apache.catalina.ContainerServlet;
+@@ -256,8 +254,6 @@
+ */
+ protected boolean enabled = true;
+
+- protected volatile boolean servletSecurityAnnotationScanRequired = false;
+-
+ private boolean overridable = false;
+
+ /**
+@@ -619,7 +615,7 @@
+ */
+ @Override
+ public void setServletSecurityAnnotationScanRequired(boolean b) {
+- this.servletSecurityAnnotationScanRequired = b;
++ // NO-OP
+ }
+
+ // --------------------------------------------------------- Public Methods
+@@ -1078,8 +1074,6 @@
+ }
+ }
+
+- processServletSecurityAnnotation(servlet.getClass());
+-
+ // Special handling for ContainerServlet instances
+ if ((servlet instanceof ContainerServlet) &&
+ (isContainerProvidedServlet(servletClass) ||
+@@ -1122,40 +1116,9 @@
+ */
+ @Override
+ public void servletSecurityAnnotationScan() throws ServletException {
+- if (getServlet() == null) {
+- Class<?> clazz = null;
+- try {
+- clazz = ((Context) getParent()).getLoader().getClassLoader().loadClass(
+- getServletClass());
+- processServletSecurityAnnotation(clazz);
+- } catch (ClassNotFoundException e) {
+- // Safe to ignore. No class means no annotations to process
+- }
+- } else {
+- if (servletSecurityAnnotationScanRequired) {
+- processServletSecurityAnnotation(getServlet().getClass());
+- }
+- }
++ // NO-OP
+ }
+
+- private void processServletSecurityAnnotation(Class<?> clazz) {
+- // Calling this twice isn't harmful so no syncs
+- servletSecurityAnnotationScanRequired = false;
+-
+- Context ctxt = (Context) getParent();
+-
+- if (ctxt.getIgnoreAnnotations()) {
+- return;
+- }
+-
+- ServletSecurity secAnnotation =
+- clazz.getAnnotation(ServletSecurity.class);
+- if (secAnnotation != null) {
+- ctxt.addServletSecurity(
+- new ApplicationServletRegistration(this, ctxt),
+- new ServletSecurityElement(secAnnotation));
+- }
+- }
+
+ private synchronized void initServlet(Servlet servlet)
+ throws ServletException {
+--- a/java/org/apache/catalina/startup/ContextConfig.java
++++ b/java/org/apache/catalina/startup/ContextConfig.java
+@@ -343,19 +343,10 @@
+
+ LoginConfig loginConfig = context.getLoginConfig();
+
+- SecurityConstraint constraints[] = context.findConstraints();
+- if (context.getIgnoreAnnotations() &&
+- (constraints == null || constraints.length ==0) &&
+- !context.getPreemptiveAuthentication()) {
+- return;
+- } else {
+- if (loginConfig == null) {
+- // Not metadata-complete or security constraints present, need
+- // an authenticator to support @ServletSecurity annotations
+- // and/or constraints
+- loginConfig = DUMMY_LOGIN_CONFIG;
+- context.setLoginConfig(loginConfig);
+- }
++ if (loginConfig == null) {
++ // Need an authenticator to support HttpServletRequest.login()
++ loginConfig = DUMMY_LOGIN_CONFIG;
++ context.setLoginConfig(loginConfig);
+ }
+
+ // Has an authenticator been configured already?
+--- a/java/org/apache/catalina/startup/Tomcat.java
++++ b/java/org/apache/catalina/startup/Tomcat.java
+@@ -944,6 +944,9 @@
+ Context context = (Context) event.getLifecycle();
+ if (event.getType().equals(Lifecycle.CONFIGURE_START_EVENT)) {
+ context.setConfigured(true);
++
++ // Process annotations
++ WebAnnotationSet.loadApplicationAnnotations(context);
+ }
+ // LoginConfig is required to process @ServletSecurity
+ // annotations
+--- a/java/org/apache/catalina/startup/WebAnnotationSet.java
++++ b/java/org/apache/catalina/startup/WebAnnotationSet.java
+@@ -23,10 +23,13 @@
+ import javax.annotation.Resources;
+ import javax.annotation.security.DeclareRoles;
+ import javax.annotation.security.RunAs;
++import javax.servlet.ServletSecurityElement;
++import javax.servlet.annotation.ServletSecurity;
+
+ import org.apache.catalina.Container;
+ import org.apache.catalina.Context;
+ import org.apache.catalina.Wrapper;
++import org.apache.catalina.core.ApplicationServletRegistration;
+ import org.apache.catalina.util.Introspection;
+ import org.apache.tomcat.util.descriptor.web.ContextEnvironment;
+ import org.apache.tomcat.util.descriptor.web.ContextResource;
+@@ -144,6 +147,14 @@
+ if (annotation != null) {
+ wrapper.setRunAs(annotation.value());
+ }
++
++ // Process ServletSecurity annotation
++ ServletSecurity servletSecurity = classClass.getAnnotation(ServletSecurity.class);
++ if (servletSecurity != null) {
++ context.addServletSecurity(
++ new ApplicationServletRegistration(wrapper, context),
++ new ServletSecurityElement(servletSecurity));
++ }
+ }
+ }
+
=====================================
debian/patches/CVE-2018-1336.patch
=====================================
@@ -0,0 +1,25 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 24 Aug 2018 21:13:11 +0200
+Subject: CVE-2018-1336
+
+Origin: https://svn.apache.org/r1830374
+---
+ java/org/apache/tomcat/util/buf/Utf8Decoder.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/java/org/apache/tomcat/util/buf/Utf8Decoder.java b/java/org/apache/tomcat/util/buf/Utf8Decoder.java
+index 13d6543..ca819c4 100644
+--- a/java/org/apache/tomcat/util/buf/Utf8Decoder.java
++++ b/java/org/apache/tomcat/util/buf/Utf8Decoder.java
+@@ -278,6 +278,11 @@ public class Utf8Decoder extends CharsetDecoder {
+ outRemaining--;
+ } else {
+ if (outRemaining < 2) {
++ // Encoded with 4 bytes. inIndex currently points
++ // to the final byte. Move it back to first byte.
