Hello community, here is the log from the commit of package tomcat6 for openSUSE:11.3 checked in at Mon Jan 9 11:09:21 CET 2012.
-------- --- old-versions/11.3/UPDATES/all/tomcat6/tomcat6.changes 2011-09-15 15:58:46.000000000 +0200 +++ 11.3/tomcat6/tomcat6.changes 2012-01-06 13:51:47.000000000 +0100 @@ -1,0 +2,24 @@ +Fri Jan 6 08:27:37 UTC 2012 - [email protected] + +- fix bnc#727543 - VUL-0: Apache tomcat vulnerable to hash collision attack + backport upstream changes: + * generic CSRF protection layer (to have FilterBase needed for + FailedRequestFilter) + http://svn.apache.org/viewvc?view=revision&revision=1030547 + * add getCharset method for B2Converter + http://svn.apache.org/viewvc?view=revision&revision=1140904 + * add isConfigProblemFatal method + http://svn.apache.org/viewvc?view=revision&revision=1199122 + * GET POST parameter processing performance. Adds maximum number of + parameters per request (defaults to 10000) and new FailedRequestFilter for + rejecting requests with excessive number of parameters + http://svn.apache.org/viewvc?view=revision&revision=1200601 +- fix bnc#712784 - tomcat6: add missing Requires on java >= 1.6.0 + * add recommends on java >= 1.6.0 and java-devel >= 1.6.0 +- with CSRF protection layer manager and host-manager now supports + new roles, see + * /srv/tomcat6/webapps/docs/manager-howto.html + * /srv/tomcat6/webapps/manager/WEB-INF/web.xml + * /srv/tomcat6/webapps/host-manager/WEB-INF/web.xml + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- apache-tomcat-generic-csrf-protection.patch apache-tomcat-get-charset.patch apache-tomcat-isconfigproblemfatal.patch apache-tomcat-parameter-processing-performance.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libtcnative-1-0.spec ++++++ --- /var/tmp/diff_new_pack.W3LUq8/_old 2012-01-09 11:08:54.000000000 +0100 +++ /var/tmp/diff_new_pack.W3LUq8/_new 2012-01-09 11:08:54.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package libtcnative-1-0 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ Name: libtcnative-1-0 Version: %{major}.%{minor}.%{micro} -Release: 5.<RELEASE9> +Release: 5.<RELEASE10> Summary: JNI wrappers for Apache Portable Runtime for Tomcat Group: Productivity/Networking/Web/Servers License: Apache Software License .. ++++++ tomcat6.spec ++++++ --- /var/tmp/diff_new_pack.W3LUq8/_old 2012-01-09 11:08:54.000000000 +0100 +++ /var/tmp/diff_new_pack.W3LUq8/_new 2012-01-09 11:08:54.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package tomcat6 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2000-2009, JPackage Project # All rights reserved. # @@ -41,7 +41,7 @@ Name: tomcat6 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 5.<RELEASE14> +Release: 5.<RELEASE16> Summary: Apache Servlet/JSP Engine, RI for Servlet 2.5/JSP 2.1 API Group: Productivity/Networking/Web/Servers License: Apache Software License .. @@ -79,6 +79,17 @@ Patch9: apache-tomcat-CVE-2011-2526.patch #PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1162959 Patch10: apache-tomcat-CVE-2011-3190.patch +#PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1030547 +# add FilterBase et all needed by parameter-processing and related patches +Patch11: apache-tomcat-generic-csrf-protection.patch +# PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1140904 +# add getCharset method for B2CConverter expected by parameter-processing patch +Patch12: apache-tomcat-get-charset.patch +# PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1199122 +# add isConfigProblemFatal method expected by parameter-processing patch +Patch13: apache-tomcat-isconfigproblemfatal.patch +#PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1200601 +Patch14: apache-tomcat-parameter-processing-performance.