Hello community, here is the log from the commit of package tomcat6 for openSUSE:11.4 checked in at Mon Jan 9 11:09:52 CET 2012.
-------- --- old-versions/11.4/UPDATES/all/tomcat6/tomcat6.changes 2011-09-15 16:14:01.000000000 +0200 +++ 11.4/tomcat6/tomcat6.changes 2012-01-06 13:53:11.000000000 +0100 @@ -1,0 +2,16 @@ +Thu Jan 5 14:06:11 UTC 2012 - [email protected] + +- fix bnc#727543 - VUL-0: Apache tomcat vulnerable to hash collision attack + backport upstream changes: + * add getCharset method for B2Converter + http://svn.apache.org/viewvc?view=revision&revision=1140904 + * add isConfigProblemFatal method + http://svn.apache.org/viewvc?view=revision&revision=1199122 + * GET POST parameter processing performance. Adds maximum number of + parameters per request (defaults to 10000) and new FailedRequestFilter for + rejecting requests with excessive number of parameters + http://svn.apache.org/viewvc?view=revision&revision=1200601 +- fix bnc#712784 - tomcat6: add missing Requires on java >= 1.6.0 + * add recommends on java >= 1.6.0 and java-devel >= 1.6.0 + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- apache-tomcat-get-charset.patch apache-tomcat-isconfigproblemfatal.patch apache-tomcat-parameter-processing-performance.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libtcnative-1-0.spec ++++++ --- /var/tmp/diff_new_pack.6uLlji/_old 2012-01-09 11:09:33.000000000 +0100 +++ /var/tmp/diff_new_pack.6uLlji/_new 2012-01-09 11:09:33.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package libtcnative-1-0 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -29,7 +29,7 @@ Name: libtcnative-1-0 Version: %{major}.%{minor}.%{micro} -Release: 11.<RELEASE2> +Release: 11.<RELEASE3> Summary: JNI wrappers for Apache Portable Runtime for Tomcat Group: Productivity/Networking/Web/Servers License: Apache Software License .. ++++++ tomcat6.spec ++++++ --- /var/tmp/diff_new_pack.6uLlji/_old 2012-01-09 11:09:33.000000000 +0100 +++ /var/tmp/diff_new_pack.6uLlji/_new 2012-01-09 11:09:33.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package tomcat6 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2000-2009, JPackage Project # All rights reserved. # @@ -41,7 +41,7 @@ Name: tomcat6 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 7.<RELEASE10> +Release: 7.<RELEASE12> Summary: Apache Servlet/JSP Engine, RI for Servlet 2.5/JSP 2.1 API Group: Productivity/Networking/Web/Servers License: Apache Software License .. @@ -70,6 +70,14 @@ Patch3: apache-tomcat-CVE-2011-2526.patch #PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1162959 Patch4: apache-tomcat-CVE-2011-3190.patch +# PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1140904 +# add getCharset method for B2CConverter expected by parameter-processing patch +Patch5: apache-tomcat-get-charset.patch +# PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1199122 +# add isConfigProblemFatal method expected by parameter-processing patch +Patch6: apache-tomcat-isconfigproblemfatal.patch +#PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1200601 +Patch7: apache-tomcat-parameter-processing-performance.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch BuildRequires: ant 
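Review bot: In the tomcat6.spec hunk at -70,6 the comment above `Patch7` gives only the upstream revision and never says that this is the patch carrying the hash collision fix, while `Patch5` and `Patch6` are described only as its prerequisites. Someone auditing the spec for bnc#727543 has to go to the changelog to find which patch closes it. A line such as `# bnc#727543 - limit the number of request parameters (hash collision attack)` above `Patch7` would make that traceable. The tag spelling is also mixed within the hunk: `# PATCH-FIX-UPSTREAM:` for patches 5 and 6, `#PATCH-FIX-UPSTREAM:` for patch 7.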
@@ -99,6 +107,11 @@ Requires(preun): /sbin/chkconfig Requires(post): findutils Requires(post): coreutils +# bnc#712784 - we need java and javac (for jsps) +# to have a possibility use tomcat with third-party java +# let's use recommends instead +Recommends: java >= 1.6.0 +Recommends: java-devel >= 1.6.0 %description Tomcat is the servlet container that is used in the official Reference @@ -229,6 +242,9 @@ %patch2 -p1 -b .CVE-2011-2204 %patch3 -p1 -b .CVE-2011-2526 %patch4 -p1 -b .CVE-2011-3190 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build export CLASSPATH= ++++++ apache-tomcat-get-charset.patch ++++++ Index: apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/buf/ByteChunk.java =================================================================== --- apache-tomcat-6.0.32-src.orig/java/org/apache/tomcat/util/buf/ByteChunk.java 2011-02-02 20:07:33.000000000 +0100 +++ apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/buf/ByteChunk.java 2012-01-05 14:10:21.099521215 +0100 @@ -19,6 +19,8 @@ import java.io.IOException; import java.io.Serializable; +import java.nio.ByteBuffer; +import java.nio.charset.Charset; /* * In a server it is very important to be able to operate on @@ -95,7 +97,12 @@ 8859_1, and this object is used mostly for servlets. */ public static final String DEFAULT_CHARACTER_ENCODING="ISO-8859-1"; - + + /** Default Charset to use for interpreting byte[] as as String + */ + public static final Charset DEFAULT_CHARSET = + Charset.forName(DEFAULT_CHARACTER_ENCODING); + // byte[] private byte[] buff; 
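Review bot: The Javadoc added for `DEFAULT_CHARSET` in the ByteChunk.java hunk at -95,7 reads "as as String" and does not say why resolving the charset in a static initialiser is safe. I would write it as `/** Default Charset used to interpret byte[] as a String; ISO-8859-1 is one of the charsets every Java platform must support, so Charset.forName cannot fail here. */`.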
@@ -493,8 +500,14 @@ public String toStringInternal() { String strValue=null; try { - if( enc==null ) enc=DEFAULT_CHARACTER_ENCODING; - strValue = new String( buff, start, end-start, enc ); + Charset charset; + if (enc == null) { + charset = DEFAULT_CHARSET; + } else { + charset = B2CConverter.getCharset(enc); + } + strValue = charset.decode( + ByteBuffer.wrap(buff, start, end-start)).toString(); /* Does not improve the speed too much on most systems, it's safer to use the "clasical" new String(). Index: apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/buf/B2CConverter.java =================================================================== --- apache-tomcat-6.0.32-src.orig/java/org/apache/tomcat/util/buf/B2CConverter.java 2011-02-02 20:07:33.000000000 +0100 +++ apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/buf/B2CConverter.java 2012-01-05 14:10:21.101521285 +0100 @@ -22,6 +22,10 @@ import java.io.InputStream; import java.io.InputStreamReader; import java.io.UnsupportedEncodingException; +import java.nio.charset.Charset; +import java.util.HashMap; +import java.util.Locale; +import java.util.Map; /** Efficient conversion of bytes to character . * 
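Review bot: The block comment kept directly under the new `charset.decode(...)` call in `toStringInternal()` still says it is safer to use the "clasical" new String(), which this hunk has just removed, so it now describes code that is no longer there. I would put a current comment above the decode call instead, for example `// Decode via a Charset object rather than an encoding name to avoid the JVM bottleneck in String/byte[] conversion (bug 51400)`. `B2CConverter.getCharset(enc)` can throw UnsupportedEncodingException, and the catch clause that has to handle it lies outside this hunk. It is worth confirming that the clause still catches that type and what it falls back to when a request names an unknown encoding.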
@@ -39,7 +43,36 @@ private static org.apache.juli.logging.Log log= org.apache.juli.logging.LogFactory.getLog( B2CConverter.class ); + + private static final Map<String, Charset> encodingToCharsetCache = + new HashMap<String, Charset>(); + static { + for (Charset charset: Charset.availableCharsets().values()) { + encodingToCharsetCache.put( + charset.name().toLowerCase(Locale.US), charset); + for (String alias : charset.aliases()) { + encodingToCharsetCache.put( + alias.toLowerCase(Locale.US), charset); + } + } + } + + public static Charset getCharset(String enc) + throws UnsupportedEncodingException { + + // Encoding names should all be ASCII + String lowerCaseEnc = enc.toLowerCase(Locale.US); + + Charset charset = encodingToCharsetCache.get(lowerCaseEnc); + + if (charset == null) { + // Pre-population of the cache means this must be invalid + throw new UnsupportedEncodingException(enc); + } + return charset; + } + private IntermediateInputStream iis; private ReadConvertor conv; private String encoding; @@ -114,7 +147,7 @@ { // destroy the reader/iis iis=new IntermediateInputStream(); - conv=new ReadConvertor( iis, encoding ); + conv=new ReadConvertor( iis, getCharset(encoding) ); } private final int debug=0; @@ -192,10 +225,9 @@ /** Create a converter. */ - public ReadConvertor( IntermediateInputStream in, String enc ) - throws UnsupportedEncodingException + public ReadConvertor( IntermediateInputStream in, Charset charset ) { - super( in, enc ); + super( in, charset ); } /** Overriden - will do nothing but reset internal state. Index: apache-tomcat-6.0.32-src/java/org/apache/catalina/connector/Request.java =================================================================== --- apache-tomcat-6.0.32-src.orig/java/org/apache/catalina/connector/Request.java 2012-01-05 14:10:10.000000000 +0100 +++ apache-tomcat-6.0.32-src/java/org/apache/catalina/connector/Request.java 2012-01-05 14:10:21.114521738 +0100 
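Review bot: `getCharset` in the B2CConverter.java hunk at -39,7 is a new public static method without Javadoc, and its first statement calls `enc.toLowerCase(Locale.US)` with no null check, so a null name produces a NullPointerException instead of the declared UnsupportedEncodingException. If callers can pass null (the Request.java hunk further down hands its argument straight through), a guard such as `if (enc == null) { throw new UnsupportedEncodingException("null"); }` keeps the failure in the documented type. The map deserves a comment as well, e.g. `// Filled once in the static initialiser and never modified afterwards: reads need no locking and names taken from requests cannot grow it`. The "must be invalid" comment assumes that `Charset.availableCharsets()` lists every charset the old name-based lookup could resolve. That is probably true for the JRE's own charsets but should be confirmed for charsets supplied by an application-level provider.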
@@ -1537,15 +1537,12 @@ if (usingReader) return; - - // Ensure that the specified encoding is valid - byte buffer[] = new byte[1]; - buffer[0] = (byte) 'a'; - String dummy = new String(buffer, enc); + + // Confirm that the encoding name is valid + B2CConverter.getCharset(enc); // Save the validated encoding coyoteRequest.setCharacterEncoding(enc); - } Index: apache-tomcat-6.0.32-src/webapps/docs/changelog.xml =================================================================== --- apache-tomcat-6.0.32-src.orig/webapps/docs/changelog.xml 2011-02-02 20:07:33.000000000 +0100 +++ apache-tomcat-6.0.32-src/webapps/docs/changelog.xml 2012-01-05 14:10:21.119521913 +0100 @@ -139,6 +139,11 @@ Remove a huge memory leak in the NIO connector introduced by the fix for <bug>49884</bug>. (markt) </fix> + <fix> + <bug>51400</bug>: Avoid jvm bottleneck on String/byte[] conversion + triggered by a JVM bug. Based on patches by Dave Engberg and Konstantin + Prei�er. (markt) + </fix> </changelog> </subsection> <subsection name="Cluster"> ++++++ apache-tomcat-isconfigproblemfatal.patch ++++++ --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 7 ++++ java/org/apache/catalina/filters/FilterBase.java | 20 +++++++++++-- webapps/docs/changelog.xml | 4 ++ 3 files changed, 29 insertions(+), 2 deletions(-) Index: apache-tomcat-6.0.32-src/java/org/apache/catalina/filters/FilterBase.java =================================================================== --- apache-tomcat-6.0.32-src.orig/java/org/apache/catalina/filters/FilterBase.java 2012-01-05 12:13:48.074439868 +0100 +++ apache-tomcat-6.0.32-src/java/org/apache/catalina/filters/FilterBase.java 2012-01-05 12:17:59.202265516 +0100 
@@ -49,8 +49,13 @@ String paramName = (String) paramNames.nextElement(); if (!IntrospectionUtils.setProperty(this, paramName, filterConfig.getInitParameter(paramName))) { - getLogger().warn(sm.getString("filterbase.noSuchProperty", - paramName, this.getClass().getName())); + String msg = sm.getString("filterbase.noSuchProperty", + paramName, this.getClass().getName()); + if (isConfigProblemFatal()) { + throw new ServletException(msg); + } else { + getLogger().warn(msg); + } } } } @@ -59,4 +64,15 @@ // NOOP } + /** + * Determines if an exception when calling a setter or an unknown + * configuration attribute triggers the failure of the this filter which in + * turn will prevent the web application from starting. + * + * @return <code>true</code> if a problem should trigger the failure of this + * filter, else <code>false</code> + */ + protected boolean isConfigProblemFatal() { + return false; + } } Index: apache-tomcat-6.0.32-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java =================================================================== --- apache-tomcat-6.0.32-src.orig/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2012-01-05 12:13:48.078440009 +0100 +++ apache-tomcat-6.0.32-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2012-01-05 12:17:59.231266535 +0100 @@ -186,6 +186,13 @@ chain.doFilter(request, wResponse); } + + @Override + protected boolean isConfigProblemFatal() { + return true; + } + + /** * Generate a once time token (nonce) for authenticating subsequent * requests. This will also add the token to the session. The nonce Index: apache-tomcat-6.0.32-src/webapps/docs/changelog.xml =================================================================== --- apache-tomcat-6.0.32-src.orig/webapps/docs/changelog.xml 2012-01-05 12:13:48.080440079 +0100 +++ apache-tomcat-6.0.32-src/webapps/docs/changelog.xml 2012-01-05 12:17:59.240266851 +0100 
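Review bot: `isConfigProblemFatal()` in the FilterBase.java hunk at -59,4 defaults to `false`, so every filter built on FilterBase other than CsrfPreventionFilter still starts with only a warning when an init parameter does not match a property, and the Javadoc does not tell subclass authors that this is the fail-open choice. I would add a sentence such as `Filters that enforce a security control should override this to return true so that a mistyped parameter stops the application instead of leaving the filter on its defaults.` The same Javadoc has a typo, "of the this filter". It also mentions "an exception when calling a setter", although the code in the -49,8 hunk only reacts to `IntrospectionUtils.setProperty` returning false; whether setter exceptions end up on that path is not visible here.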
@@ -616,6 +616,10 @@ add DetailPrint statements for operations that may take time and improve the descriptions of the components. (kkolinko, mturk, markt) </update> + <add> + Make configuration issue for CsrfPreventionFilter result in the + failure of the filter rather than just a warning message. (kkolinko) + </add> </changelog> </subsection> </section> ++++++ apache-tomcat-parameter-processing-performance.patch ++++++ ++++ 1681 lines (skipped) continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
