Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat for openSUSE:Factory checked in at 2021-11-10 21:46:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tomcat (Old) and /work/SRC/openSUSE:Factory/.tomcat.new.1890 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat" Wed Nov 10 21:46:39 2021 rev:78 rq:930612 version:9.0.43 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes 2021-10-21 23:55:17.772018384 +0200 +++ /work/SRC/openSUSE:Factory/.tomcat.new.1890/tomcat.changes 2021-11-10 21:47:20.695834900 +0100 @@ -1,0 +2,25 @@ +Wed Nov 10 06:51:24 UTC 2021 - Fridrich Strba <fst...@suse.com> + +- Modified patch: + * tomcat-9.0-osgi-build.patch + + account for biz.aQute.bnd.ant artifact in aqute-bnd >= 5.2.0 + +------------------------------------------------------------------- +Fri Oct 29 11:15:32 UTC 2021 - Michele Bussolotto <michele.bussolo...@suse.com> + +- Fixed CVEs: + * CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279) + * CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1. clients (bsc#1188278) +- Added patches: + * tomcat-9.0-CVE-2021-30640.patch + * tomcat-9.0-CVE-2021-33037.patch + +------------------------------------------------------------------- +Thu Oct 28 08:33:07 UTC 2021 - Michele Bussolotto <michele.bussolo...@suse.com> + +- Fixed CVEs: + * CVE-2021-41079: Validate incoming TLS packet (bsc#1190558) +- Added patches: + * tomcat-9.0-CVE-2021-41079.patch + +------------------------------------------------------------------- New: ---- tomcat-9.0-CVE-2021-30640.patch tomcat-9.0-CVE-2021-33037.patch tomcat-9.0-CVE-2021-41079.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat.spec ++++++ --- /var/tmp/diff_new_pack.PfPRWw/_old 2021-11-10 21:47:21.531835264 +0100 +++ /var/tmp/diff_new_pack.PfPRWw/_new 2021-11-10 21:47:21.535835266 +0100 @@ -83,6 +83,9 @@ Patch5: tomcat-9.0.43-java8compat.patch # PATCH-FIX-OPENSUSE: set ajp connector secreteRequired to false by default to avoid tomcat not starting Patch6: tomcat-9.0.31-secretRequired-default.patch +Patch7: tomcat-9.0-CVE-2021-41079.patch +Patch8: tomcat-9.0-CVE-2021-33037.patch +Patch9: tomcat-9.0-CVE-2021-30640.patch BuildRequires: ant >= 1.8.1 BuildRequires: ant-antlr @@ -90,8 +93,8 @@ BuildRequires: apache-commons-daemon BuildRequires: apache-commons-dbcp >= 2.0 BuildRequires: apache-commons-pool2 -BuildRequires: aqute-bnd >= 5.1.1 -BuildRequires: aqute-bndlib >= 5.1.1 +BuildRequires: aqute-bnd >= 5.2 +BuildRequires: aqute-bndlib >= 5.2 BuildRequires: ecj >= 4.4.0 BuildRequires: fdupes BuildRequires: findutils @@ -257,6 +260,9 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 # remove date from docs sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl @@ -293,6 +299,7 @@ -Dwsdl4j-lib.jar="$(build-classpath wsdl4j)" \ -Dsaaj-api.jar="$(build-classpath geronimo-saaj-1.1-api)" \ -Dbnd.jar="$(build-classpath aqute-bnd/biz.aQute.bnd)" \ + -Dbndant.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.ant)" \ -Dbndlib.jar="$(build-classpath aqute-bnd/biz.aQute.bndlib)" \ -Dbndlibg.jar="$(build-classpath aqute-bnd/aQute.libg)" \ -Dbndannotation.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \ ++++++ tomcat-9.0-CVE-2021-30640.patch ++++++ ++++ 2666 lines (skipped) ++++++ tomcat-9.0-CVE-2021-33037.patch ++++++ Index: apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11Processor.java =================================================================== --- apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/http11/Http11Processor.java +++ apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11Processor.java @@ -212,11 +212,8 @@ public class Http11Processor extends Abs // Parsing trims and converts to lower case. - if (encodingName.equals("identity")) { - // Skip - } else if (encodingName.equals("chunked")) { - inputBuffer.addActiveFilter - (inputFilters[Constants.CHUNKED_FILTER]); + if (encodingName.equals("chunked")) { + inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]); contentDelimitation = true; } else { for (int i = pluggableFilterIndex; i < inputFilters.length; i++) { @@ -753,13 +750,14 @@ public class Http11Processor extends Abs InputFilter[] inputFilters = inputBuffer.getFilters(); // Parse transfer-encoding header - if (http11) { + // HTTP specs say an HTTP 1.1 server should accept any recognised + // HTTP 1.x header from a 1.x client unless the specs says otherwise. + if (!http09) { MessageBytes transferEncodingValueMB = headers.getValue("transfer-encoding"); if (transferEncodingValueMB != null) { List<String> encodingNames = new ArrayList<>(); if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) { for (String encodingName : encodingNames) { - // "identity" codings are ignored addInputFilter(inputFilters, encodingName); } } else { Index: apache-tomcat-9.0.43-src/test/org/apache/coyote/http11/TestHttp11Processor.java =================================================================== --- apache-tomcat-9.0.43-src.orig/test/org/apache/coyote/http11/TestHttp11Processor.java +++ apache-tomcat-9.0.43-src/test/org/apache/coyote/http11/TestHttp11Processor.java @@ -254,31 +254,6 @@ public class TestHttp11Processor extends @Test - public void testWithTEIdentity() throws Exception { - getTomcatInstanceTestWebapp(false, true); - - String request = - "POST /test/echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF + - "Host: any" + SimpleHttpClient.CRLF + - "Transfer-encoding: identity" + SimpleHttpClient.CRLF + - "Content-Length: 9" + SimpleHttpClient.CRLF + - "Content-Type: application/x-www-form-urlencoded" + - SimpleHttpClient.CRLF + - "Connection: close" + SimpleHttpClient.CRLF + - SimpleHttpClient.CRLF + - "test=data"; - - Client client = new Client(getPort()); - client.setRequest(new String[] {request}); - - client.connect(); - client.processRequest(); - Assert.assertTrue(client.isResponse200()); - Assert.assertTrue(client.getResponseBody().contains("test - data")); - } - - - @Test public void testWithTESavedRequest() throws Exception { getTomcatInstanceTestWebapp(false, true); @@ -1859,4 +1834,102 @@ public class TestHttp11Processor extends // NO-OP } } + + + @Test + public void testTEHeaderUnknown01() throws Exception { + doTestTEHeaderUnknown("identity"); + } + + + @Test + public void testTEHeaderUnknown02() throws Exception { + doTestTEHeaderUnknown("identity, chunked"); + } + + + @Test + public void testTEHeaderUnknown03() throws Exception { + doTestTEHeaderUnknown("unknown, chunked"); + } + + + @Test + public void testTEHeaderUnknown04() throws Exception { + doTestTEHeaderUnknown("void"); + } + + + @Test + public void testTEHeaderUnknown05() throws Exception { + doTestTEHeaderUnknown("void, chunked"); + } + + + @Test + public void testTEHeaderUnknown06() throws Exception { + doTestTEHeaderUnknown("void, identity"); + } + + + @Test + public void testTEHeaderUnknown07() throws Exception { + doTestTEHeaderUnknown("identity, void"); + } + + + private void doTestTEHeaderUnknown(String headerValue) throws Exception { + Tomcat tomcat = getTomcatInstance(); + + // No file system docBase required + Context ctx = tomcat.addContext("", null); + + // Add servlet + Tomcat.addServlet(ctx, "TesterServlet", new TesterServlet(false)); + ctx.addServletMappingDecoded("/foo", "TesterServlet"); + + tomcat.start(); + + String request = + "GET /foo HTTP/1.1" + SimpleHttpClient.CRLF + + "Host: localhost:" + getPort() + SimpleHttpClient.CRLF + + "Transfer-Encoding: " + headerValue + SimpleHttpClient.CRLF + + SimpleHttpClient.CRLF; + + Client client = new Client(tomcat.getConnector().getLocalPort()); + client.setRequest(new String[] {request}); + + client.connect(); + client.processRequest(false); + + Assert.assertTrue(client.isResponse501()); + } + + + @Test + public void testWithTEChunkedHttp10() throws Exception { + + getTomcatInstanceTestWebapp(false, true); + + String request = + "POST /test/echo-params.jsp HTTP/1.0" + SimpleHttpClient.CRLF + + "Host: any" + SimpleHttpClient.CRLF + + "Transfer-encoding: chunked" + SimpleHttpClient.CRLF + + "Content-Type: application/x-www-form-urlencoded" + + SimpleHttpClient.CRLF + + "Connection: close" + SimpleHttpClient.CRLF + + SimpleHttpClient.CRLF + + "9" + SimpleHttpClient.CRLF + + "test=data" + SimpleHttpClient.CRLF + + "0" + SimpleHttpClient.CRLF + + SimpleHttpClient.CRLF; + + Client client = new