++ inIndex -= 3;
++ in.position(inIndex - in.arrayOffset());
++ out.position(outIndex - out.arrayOffset());
+ return CoderResult.OVERFLOW;
+ }
+ cArr[outIndex++] = (char) ((jchar >> 0xA) + 0xD7C0);
=====================================
debian/patches/CVE-2018-8034.patch
=====================================
@@ -0,0 +1,104 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 24 Aug 2018 21:25:57 +0200
+Subject: CVE-2018-8034
+
+Origin: https://svn.apache.org/r1833758
+---
+ .../apache/tomcat/websocket/WsWebSocketContainer.java | 18 ++++++++++++++----
+ webapps/docs/web-socket-howto.xml | 19 +++++++++++++++----
+ 2 files changed, 29 insertions(+), 8 deletions(-)
+
+diff --git a/java/org/apache/tomcat/websocket/WsWebSocketContainer.java b/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
+index 846cd4f..a1d8403 100644
+--- a/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
++++ b/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
+@@ -52,6 +52,7 @@ import java.util.concurrent.TimeoutException;
+ import javax.net.ssl.SSLContext;
+ import javax.net.ssl.SSLEngine;
+ import javax.net.ssl.SSLException;
++import javax.net.ssl.SSLParameters;
+ import javax.net.ssl.TrustManagerFactory;
+ import javax.websocket.ClientEndpoint;
+ import javax.websocket.ClientEndpointConfig;
+@@ -277,6 +278,8 @@ public class WsWebSocketContainer implements WebSocketContainer, BackgroundProce
+ "wsWebSocketContainer.asynchronousSocketChannelFail"), ioe);
+ }
+
++ Map<String,Object> userProperties = clientEndpointConfiguration.getUserProperties();
++
+ // Get the connection timeout
+ long timeout = Constants.IO_TIMEOUT_MS_DEFAULT;
+ String timeoutValue = (String) clientEndpointConfiguration.getUserProperties().get(
+@@ -323,8 +326,7 @@ public class WsWebSocketContainer implements WebSocketContainer, BackgroundProce
+ // Regardless of whether a non-secure wrapper was created for a
+ // proxy CONNECT, need to use TLS from this point on so wrap the
+ // original AsynchronousSocketChannel
+- SSLEngine sslEngine = createSSLEngine(
+- clientEndpointConfiguration.getUserProperties());
++ SSLEngine sslEngine = createSSLEngine(userProperties, host, port);
+ channel = new AsyncChannelWrapperSecure(socketChannel, sslEngine);
+ } else if (channel == null) {
+ // Only need to wrap as this point if it wasn't wrapped to process a
+@@ -750,7 +752,7 @@ public class WsWebSocketContainer implements WebSocketContainer, BackgroundProce
+ }
+
+
+- private SSLEngine createSSLEngine(Map<String,Object> userProperties)
++ private SSLEngine createSSLEngine(Map<String,Object> userProperties, String host, int port)
+ throws DeploymentException {
+
+ try {
+@@ -788,7 +790,7 @@ public class WsWebSocketContainer implements WebSocketContainer, BackgroundProce
+ }
+ }
+
+- SSLEngine engine = sslContext.createSSLEngine();
++ SSLEngine engine = sslContext.createSSLEngine(host, port);
+
+ String sslProtocolsValue =
+ (String) userProperties.get(Constants.SSL_PROTOCOLS_PROPERTY);
+@@ -798,6 +800,14 @@ public class WsWebSocketContainer implements WebSocketContainer, BackgroundProce
+
+ engine.setUseClientMode(true);
+
++ // Enable host verification
++ // Start with current settings (returns a copy)
++ SSLParameters sslParams = engine.getSSLParameters();
++ // Use HTTPS since WebSocket starts over HTTP(S)
++ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
++ // Write the parameters back
++ engine.setSSLParameters(sslParams);
++
+ return engine;
+ } catch (Exception e) {
+ throw new DeploymentException(sm.getString(
+diff --git a/webapps/docs/web-socket-howto.xml b/webapps/docs/web-socket-howto.xml
+index 938d36c..85d5b64 100644
+--- a/webapps/docs/web-socket-howto.xml
++++ b/webapps/docs/web-socket-howto.xml
+@@ -110,10 +110,21 @@
+ <li><code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code></li>
+ </ul>
+ <p>The default truststore password is <code>changeit</code>.</p>
+- <p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
+- set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
+- <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
+- will be ignored.</p>
++<p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
++ set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
++ <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
++ will be ignored.</p>
++
++<p>For secure server end points, host name verification is enabled by default.
