Hello community, here is the log from the commit of package tomcat6 for openSUSE:12.1:Update:Test checked in at 2012-01-24 10:29:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update:Test/tomcat6 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.tomcat6.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat6", Maintainer is "[email protected]" Changes: --------
--- /work/SRC/openSUSE:12.1:Update:Test/tomcat6/tomcat6.changes 2012-01-24 10:29:44.000000000 +0100
+++ /work/SRC/openSUSE:12.1:Update:Test/.tomcat6.new/tomcat6.changes 2012-01-24 10:29:44.000000000 +0100
@@ -1,0 +2,14 @@
+Thu Jan 5 10:40:33 UTC 2012 - [email protected]
+
+- fix bnc#727543 - VUL-0: Apache tomcat vulnerable to hash collision attack
+ backport upstream changes:
+ * add isConfigProblemFatal method
+ http://svn.apache.org/viewvc?view=revision&revision=1199122
+ * GET POST parameter processing performance. Adds maximum number of
+ parameters per request (defaults to 10000) and new FailedRequestFilter for
+ rejecting requests with excessive number of parameters
+ http://svn.apache.org/viewvc?view=revision&revision=1200601
+- fix bnc#712784 - tomcat6: add missing Requires on java >= 1.6.0
+ * add recommends on java >= 1.6.0 and java-devel >= 1.6.0
+
+-------------------------------------------------------------------
New: ---- apache-tomcat-isconfigproblemfatal.patch apache-tomcat-parameter-processing-performance.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ libtcnative-1-0.spec ++++++
--- /var/tmp/diff_new_pack.9WF6Gh/_old 2012-01-24 10:29:44.000000000 +0100
+++ /var/tmp/diff_new_pack.9WF6Gh/_new 2012-01-24 10:29:44.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libtcnative-1-0
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
++++++ tomcat6.spec ++++++
--- /var/tmp/diff_new_pack.9WF6Gh/_old 2012-01-24 10:29:45.000000000 +0100
+++ /var/tmp/diff_new_pack.9WF6Gh/_new 2012-01-24 10:29:45.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat6
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # Copyright (c) 2000-2009, JPackage Project
 # All rights reserved.
 #
@@ -64,6 +64,11 @@
 Patch0: %{name}-%{major_version}.%{minor_version}.bootstrap-MANIFEST.MF.patch
 #PATCH-FIX-UPSTREAM: from jpackage.org package
 Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
+#PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1200601
+Patch2: apache-tomcat-parameter-processing-performance.patch
+# PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1199122
+# add isConfigProblemFatal method expected by patch2
+Patch3: apache-tomcat-isconfigproblemfatal.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildArch: noarch
 BuildRequires: ant
@@ -93,6 +98,11 @@
 Requires(preun): /sbin/chkconfig
 Requires(post): findutils
 Requires(post): coreutils
+# bnc#712784 - we need java and javac (for jsps)
+# to have a possibility use tomcat with third-party java
+# let's use recommends instead
+Recommends: java >= 1.6.0
+Recommends: java-devel >= 1.6.0
 
 %description
 Tomcat is the servlet container that is used in the official Reference
@@ -220,6 +230,8 @@
 -name "*.jar" -o -name "*.war" -o -name "*.zip" \) | xargs -t %{__rm}
 %patch0 -p1
 %patch1 -p0
+%patch2 -p1
+%patch3 -p1
 
 %build
 export CLASSPATH=
++++++ apache-tomcat-isconfigproblemfatal.patch ++++++
Index: apache-tomcat-6.0.33-src/java/org/apache/catalina/filters/FilterBase.java
===================================================================
--- apache-tomcat-6.0.33-src.orig/java/org/apache/catalina/filters/FilterBase.java 2011-08-16 14:26:14.000000000 +0200
+++ apache-tomcat-6.0.33-src/java/org/apache/catalina/filters/FilterBase.java 2012-01-05 11:35:54.627279703 +0100
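Review bot: In the %prep hunk `%patch2 -p1` is applied before `%patch3 -p1`, yet the comment on Patch3 says it adds the isConfigProblemFatal method "expected by patch2"; if the two patches touch the same filter sources the application order could matter, so either apply Patch3 first or confirm their hunks do not overlap and say so in the comment. The new Patch2 line uses the `#PATCH-FIX-UPSTREAM:` marker form of Patch1 while Patch3 uses `# PATCH-FIX-UPSTREAM:`; pick one form so the markers stay greppable. The Recommends lines are only a soft dependency, so a system without a 1.6 JRE/JDK will still install tomcat6 and fail at runtime or JSP compile; the in-spec comment gives the reason, and it would help to add the same rationale next to the bnc#712784 reference, e.g. `# Recommends (not Requires) so a third-party JVM can satisfy the runtime`.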
@@ -49,8 +49,13 @@
 String paramName = (String) paramNames.nextElement();
 if (!IntrospectionUtils.setProperty(this, paramName,
 filterConfig.getInitParameter(paramName))) {
- getLogger().warn(sm.getString("filterbase.noSuchProperty",
- paramName, this.getClass().getName()));
+ String msg = sm.getString("filterbase.noSuchProperty",
+ paramName, this.getClass().getName());
+ if (isConfigProblemFatal()) {
+ throw new ServletException(msg);
+ } else {
+ getLogger().warn(msg);
+ }
 }
 }
 }
@@ -59,4 +64,15 @@
 // NOOP
 }
 
+ /**
+ * Determines if an exception when calling a setter or an unknown
+ * configuration attribute triggers the failure of the this filter which in
+ * turn will prevent the web application from starting.
+ *
+ * @return <code>true</code> if a problem should trigger the failure of this
+ * filter, else <code>false</code>
+ */
+ protected boolean isConfigProblemFatal() {
+ return false;
+ }
 }
Index: apache-tomcat-6.0.33-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java
===================================================================
--- apache-tomcat-6.0.33-src.orig/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2011-08-16 14:26:14.000000000 +0200
+++ apache-tomcat-6.0.33-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2012-01-05 11:35:54.644280296 +0100
@@ -186,6 +186,13 @@
 chain.doFilter(request, wResponse);
 }
 
+
+ @Override
+ protected boolean isConfigProblemFatal() {
+ return true;
+ }
+
+
 /**
 * Generate a once time token (nonce) for authenticating subsequent
 * requests. This will also add the token to the session. The nonce
Index: apache-tomcat-6.0.33-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-6.0.33-src.orig/webapps/docs/changelog.xml 2012-01-05 11:35:44.000000000 +0100
+++ apache-tomcat-6.0.33-src/webapps/docs/changelog.xml 2012-01-05 11:35:54.654280645 +0100
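Review bot: The Javadoc added in the second FilterBase hunk contains a stray word, "the failure of the this filter"; change it to `* configuration attribute triggers the failure of this filter which in`. That Javadoc also promises that "an exception when calling a setter" is covered, but the only path visible in the first hunk is `IntrospectionUtils.setProperty` returning false for an unknown parameter, so whether setter exceptions reach this branch depends on that helper, which is outside the hunk; stating which case the base class actually detects would keep the contract honest. In the first hunk the `else` after the `throw` is redundant: `if (isConfigProblemFatal()) { throw new ServletException(msg); }` followed by an unconditional `getLogger().warn(msg);` reads more directly. Having CsrfPreventionFilter return true (third hunk) is the right default for a security filter, since previously a mistyped init-parameter name left the filter running on defaults behind nothing more than a warning. The enclosing init method starts and ends outside the first hunk.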
@@ -435,6 +435,10 @@
 At build time use two alternative download locations for components
 downloaded from apache.org. (kkolinko)
 </update>
+ <add>
+ Make configuration issue for CsrfPreventionFilter result in the
+ failure of the filter rather than just a warning message. (kkolinko)
+ </add>
 </changelog>
 </subsection>
 </section>
++++++ apache-tomcat-parameter-processing-performance.patch ++++++
++++ 1656 lines (skipped)
-- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