Client(getPort()); + client.setRequest(new String[] {request}); + + client.connect(); + client.processRequest(); + Assert.assertTrue(client.isResponse200()); + Assert.assertTrue(client.getResponseBody().contains("test - data")); + } } Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml =================================================================== --- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml +++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml @@ -347,6 +347,16 @@ connections are attempted and fail. Patch provided by Maurizio Adami. (markt) </fix> + <fix> + Remove support for the <code>identity</code> transfer encoding. The + inclusion of this encoding in RFC 2616 was an error that was corrected + in 2001. Requests using this transfer encoding will now receive a 501 + response. (markt) + </fix> + <fix> + Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1 + clients. (markt) + </fix> </changelog> </subsection> <subsection name="Web applications"> ++++++ tomcat-9.0-CVE-2021-41079.patch ++++++ >From d4b340fa8feaf55831f9a59350578f7b6ca048b8 Mon Sep 17 00:00:00 2001 From: Mark Thomas <ma...@apache.org> Date: Wed, 3 Mar 2021 12:00:46 +0000 Subject: [PATCH] Improve robustness --- .../apache/tomcat/util/net/openssl/LocalStrings.properties | 1 + java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 6 ++++-- webapps/docs/changelog.xml | 4 ++++ 3 files changed, 9 insertions(+), 2 deletions(-) Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties =================================================================== --- apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties +++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties @@ -17,6 +17,7 @@ engine.ciphersFailure=Failed getting cip engine.emptyCipherSuite=Empty cipher suite engine.engineClosed=Engine is closed engine.failedCipherSuite=Failed to enable cipher suite [{0}] +engine.failedToReadAvailableBytes=There are plain text bytes available to read but no bytes were read engine.inboundClose=Inbound closed before receiving peer's close_notify engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <= offset + length <= srcs.length [{2}]) engine.invalidDestinationBuffersState=The state of the destination buffers changed concurrently while unwrapping bytes Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java =================================================================== --- apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java +++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java @@ -592,8 +592,10 @@ public final class OpenSSLEngine extends throw new SSLException(e); } - if (bytesRead == 0) { - break; + if (bytesRead <= 0) { + // This should not be possible. pendingApp is positive + // therefore the read should have read at least one byte. + throw new IllegalStateException(sm.getString("engine.failedToReadAvailableBytes")); } bytesProduced += bytesRead; Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml =================================================================== --- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml +++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml @@ -173,6 +173,10 @@ the access log file, include information on the current user in the associated log message (markt) </fix> + <fix> + Make handling of OpenSSL read errors more robust when plain text data is + reported to be available to read. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> ++++++ tomcat-9.0-osgi-build.patch ++++++ --- /var/tmp/diff_new_pack.PfPRWw/_old 2021-11-10 21:47:21.667835323 +0100 +++ /var/tmp/diff_new_pack.PfPRWw/_new 2021-11-10 21:47:21.667835323 +0100 @@ -2,10 +2,11 @@ =================================================================== --- apache-tomcat-9.0.37-src.orig/build.xml +++ apache-tomcat-9.0.37-src/build.xml -@@ -3307,6 +3307,12 @@ Read the Building page on the Apache Tom +@@ -3307,6 +3307,13 @@ Read the Building page on the Apache Tom <!-- Add bnd tasks to project --> <path id="bnd.classpath"> <fileset file="${bnd.jar}" /> ++ <fileset file="${bndant.jar}" /> + <fileset file="${bndlib.jar}" /> + <fileset file="${bndlibg.jar}" /> + <fileset file="${bndannotation.jar}" />