++ To bypass this verification (not recommended), it is necessary to provide a
++ custom <code>SSLContext</code> via the
++ <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> user property. The
++ custom <code>SSLContext</code> must be configured with a custom
++ <code>TrustManager</code> that extends
++ <code>javax.net.ssl.X509ExtendedTrustManager</code>. The desired verification
++ (or lack of verification) can then be controlled by appropriate
++ implementations of the individual abstract methods.</p>
++
+ </section>
+
+ </body>
=====================================
debian/patches/CVE-2018-8037.patch
=====================================
@@ -0,0 +1,68 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 24 Aug 2018 21:37:54 +0200
+Subject: CVE-2018-8037
+
+Origin: https://svn.apache.org/r1833907
+---
+ java/org/apache/tomcat/util/net/Nio2Endpoint.java | 3 ++-
+ java/org/apache/tomcat/util/net/NioEndpoint.java | 5 ++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+index a8231bf..1052434 100644
+--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
++++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+@@ -497,6 +497,7 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel> {
+ private final Semaphore writePending = new Semaphore(1);
+ private boolean writeInterest = false; // Guarded by writeCompletionHandler
+ private boolean writeNotify = false;
++ private volatile boolean closed = false;
+
+ private CompletionHandler<Integer, SocketWrapperBase<Nio2Channel>> awaitBytesHandler
+ = new CompletionHandler<Integer, SocketWrapperBase<Nio2Channel>>() {
+@@ -922,7 +923,7 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel> {
+
+ @Override
+ public boolean isClosed() {
+- return !getSocket().isOpen();
++ return closed || !getSocket().isOpen();
+ }
+
+
+diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
+index b6d9bed..9f16a00 100644
+--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
++++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
+@@ -577,6 +577,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel> {
+ // since it won't have been counted down when the socket
+ // closed.
+ socket.socketWrapper.getEndpoint().countDownConnection();
++ ((NioSocketWrapper) socket.socketWrapper).closed = true;
+ } else {
+ final NioSocketWrapper socketWrapper = (NioSocketWrapper) key.attachment();
+ if (socketWrapper != null) {
+@@ -754,6 +755,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel> {
+ }
+ if (ka != null) {
+ countDownConnection();
++ ka.closed = true;
+ }
+ } catch (Throwable e) {
+ ExceptionUtils.handleThrowable(e);
+@@ -1069,6 +1071,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel> {
+ private volatile SendfileData sendfileData = null;
+ private volatile long lastRead = System.currentTimeMillis();
+ private volatile long lastWrite = lastRead;
++ private volatile boolean closed = false;
+
+ public NioSocketWrapper(NioChannel channel, NioEndpoint endpoint) {
+ super(channel, endpoint);
+@@ -1204,7 +1207,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel> {
+
+ @Override
+ public boolean isClosed() {
+- return !getSocket().isOpen();
++ return closed || !getSocket().isOpen();
+ }
+
+
=====================================
debian/patches/series
=====================================
@@ -11,3 +11,8 @@
CVE-2017-5664.patch
CVE-2017-7674.patch
CVE-2017-7675.patch
+CVE-2018-1304.patch
+CVE-2018-1305.patch
+CVE-2018-1336.patch
+CVE-2018-8034.patch
+CVE-2018-8037.patch
View it on GitLab: https://salsa.debian.org/java-team/tomcat8/compare/b2b30054606d392a0dbf653ed06fcc23abb6eaf1...81e0a521b19e1cf167993fab6b4c60a062dac9db
--
View it on GitLab: https://salsa.debian.org/java-team/tomcat8/compare/b2b30054606d392a0dbf653ed06fcc23abb6eaf1...81e0a521b19e1cf167993fab6b4c60a062dac9db
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20180826/131c6255/attachment.html>
More information about the pkg-java-commits
mailing list