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch BuildRequires: ant @@ -108,6 +119,11 @@ Requires(preun): /sbin/chkconfig Requires(post): findutils Requires(post): coreutils +# bnc#712784 - we need java and javac (for jsps) +# to have a possibility use tomcat with third-party java +# let's use recommends instead +Recommends: java >= 1.6.0 +Recommends: java-devel >= 1.6.0 %description Tomcat is the servlet container that is used in the official Reference @@ -244,6 +260,10 @@ %patch8 -p0 -b .CVE-2011-2204 %patch9 -p0 -b .CVE-2011-2526 %patch10 -p1 -b .CVE-2011-3190 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 %build export CLASSPATH= ++++++ apache-tomcat-CVE-2011-3190.patch ++++++ --- /var/tmp/diff_new_pack.W3LUq8/_old 2012-01-09 11:08:54.000000000 +0100 +++ /var/tmp/diff_new_pack.W3LUq8/_new 2012-01-09 11:08:54.000000000 +0100 @@ -1,8 +1,8 @@ Index: tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/coyote/ajp/AjpProcessor.java =================================================================== ---- tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/coyote/ajp/AjpProcessor.java (revision 1162958) -+++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/coyote/ajp/AjpProcessor.java (revision 1162959) -@@ -423,11 +423,13 @@ +--- tomcat6-6.0.24.orig/apache-tomcat-6.0.24-src/java/org/apache/coyote/ajp/AjpProcessor.java 2010-01-19 14:43:40.000000000 +0100 ++++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/coyote/ajp/AjpProcessor.java 2012-01-05 15:47:42.144369873 +0100 +@@ -408,11 +408,13 @@ } continue; } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) { @@ -20,7 +20,7 @@ } request.setStartTime(System.currentTimeMillis()); -@@ -1061,6 +1063,11 @@ +@@ -1031,6 +1033,11 @@ finished = true; @@ -34,9 +34,9 @@ Index: tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/coyote/ajp/AjpAprProcessor.java =================================================================== ---- tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/coyote/ajp/AjpAprProcessor.java (revision 1162958) -+++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/coyote/ajp/AjpAprProcessor.java (revision 1162959) -@@ -405,11 +405,13 @@ +--- tomcat6-6.0.24.orig/apache-tomcat-6.0.24-src/java/org/apache/coyote/ajp/AjpAprProcessor.java 2010-01-19 14:43:40.000000000 +0100 ++++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/coyote/ajp/AjpAprProcessor.java 2012-01-05 15:47:42.145369908 +0100 +@@ -390,11 +390,13 @@ } continue; } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) { @@ -54,7 +54,7 @@ } keptAlive = true; -@@ -1056,6 +1058,11 @@ +@@ -1026,6 +1028,11 @@ finished = true; ++++++ apache-tomcat-generic-csrf-protection.patch ++++++ ++++ 1501 lines (skipped) ++++++ apache-tomcat-get-charset.patch ++++++ --- apache-tomcat-6.0.24-src/java/org/apache/catalina/connector/Request.java | 9 -- apache-tomcat-6.0.24-src/java/org/apache/tomcat/util/buf/B2CConverter.java | 40 +++++++++- apache-tomcat-6.0.24-src/java/org/apache/tomcat/util/buf/ByteChunk.java | 19 ++++ apache-tomcat-6.0.24-src/webapps/docs/changelog.xml | 5 + 4 files changed, 60 insertions(+), 13 deletions(-) Index: tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/tomcat/util/buf/ByteChunk.java =================================================================== --- tomcat6-6.0.24.orig/apache-tomcat-6.0.24-src/java/org/apache/tomcat/util/buf/ByteChunk.java 2010-01-19 14:43:41.000000000 +0100 +++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/tomcat/util/buf/ByteChunk.java 2012-01-05 15:32:32.354581229 +0100 @@ -19,6 +19,8 @@ import java.io.IOException; import java.io.Serializable; +import java.nio.ByteBuffer; +import java.nio.charset.Charset; /* * In a server it is very important to be able to operate on @@ -95,7 +97,12 @@ 8859_1, and this object is used mostly for servlets. */ public static final String DEFAULT_CHARACTER_ENCODING="ISO-8859-1"; - + + /** Default Charset to use for interpreting byte[] as as String + */ + public static final Charset DEFAULT_CHARSET = + Charset.forName(DEFAULT_CHARACTER_ENCODING); + // byte[] private byte[] buff; @@ -495,8 +502,14 @@ public String toStringInternal() { String strValue=null; try { - if( enc==null ) enc=DEFAULT_CHARACTER_ENCODING; - strValue = new String( buff, start, end-start, enc ); + Charset charset; + if (enc == null) { + charset = DEFAULT_CHARSET; + } else { + charset = B2CConverter.getCharset(enc); + } + strValue = charset.decode( + ByteBuffer.wrap(buff, start, end-start)).toString(); /* Does not improve the speed too much on most systems, it's safer to use the "clasical" new String(). Index: tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/tomcat/util/buf/B2CConverter.java =================================================================== --- tomcat6-6.0.24.orig/apache-tomcat-6.0.24-src/java/org/apache/tomcat/util/buf/B2CConverter.java 2010-01-19 14:43:41.000000000 +0100 +++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/tomcat/util/buf/B2CConverter.java 2012-01-05 15:33:57.649562314 +0100 @@ -22,6 +22,10 @@ import java.io.InputStream; import java.io.InputStreamReader; import java.io.UnsupportedEncodingException; +import java.nio.charset.Charset; +import java.util.HashMap; +import java.util.Locale; +import java.util.Map; /** Efficient conversion of bytes to character . * @@ -39,7 +43,36 @@ private static org.apache.juli.logging.Log log= org.apache.juli.logging.LogFactory.getLog( B2CConverter.class ); + + private static final Map<String, Charset> encodingToCharsetCache = + new HashMap<String, Charset>(); + static { + for (Charset charset: Charset.availableCharsets().values()) { + encodingToCharsetCache.put( + charset.name().toLowerCase(Locale.US), charset); + for (String alias : charset.aliases()) { + encodingToCharsetCache.put( + alias.toLowerCase(Locale.US), charset); + } + } + } + + public static Charset getCharset(String enc) + throws UnsupportedEncodingException { + + // Encoding names should all be ASCII + String lowerCaseEnc = enc.toLowerCase(Locale.US); + + Charset charset = encodingToCharsetCache.get(lowerCaseEnc); + + if (charset == null) { + // Pre-population of the cache means this must be invalid + throw new UnsupportedEncodingException(enc); + } + return charset; + } + private IntermediateInputStream iis; private ReadConvertor conv; private String encoding; @@ -114,7 +147,7 @@ { // destroy the reader/iis iis=new IntermediateInputStream(); - conv=new ReadConvertor( iis, encoding ); + conv=new ReadConvertor( iis, getCharset(encoding) ); } private final int debug=0; @@ -194,10 +227,9 @@ /** Create a converter. */ - public ReadConvertor( IntermediateInputStream in, String enc ) - throws UnsupportedEncodingException + public ReadConvertor( IntermediateInputStream in, Charset charset ) { - super( in, enc ); + super( in, charset ); iis=in; } Index: tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/catalina/connector/Request.java =================================================================== --- tomcat6-6.0.24.orig/apache-tomcat-6.0.24-src/java/org/apache/catalina/connector/Request.java 2012-01-05 15:32:19.000000000 +0100 +++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/catalina/connector/Request.java 2012-01-05 15:32:32.359581404 +0100 @@ -1515,15 +1515,12 @@ if (usingReader) return; - - // Ensure that the specified encoding is valid - byte buffer[] = new byte[1]; - buffer[0] = (byte) 'a'; - String dummy = new String(buffer, enc); + + // Confirm that the encoding name is valid + B2CConverter.getCharset(enc); // Save the validated encoding coyoteRequest.setCharacterEncoding(enc); - } Index: tomcat6-6.0.24/apache-tomcat-6.0.24-src/webapps/docs/changelog.xml =================================================================== --- tomcat6-6.0.24.orig/apache-tomcat-6.0.24-src/webapps/docs/changelog.xml 2012-01-05 15:32:19.000000000 +0100 +++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/webapps/docs/changelog.xml 2012-01-05 15:32:32.362581509 +0100 @@ -118,6 +118,11 @@ <bug>48470</bug>: Ensure Tomcat does not lock up if shut down under load. (markt) </fix> + <fix> + <bug>51400</bug>: Avoid jvm bottleneck on String/byte[] conversion + triggered by a JVM bug. Based on patches by Dave Engberg and Konstantin + Prei�er. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper"> ++++++ apache-tomcat-isconfigproblemfatal.patch ++++++ --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 7 ++++ java/org/apache/catalina/filters/FilterBase.java | 20 +++++++++++-- webapps/docs/changelog.xml | 4 ++ 3 files changed, 29 insertions(+), 2 deletions(-) Index: tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/catalina/filters/FilterBase.java =================================================================== --- tomcat6-6.0.24.orig/apache-tomcat-6.0.24-src/java/org/apache/catalina/filters/FilterBase.java 2012-01-05 16:35:29.223528684 +0100 +++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/catalina/filters/FilterBase.java 2012-01-06 09:11:35.020486358 +0100 @@ -49,8 +49,13 @@ String paramName = (String) paramNames.nextElement(); if (!IntrospectionUtils.setProperty(this, paramName, filterConfig.getInitParameter(paramName))) { - getLogger().warn(sm.getString("filterbase.noSuchProperty", - paramName, this.getClass().getName())); + String msg = sm.getString("filterbase.noSuchProperty", + paramName, this.getClass().getName()); + if (isConfigProblemFatal()) { + throw new ServletException(msg); + } else { + getLogger().warn(msg); + } } } } @@ -59,4 +64,15 @@ // NOOP } + /** + * Determines if an exception when calling a setter or an unknown + * configuration attribute triggers the failure of the this filter which in + * turn will prevent the web application from starting. + * + * @return <code>true</code> if a problem should trigger the failure of this + * filter, else <code>false</code> + */ + protected boolean isConfigProblemFatal() { + return false; + } } Index: tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java =================================================================== --- tomcat6-6.0.24.orig/apache-tomcat-6.0.24-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2012-01-05 16:35:29.228528858 +0100 +++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2012-01-06 09:11:35.021486393 +0100 @@ -186,6 +186,13 @@ chain.doFilter(request, wResponse); } + + @Override + protected boolean isConfigProblemFatal() { + return true; + } + + /** * Generate a once time token (nonce) for authenticating subsequent * requests. This will also add the token to the session. The nonce Index: tomcat6-6.0.24/apache-tomcat-6.0.24-src/webapps/docs/changelog.xml =================================================================== --- tomcat6-6.0.24.orig/apache-tomcat-6.0.24-src/webapps/docs/changelog.xml 2012-01-06 09:11:28.816273730 +0100 +++ tomcat6-6.0.24/apache-tomcat-6.0.24-src/webapps/docs/changelog.xml 2012-01-06 09:11:35.024486497 +0100 @@ -923,6 +923,10 @@ Further improvements to the administrative user name and password handling in the Windows installer. (kkolinko) </update> + <add> + Make configuration issue for CsrfPreventionFilter result in the + failure of the filter rather than just a warning message. (kkolinko) + </add> </changelog> </subsection> </section> ++++++ apache-tomcat-parameter-processing-performance.patch ++++++ ++++ 1681 lines (skipped) continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
