This is an automated email from the git hooks/post-receive script. apo pushed a commit to annotated tag debian/6.0.45+dfsg-1_deb7u3 in repository tomcat6.
commit dacc8401d45abdb8b0c654607ed4a216937d00ff Author: Markus Koschany <[email protected]> Date: Fri Nov 25 22:04:20 2016 +0100 Import Debian patch 6.0.45+dfsg-1~deb7u3 --- debian/changelog | 215 +++---- debian/compat | 2 +- debian/control | 229 ++++---- debian/copyright | 2 +- debian/defaults.template | 2 - debian/orig-tar.sh | 2 +- debian/patches/CVE-2016-0762.patch | 85 +++ debian/patches/CVE-2016-5018.patch | 88 +++ debian/patches/CVE-2016-6794.patch | 141 +++++ debian/patches/CVE-2016-6796.patch | 78 +++ debian/patches/CVE-2016-6797.patch | 211 +++++++ debian/patches/CVE-2016-6816.patch | 1105 ++++++++++++++++++++++++++++++++++++ debian/patches/CVE-2016-8735.patch | 24 + debian/patches/series | 7 + debian/rules | 58 +- debian/tomcat6.cron.daily | 11 +- debian/tomcat6.init | 7 +- debian/watch | 2 +- 18 files changed, 2012 insertions(+), 257 deletions(-) diff --git a/debian/changelog b/debian/changelog index 560fcbc..5ecc7a3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,104 +1,129 @@ -tomcat6 (6.0.45+dfsg-1) unstable; urgency=medium +tomcat6 (6.0.45+dfsg-1~deb7u3) UNRELEASED; urgency=high + + * Fixed CVE-2016-0762: The Realm implementations did not process the supplied + password if the supplied user name did not exist. This made a timing attack + possible to determine valid user names. + * Fixed CVE-2016-5018: A malicious web application was able to bypass + a configured SecurityManager via a Tomcat utility method that was + accessible to web applications. + * Fixed CVE-2016-6794: When a SecurityManager is configured, a web + application's ability to read system properties should be controlled by + the SecurityManager. Tomcat's system property replacement feature for + configuration files could be used by a malicious web application to bypass + the SecurityManager and read system properties that should not be visible. + * Fixed CVE-2016-6796: A malicious web application was able to bypass + a configured SecurityManager via manipulation of the configuration + parameters for the JSP Servlet. + * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application + access to global JNDI resources to those resources explicitly linked to the + web application. Therefore, it was possible for a web application to access + any global JNDI resource whether an explicit ResourceLink had been + configured or not. + * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted + invalid characters. This could be exploited, in conjunction with a proxy + that also permitted the invalid characters but with a different + interpretation, to inject data into the HTTP response. By manipulating the + HTTP response the attacker could poison a web-cache, perform an XSS attack + and/or obtain sensitive information from requests other then their own. + * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take + account of Oracle's fix for CVE-2016-3427. 
Therefore, Tomcat installations + using this listener remained vulnerable to a similar remote code execution + vulnerability. + * CVE-2016-1240 follow-up: + - The previous init.d fix was vulnerable to a race condition that could + be exploited to make any existing file writable by the tomcat user. + Thanks to Paul Szabo for the report and the fix. + - The catalina.policy file generated on startup was affected by a similar + vulnerability that could be exploited to overwrite any file on the system. + Thanks to Paul Szabo for the report. + * Hardened the init.d script, thanks to Paul Szabo + + -- Markus Koschany <[email protected]> Fri, 25 Nov 2016 22:04:20 +0100 + +tomcat6 (6.0.45+dfsg-1~deb7u2) wheezy-security; urgency=high * Team upload. - * Imported Upstream version 6.0.45+dfsg. - - Remove all prebuilt jar files. - * Declare compliance with Debian Policy 3.9.7. - * Vcs-fields: Use https. - * This update fixes the following security vulnerabilities in the source - package. Since src:tomcat6 only builds libservlet2.5-java and - documentation, users are not directly affected. - - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java. - - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45 - processes redirects before considering security constraints and Filters. - - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place - org.apache.catalina.manager.StatusManagerServlet on the - org/apache/catalina/core/RestrictedServlets.properties list which allows - remote authenticated users to bypass intended SecurityManager - restrictions. - - CVE-2016-0714: The session-persistence implementation in Apache Tomcat - before 6.0.45 mishandles session attributes, which allows remote - authenticated users to bypass intended SecurityManager restrictions. 
- - CVE-2016-0763: The setGlobalContext method in - org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does - not consider whether ResourceLinkFactory.setGlobalContext callers are - authorized, which allows remote authenticated users to bypass intended - SecurityManager restrictions and read or write to arbitrary application - data, or cause a denial of service (application disruption), via a web - application that sets a crafted global context. - - CVE-2015-5351: The Manager and Host Manager applications in - Apache Tomcat establish sessions and send CSRF tokens for arbitrary new - requests, which allows remote attackers to bypass a CSRF protection - mechanism by using a token. - - -- Markus Koschany <[email protected]> Sat, 27 Feb 2016 19:32:00 +0100 - -tomcat6 (6.0.41-4) unstable; urgency=medium - - * Removed the timstamp from the Javadoc of the Servlet API - to make the build reproducible - - -- Emmanuel Bourg <[email protected]> Wed, 06 May 2015 09:35:37 +0200 - -tomcat6 (6.0.41-3) unstable; urgency=medium - - * Build only the libservlet2.5-java and libservlet2.5-java-doc packages. - Tomcat 6 will not be supported in Jessie, but the Servlet API is still - useful as a build dependency for other packages. - * Standards-Version updated to 3.9.6 (no changes) - - -- Emmanuel Bourg <[email protected]> Wed, 22 Oct 2014 09:48:54 +0200 - -tomcat6 (6.0.41-2) unstable; urgency=medium - - [ Emmanuel Bourg ] - * Updated the version required for libtcnative-1 (>= 1.1.30) + * Fix CVE-2016-1240: + tomcat6.init: Protect /var/log/tomcat6/catalina.out against symlink + attacks and a possible root privilege escalation. - [ tony mancill ] - * Add patch for logfile compression. (Closes: #682955) - - Thank you to Thijs Kinkhorst. - - -- tony mancill <[email protected]> Sun, 24 Aug 2014 13:52:40 -0700 - -tomcat6 (6.0.41-1) unstable; urgency=medium - - * New upstream release. 
- - Refreshed the patches - - -- Emmanuel Bourg <[email protected]> Thu, 22 May 2014 10:03:04 +0200 - -tomcat6 (6.0.39-1) unstable; urgency=medium - - * Team upload. - * New upstream release. - - Refreshed the patches - * Standards-Version updated to 3.9.5 (no changes) - * Switch to debhelper level 9 - * Use XZ compression for the upstream tarball - * Use canonical URL for the Vcs-Git field - - -- Emmanuel Bourg <[email protected]> Mon, 17 Feb 2014 00:02:00 +0100 - -tomcat6 (6.0.37-1) unstable; urgency=low + -- Markus Koschany <[email protected]> Thu, 15 Sep 2016 15:41:21 +0200 - * New upstream release. - - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546, - CVE-2012-2733, CVE-2012-3439 - - Drop 0011-CVE-02012-0022-regression-fix.patch - - Drop 0017-eclipse-compiler-update.patch - * Freshened remaining patches. - - -- tony mancill <[email protected]> Sat, 03 Aug 2013 21:50:20 -0700 - -tomcat6 (6.0.35-7) unstable; urgency=low +tomcat6 (6.0.45+dfsg-1~deb7u1) wheezy-security; urgency=high * Team upload. - * Fixed the watch file - * Fix FTBFS with ecj 3.8 (closes: #717279, #713796) - * Updated the standards version to 3.9.4 - no changes - * Updated the Vcs-Git field to the canonical url - - -- Stephen Nelson <[email protected]> Tue, 30 Jul 2013 23:07:18 +0100 + * The full list of changes between 6.0.35 (the version previously available + in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is + available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html + * This update fixes the following security issues: + - CVE-2014-0033: prevent remote attackers from conducting session + fixation attacks via crafted URLs. + - CVE-2014-0119: Fix not properly constraining class loader that accesses + the XML parser used with an XSLT stylesheet which allowed remote + attackers to read arbitrary files via crafted web applications. + - CVE-2014-0099: Fix integer overflow in + java/org/apache/tomcat/util/buf/Ascii.java. 
+ - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote + attackers to bypass security-manager restrictions. + - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in + java/org/apache/coyote/http11/filters/ChunkedInputFilter.java. + - CVE-2013-4590: prevent "Tomcat internals" information leaks. + - CVE-2013-4322: prevent remote attackers from doing denial of service + attacks. + - CVE-2013-4286: reject requests with multiple content-length headers or + with a content-length header when chunked encoding is being used. + - Avoid CVE-2013-1571 when generating Javadoc. + * CVE-2014-0227.patch: + - Add error flag to allow subsequent attempts at reading after an error to + fail fast. + * CVE-2014-0230: Add support for maxSwallowSize. + * CVE-2014-7810: + - Fix potential BeanELResolver issue when running under a security manager. + Some classes may not be accessible but may have accessible interfaces. + * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java. + * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45 + processes redirects before considering security constraints and Filters. + * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place + org.apache.catalina.manager.StatusManagerServlet on the + org/apache/catalina/core/RestrictedServlets.properties list which allows + remote authenticated users to bypass intended SecurityManager + restrictions. + * CVE-2016-0714: The session-persistence implementation in Apache Tomcat + before 6.0.45 mishandles session attributes, which allows remote + authenticated users to bypass intended SecurityManager restrictions. 
+ * CVE-2016-0763: The setGlobalContext method in + org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does + not consider whether ResourceLinkFactory.setGlobalContext callers are + authorized, which allows remote authenticated users to bypass intended + SecurityManager restrictions and read or write to arbitrary application + data, or cause a denial of service (application disruption), via a web + application that sets a crafted global context. + * CVE-2015-5351: The Manager and Host Manager applications in + Apache Tomcat establish sessions and send CSRF tokens for arbitrary new + requests, which allows remote attackers to bypass a CSRF protection + mechanism by using a token. + * Drop the following patches. Applied upstream. + - 0011-CVE-2012-0022-regression-fix.patch + - 0012-CVE-2012-3544.patch + - 0014-CVE-2012-4534.patch + - 0015-CVE-2012-4431.patch + - 0016-CVE-2012-3546.patch + - 0017-CVE-2013-2067.patch + - cve-2012-2733.patch + - cve-2012-3439.patch + - CVE-2014-0227.patch + - CVE-2014-0230.patch + - CVE-2014-7810-1.patch + - CVE-2014-7810-2.patch + - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch + + -- Markus Koschany <[email protected]> Wed, 16 Mar 2016 14:08:48 +0100 + +tomcat6 (6.0.35-6+deb7u1) stable-security; urgency=low + + * CVE-2012-3544, CVE-2013-2067 + + -- Moritz Mühlenhoff <[email protected]> Thu, 18 Jul 2013 00:00:35 +0200 tomcat6 (6.0.35-6) unstable; urgency=high diff --git a/debian/compat b/debian/compat index ec63514..7f8f011 100644 --- a/debian/compat +++ b/debian/compat @@ -1 +1 @@ -9 +7 diff --git a/debian/control b/debian/control index 2876bad..bb9e632 100644 --- a/debian/control +++ b/debian/control 
@@ -6,90 +6,89 @@ Uploaders: Torsten Werner <[email protected]>, Ludovic Claude <[email protected]>, Damien Raude-Morvan <[email protected]>, Miguel Landaeta <[email protected]>, - tony mancill <[email protected]>, - Emmanuel Bourg <[email protected]> -Build-Depends: default-jdk, ant-optional, debhelper (>= 9), po-debconf + tony mancill <[email protected]> +Build-Depends: default-jdk, ant-optional, debhelper (>= 7), po-debconf Build-Depends-Indep: maven-repo-helper (>> 1.0.1), libecj-java -Standards-Version: 3.9.7 -Vcs-Git: https://anonscm.debian.org/git/pkg-java/tomcat6.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/tomcat6.git +Standards-Version: 3.9.3 Homepage: http://tomcat.apache.org +Vcs-Git: git://git.debian.org/git/pkg-java/tomcat6.git +Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/tomcat6.git -#Package: tomcat6-common -#Architecture: all -#Depends: libtomcat6-java (>= ${source:Version}), ${misc:Depends}, -# default-jre-headless | java7-runtime-headless | java7-runtime | java6-runtime-headless | java6-runtime | java5-runtime -#Description: Servlet and JSP engine -- common files -# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) -# specifications from Sun Microsystems, and provides a "pure Java" HTTP web -# server environment for Java code to run. -# . -# This package contains common files needed by the tomcat6 and tomcat6-user -# packages (Tomcat 6 scripts and libraries). +Package: tomcat6-common +Architecture: all +Depends: libtomcat6-java (>= ${source:Version}), ${misc:Depends}, + default-jre-headless | java7-runtime-headless | java7-runtime | java6-runtime-headless | java6-runtime | java5-runtime +Description: Servlet and JSP engine -- common files + Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) + specifications from Sun Microsystems, and provides a "pure Java" HTTP web + server environment for Java code to run. + . 
+ This package contains common files needed by the tomcat6 and tomcat6-user + packages (Tomcat 6 scripts and libraries). -#Package: tomcat6 -#Architecture: all -#Depends: tomcat6-common (>= ${source:Version}), ucf, -# adduser, ${misc:Depends} -#Recommends: authbind -#Suggests: tomcat6-docs (>= ${source:Version}), -# tomcat6-admin (>= ${source:Version}), -# tomcat6-examples (>= ${source:Version}), -# tomcat6-user (>= ${source:Version}), -# libtcnative-1 (>= 1.1.30) -#Description: Servlet and JSP engine -# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) -# specifications from Sun Microsystems, and provides a "pure Java" HTTP web -# server environment for Java code to run. -# . -# This package contains only the startup scripts for the system-wide daemon. -# No documentation or web applications are included here, please install -# the tomcat6-docs and tomcat6-examples packages if you want them. -# Install the authbind package if you need to use Tomcat on ports 1-1023. -# Install tomcat6-user instead of this package if you don't want Tomcat to -# start as a service. +Package: tomcat6 +Architecture: all +Depends: tomcat6-common (>= ${source:Version}), ucf, + adduser, ${misc:Depends} +Recommends: authbind +Suggests: tomcat6-docs (>= ${source:Version}), + tomcat6-admin (>= ${source:Version}), + tomcat6-examples (>= ${source:Version}), + tomcat6-user (>= ${source:Version}), + libtcnative-1 +Description: Servlet and JSP engine + Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) + specifications from Sun Microsystems, and provides a "pure Java" HTTP web + server environment for Java code to run. + . + This package contains only the startup scripts for the system-wide daemon. + No documentation or web applications are included here, please install + the tomcat6-docs and tomcat6-examples packages if you want them. + Install the authbind package if you need to use Tomcat on ports 1-1023. 
+ Install tomcat6-user instead of this package if you don't want Tomcat to + start as a service. -#Package: tomcat6-user -#Architecture: all -#Depends: tomcat6-common (>= ${source:Version}), netcat, ${misc:Depends} -#Suggests: tomcat6-docs (>= ${source:Version}), -# tomcat6-admin (>= ${source:Version}), -# tomcat6-examples (>= ${source:Version}), -# tomcat6 (>= ${source:Version}) -#Description: Servlet and JSP engine -- tools to create user instances -# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) -# specifications from Sun Microsystems, and provides a "pure Java" HTTP web -# server environment for Java code to run. -# . -# This package contains files needed to create a user Tomcat instance. -# This user Tomcat instance can be started and stopped using the scripts -# provided in the Tomcat instance directory. +Package: tomcat6-user +Architecture: all +Depends: tomcat6-common (>= ${source:Version}), netcat, ${misc:Depends} +Suggests: tomcat6-docs (>= ${source:Version}), + tomcat6-admin (>= ${source:Version}), + tomcat6-examples (>= ${source:Version}), + tomcat6 (>= ${source:Version}) +Description: Servlet and JSP engine -- tools to create user instances + Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) + specifications from Sun Microsystems, and provides a "pure Java" HTTP web + server environment for Java code to run. + . + This package contains files needed to create a user Tomcat instance. + This user Tomcat instance can be started and stopped using the scripts + provided in the Tomcat instance directory. 
-#Package: libtomcat6-java -#Architecture: all -#Depends: libecj-java, -# libcommons-dbcp-java, -# libcommons-pool-java, -# libservlet2.5-java (>= ${source:Version}), ${misc:Depends} -#Suggests: tomcat6 (>= ${source:Version}) -#Conflicts: tomcat6-common (<< 6.0.20-5) -#Description: Servlet and JSP engine -- core libraries -# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) -# specifications from Sun Microsystems, and provides a "pure Java" HTTP web -# server environment for Java code to run. -# . -# This package contains the Tomcat core classes which can be used by other -# Java applications to embed Tomcat. +Package: libtomcat6-java +Architecture: all +Depends: libecj-java, + libcommons-dbcp-java, + libcommons-pool-java, + libservlet2.5-java (>= ${source:Version}), ${misc:Depends} +Suggests: tomcat6 (>= ${source:Version}) +Conflicts: tomcat6-common (<< 6.0.20-5) +Description: Servlet and JSP engine -- core libraries + Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) + specifications from Sun Microsystems, and provides a "pure Java" HTTP web + server environment for Java code to run. + . + This package contains the Tomcat core classes which can be used by other + Java applications to embed Tomcat. -#Package: libservlet2.4-java -#Section: oldlibs -#Priority: extra -#Architecture: all -#Depends: ${misc:Depends}, libservlet2.5-java -#Description: Transitional package for libservlet2.5-java -# This is a transitional package to facilitate upgrading from -# libservlet2.4-java to libservlet2.5-java, and can be safely -# removed after the installation is complete. +Package: libservlet2.4-java +Section: oldlibs +Priority: extra +Architecture: all +Depends: ${misc:Depends}, libservlet2.5-java +Description: Transitional package for libservlet2.5-java + This is a transitional package to facilitate upgrading from + libservlet2.4-java to libservlet2.5-java, and can be safely + removed after the installation is complete. 
Package: libservlet2.5-java Architecture: all 
@@ -114,44 +113,44 @@ Description: Servlet 2.5 and JSP 2.1 Java API documentation . This package contains the documentation for the Java Servlet and JSP library. -#Package: tomcat6-admin -#Architecture: all -#Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends} -#Description: Servlet and JSP engine -- admin web applications -# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) -# specifications from Sun Microsystems, and provides a "pure Java" HTTP web -# server environment for Java code to run. -# . -# This package contains the administrative web interfaces. +Package: tomcat6-admin +Architecture: all +Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends} +Description: Servlet and JSP engine -- admin web applications + Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) + specifications from Sun Microsystems, and provides a "pure Java" HTTP web + server environment for Java code to run. + . + This package contains the administrative web interfaces. -#Package: tomcat6-examples -#Architecture: all -#Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends} -#Description: Servlet and JSP engine -- example web applications -# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) -# specifications from Sun Microsystems, and provides a "pure Java" HTTP web -# server environment for Java code to run. -# . -# This package contains the default Tomcat example webapps. +Package: tomcat6-examples +Architecture: all +Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends} +Description: Servlet and JSP engine -- example web applications + Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) + specifications from Sun Microsystems, and provides a "pure Java" HTTP web + server environment for Java code to run. + . + This package contains the default Tomcat example webapps. 
-#Package: tomcat6-docs -#Section: doc -#Architecture: all -#Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends} -#Description: Servlet and JSP engine -- documentation -# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) -# specifications from Sun Microsystems, and provides a "pure Java" HTTP web -# server environment for Java code to run. -# . -# This package contains the online documentation web application. +Package: tomcat6-docs +Section: doc +Architecture: all +Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends} +Description: Servlet and JSP engine -- documentation + Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) + specifications from Sun Microsystems, and provides a "pure Java" HTTP web + server environment for Java code to run. + . + This package contains the online documentation web application. -#Package: tomcat6-extras -#Architecture: all -#Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends} -#Description: Servlet and JSP engine -- additional components -# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) -# specifications from Sun Microsystems, and provides a "pure Java" HTTP web -# server environment for Java code to run. -# . -# This package contains additional ("extra") component libraries. -# (Currently only catalina-jmx-remote.jar.) +Package: tomcat6-extras +Architecture: all +Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends} +Description: Servlet and JSP engine -- additional components + Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) + specifications from Sun Microsystems, and provides a "pure Java" HTTP web + server environment for Java code to run. + . + This package contains additional ("extra") component libraries. + (Currently only catalina-jmx-remote.jar.) diff --git a/debian/copyright b/debian/copyright index c9cb78a..12448db 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -9,7 +9,7 @@ on Tomcat 5.5 and initial packaging by David Pashley <[email protected]>. It was downloaded from http://tomcat.apache.org Copyright: - Copyright (C) 2000-2014, The Apache Software Foundation. + Copyright (C) 2000-2007 Apache Software Foundation. Copyright (C) International Business Machines Corporation 2002 Authors: diff --git a/debian/defaults.template b/debian/defaults.template index 3ef3280..416312c 100644 --- a/debian/defaults.template +++ b/debian/defaults.template @@ -33,8 +33,6 @@ JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC" # Number of days to keep logfiles in /var/log/tomcat6. Default is 14 days. #LOGFILE_DAYS=14 -# Whether to compress logfiles older than today's -#LOGFILE_COMPRESS=1 # Location of the JVM temporary directory # WARNING: This directory will be destroyed and recreated at every startup ! diff --git a/debian/orig-tar.sh b/debian/orig-tar.sh index 22b8732..0dea910 100755 --- a/debian/orig-tar.sh +++ b/debian/orig-tar.sh @@ -6,7 +6,7 @@ DIR=tomcat6-$VERSION TAG=$(echo TOMCAT_$VERSION | sed -e 's/\./_/g') svn export http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/$TAG $DIR -tar -c -J -f $TAR --exclude 'standard.jar' --exclude 'jstl.jar' $DIR +tar -c -z -f $TAR --exclude 'standard.jar' --exclude 'jstl.jar' $DIR rm -rf $DIR ../$TAG # move to directory 'tarballs' diff --git a/debian/patches/CVE-2016-0762.patch b/debian/patches/CVE-2016-0762.patch new file mode 100644 index 0000000..1bd0052 --- /dev/null +++ b/debian/patches/CVE-2016-0762.patch 
@@ -0,0 +1,85 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 7 Nov 2016 13:38:38 +0100 +Subject: CVE-2016-0762 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1758506 +--- + java/org/apache/catalina/realm/MemoryRealm.java | 30 +++++++++++++++---------- + java/org/apache/catalina/realm/RealmBase.java | 14 +++++++----- + 2 files changed, 27 insertions(+), 17 deletions(-) + +diff --git a/java/org/apache/catalina/realm/MemoryRealm.java b/java/org/apache/catalina/realm/MemoryRealm.java +index 56bc970..8e6bf68 100644 +--- a/java/org/apache/catalina/realm/MemoryRealm.java ++++ b/java/org/apache/catalina/realm/MemoryRealm.java +@@ -142,23 +142,29 @@ public class MemoryRealm extends RealmBase { + * @param credentials Password or other credentials to use in + * authenticating this username + */ ++ @Override + public Principal authenticate(String username, String credentials) { + +- GenericPrincipal principal = +- (GenericPrincipal) principals.get(username); ++ // No user or no credentials ++ // Can't possibly authenticate, don't bother the database then ++ if (username == null || credentials == null) { ++ return null; ++ } ++ ++ GenericPrincipal principal = principals.get(username); + + boolean validated = false; +- if (principal != null && credentials != null) { +- if (hasMessageDigest()) { +- // Hex hashes should be compared case-insensitive +- validated = (digest(credentials) +- .equalsIgnoreCase(principal.getPassword())); +- } else { +- validated = +- (digest(credentials).equals(principal.getPassword())); +- } ++ String dbCredentials = null; ++ if (principal != null) { ++ dbCredentials = principal.getPassword(); + } +- ++ if (hasMessageDigest()) { ++ // Hex hashes should be compared case-insensitive ++ validated = (digest(credentials).equalsIgnoreCase(dbCredentials)); ++ } else { ++ validated = (digest(credentials).equals(dbCredentials)); ++ } ++ + if (validated) { + if (log.isDebugEnabled()) + 
log.debug(sm.getString("memoryRealm.authenticateSuccess", username)); +diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java +index 4f7c27f..cd62bf4 100644 +--- a/java/org/apache/catalina/realm/RealmBase.java ++++ b/java/org/apache/catalina/realm/RealmBase.java +@@ -336,15 +336,19 @@ public abstract class RealmBase + */ + public Principal authenticate(String username, String credentials) { + ++ // No user or no credentials ++ // Can't possibly authenticate, don't bother the database then ++ if (username == null || credentials == null) { ++ return null; ++ } ++ + String serverCredentials = getPassword(username); + + boolean validated ; +- if ( serverCredentials == null ) { +- validated = false; +- } else if(hasMessageDigest()) { +- validated = serverCredentials.equalsIgnoreCase(digest(credentials)); ++ if(hasMessageDigest()) { ++ validated = digest(credentials).equalsIgnoreCase(serverCredentials); + } else { +- validated = serverCredentials.equals(credentials); ++ validated = credentials.equals(serverCredentials); + } + if(! validated ) { + if (containerLog.isTraceEnabled()) { diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch new file mode 100644 index 0000000..5d5d709 --- /dev/null +++ b/debian/patches/CVE-2016-5018.patch 
@@ -0,0 +1,88 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 7 Nov 2016 13:31:22 +0100 +Subject: CVE-2016-5018 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1754904 +--- + .../apache/jasper/runtime/JspRuntimeLibrary.java | 54 +--------------------- + 1 file changed, 1 insertion(+), 53 deletions(-) + +diff --git a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java +index 02d21dd..bdc769f 100644 +--- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java ++++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java +@@ -14,7 +14,6 @@ + * See the License for the specific language governing permissions and + * limitations under the License. + */ +- + package org.apache.jasper.runtime; + + import java.beans.PropertyEditor; +@@ -60,35 +59,6 @@ public class JspRuntimeLibrary { + private static final String JSP_EXCEPTION + = "javax.servlet.jsp.jspException"; + +- protected static class PrivilegedIntrospectHelper +- implements PrivilegedExceptionAction { +- +- private Object bean; +- private String prop; +- private String value; +- private ServletRequest request; +- private String param; +- private boolean ignoreMethodNF; +- +- PrivilegedIntrospectHelper(Object bean, String prop, +- String value, ServletRequest request, +- String param, boolean ignoreMethodNF) +- { +- this.bean = bean; +- this.prop = prop; +- this.value = value; +- this.request = request; +- this.param = param; +- this.ignoreMethodNF = ignoreMethodNF; +- } +- +- public Object run() throws JasperException { +- internalIntrospecthelper( +- bean,prop,value,request,param,ignoreMethodNF); +- return null; +- } +- } +- + /** + * Returns the value of the javax.servlet.error.exception request + * attribute value, if present, otherwise the value of the +@@ -292,29 +262,7 @@ public class JspRuntimeLibrary { + public static void introspecthelper(Object bean, String prop, + String value, ServletRequest request, + String param, 
boolean ignoreMethodNF) +- throws JasperException +- { +- if( Constants.IS_SECURITY_ENABLED ) { +- try { +- PrivilegedIntrospectHelper dp = +- new PrivilegedIntrospectHelper( +- bean,prop,value,request,param,ignoreMethodNF); +- AccessController.doPrivileged(dp); +- } catch( PrivilegedActionException pe) { +- Exception e = pe.getException(); +- throw (JasperException)e; +- } +- } else { +- internalIntrospecthelper( +- bean,prop,value,request,param,ignoreMethodNF); +- } +- } +- +- private static void internalIntrospecthelper(Object bean, String prop, +- String value, ServletRequest request, +- String param, boolean ignoreMethodNF) +- throws JasperException +- { ++ throws JasperException { + Method method = null; + Class type = null; + Class propertyEditorClass = null; diff --git a/debian/patches/CVE-2016-6794.patch b/debian/patches/CVE-2016-6794.patch new file mode 100644 index 0000000..5ad88e7 --- /dev/null +++ b/debian/patches/CVE-2016-6794.patch 
@@ -0,0 +1,141 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 7 Nov 2016 12:36:03 +0100 +Subject: CVE-2016-6794 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1754733 +--- + .../apache/catalina/loader/WebappClassLoader.java | 27 ++++++++++++-- + java/org/apache/tomcat/util/digester/Digester.java | 10 +++++ + .../tomcat/util/security/PermissionCheck.java | 43 ++++++++++++++++++++++ + 3 files changed, 76 insertions(+), 4 deletions(-) + create mode 100644 java/org/apache/tomcat/util/security/PermissionCheck.java + +diff --git a/java/org/apache/catalina/loader/WebappClassLoader.java b/java/org/apache/catalina/loader/WebappClassLoader.java +index 528d906..dab7299 100644 +--- a/java/org/apache/catalina/loader/WebappClassLoader.java ++++ b/java/org/apache/catalina/loader/WebappClassLoader.java +@@ -74,6 +74,7 @@ import org.apache.naming.resources.ProxyDirContext; + import org.apache.naming.resources.Resource; + import org.apache.naming.resources.ResourceAttributes; + import org.apache.tomcat.util.IntrospectionUtils; ++import org.apache.tomcat.util.security.PermissionCheck; + + /** + * Specialized web application class loader. +@@ -112,10 +113,8 @@ import org.apache.tomcat.util.IntrospectionUtils; + * @author Craig R. 
McClanahan + * + */ +-public class WebappClassLoader +- extends URLClassLoader +- implements Reloader, Lifecycle +- { ++public class WebappClassLoader extends URLClassLoader ++ implements Reloader, Lifecycle, PermissionCheck { + + protected static org.apache.juli.logging.Log log= + org.apache.juli.logging.LogFactory.getLog( WebappClassLoader.class ); +@@ -1711,6 +1710,26 @@ public class WebappClassLoader + + } + ++ public boolean check(Permission permission) { ++ if (!Globals.IS_SECURITY_ENABLED) { ++ return true; ++ } ++ Policy currentPolicy = Policy.getPolicy(); ++ if (currentPolicy != null) { ++ ResourceEntry entry = findResourceInternal("/", "/"); ++ if (entry != null) { ++ CodeSource cs = new CodeSource( ++ entry.codeBase, (java.security.cert.Certificate[]) null); ++ PermissionCollection pc = currentPolicy.getPermissions(cs); ++ if (pc.implies(permission)) { ++ return true; ++ } ++ } ++ } ++ return false; ++ ++ } ++ + + /** + * Returns the search path of URLs for loading classes and resources. 
+diff --git a/java/org/apache/tomcat/util/digester/Digester.java b/java/org/apache/tomcat/util/digester/Digester.java +index ffae93f..afa8f6a 100644 +--- a/java/org/apache/tomcat/util/digester/Digester.java ++++ b/java/org/apache/tomcat/util/digester/Digester.java +@@ -52,6 +52,9 @@ import org.xml.sax.SAXParseException; + import org.xml.sax.XMLReader; + import org.xml.sax.ext.DefaultHandler2; + import org.xml.sax.helpers.AttributesImpl; ++import java.security.Permission; ++import java.util.PropertyPermission; ++import org.apache.tomcat.util.security.PermissionCheck; + + + /** +@@ -80,6 +83,13 @@ public class Digester extends DefaultHandler2 { + private static class SystemPropertySource + implements IntrospectionUtils.PropertySource { + public String getProperty( String key ) { ++ ClassLoader cl = Thread.currentThread().getContextClassLoader(); ++ if (cl instanceof PermissionCheck) { ++ Permission p = new PropertyPermission(key, "read"); ++ if (!((PermissionCheck) cl).check(p)) { ++ return null; ++ } ++ } + return System.getProperty(key); + } + } +diff --git a/java/org/apache/tomcat/util/security/PermissionCheck.java b/java/org/apache/tomcat/util/security/PermissionCheck.java +new file mode 100644 +index 0000000..ba2bdd3 +--- /dev/null ++++ b/java/org/apache/tomcat/util/security/PermissionCheck.java +@@ -0,0 +1,43 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. 
You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++package org.apache.tomcat.util.security; ++ ++import java.security.Permission; ++ ++/** ++ * This interface is implemented by components to enable privileged code to ++ * check whether the component has a given permission. ++ * This is typically used when a privileged component (e.g. the container) is ++ * performing an action on behalf of an untrusted component (e.g. a web ++ * application) without the current thread having passed through a code source ++ * provided by the untrusted component. Because the current thread has not ++ * passed through a code source provided by the untrusted component the ++ * SecurityManager assumes the code is trusted so the standard checking ++ * mechanisms can't be used. ++ */ ++public interface PermissionCheck { ++ ++ /** ++ * Does this component have the given permission? ++ * ++ * @param permission The permission to test ++ * ++ * @return {@code false} if a SecurityManager is enabled and the component ++ * does not have the given permission, otherwise {@code false} ++ */ ++ boolean check(Permission permission); ++} diff --git a/debian/patches/CVE-2016-6796.patch b/debian/patches/CVE-2016-6796.patch new file mode 100644 index 0000000..1c0668a --- /dev/null +++ b/debian/patches/CVE-2016-6796.patch 
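Review bot: the @return Javadoc on PermissionCheck.check is wrong in its second clause: it reads "otherwise {@code false}" but should say "otherwise {@code true}", which is what WebappClassLoader.check actually does (it returns true when Globals.IS_SECURITY_ENABLED is false, or when the Policy's PermissionCollection for the web application's CodeSource implies the permission). In the WebappClassLoader hunk, the new public check(Permission) method has no Javadoc and carries a stray blank line before its closing brace; a short comment that a null Policy or a null findResourceInternal("/", "/") entry deliberately falls through to "return false" (deny by default) would make the fail-closed behaviour explicit. In the Digester hunk, the three new imports (java.security.Permission, java.util.PropertyPermission, org.apache.tomcat.util.security.PermissionCheck) are appended after the org.xml.sax imports instead of being grouped with the existing java.* and org.apache.* imports, and a denied read returns null silently; a debug-level log line at that point would let an administrator see why a ${key} placeholder was not expanded when the web application's policy grant is missing.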
@@ -0,0 +1,78 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 7 Nov 2016 12:54:08 +0100 +Subject: CVE-2016-6796 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1758496 +--- + conf/web.xml | 4 ++++ + java/org/apache/jasper/EmbeddedServletOptions.java | 4 ++++ + java/org/apache/jasper/resources/LocalStrings.properties | 1 + + java/org/apache/jasper/servlet/JspServlet.java | 6 ++++++ + 4 files changed, 15 insertions(+) + +diff --git a/conf/web.xml b/conf/web.xml +index 2e8815e..7062250 100644 +--- a/conf/web.xml ++++ b/conf/web.xml +@@ -189,6 +189,8 @@ + <!-- engineOptionsClass Allows specifying the Options class used to --> + <!-- configure Jasper. If not present, the default --> + <!-- EmbeddedServletOptions will be used. --> ++ <!-- This option is ignored when running under a --> ++ <!-- SecurityManager. --> + <!-- --> + <!-- errorOnUseBeanInvalidClassAttribute --> + <!-- Should Jasper issue an error when the value of --> +@@ -238,6 +240,8 @@ + <!-- scratchdir What scratch directory should we use when --> + <!-- compiling JSP pages? [default work directory --> + <!-- for the current web application] --> ++ <!-- This option is ignored when running under a --> ++ <!-- SecurityManager. --> + <!-- --> + <!-- suppressSmap Should the generation of SMAP info for JSR45 --> + <!-- debugging be suppressed? 
[false] --> +diff --git a/java/org/apache/jasper/EmbeddedServletOptions.java b/java/org/apache/jasper/EmbeddedServletOptions.java +index 3399a32..fa3d5f2 100644 +--- a/java/org/apache/jasper/EmbeddedServletOptions.java ++++ b/java/org/apache/jasper/EmbeddedServletOptions.java +@@ -586,6 +586,10 @@ public final class EmbeddedServletOptions implements Options { + * scratchdir + */ + String dir = config.getInitParameter("scratchdir"); ++ if (dir != null && Constants.IS_SECURITY_ENABLED) { ++ log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir)); ++ dir = null; ++ } + if (dir != null) { + scratchDir = new File(dir); + } else { +diff --git a/java/org/apache/jasper/resources/LocalStrings.properties b/java/org/apache/jasper/resources/LocalStrings.properties +index 03532ea..edb02c9 100644 +--- a/java/org/apache/jasper/resources/LocalStrings.properties ++++ b/java/org/apache/jasper/resources/LocalStrings.properties +@@ -448,6 +448,7 @@ jsp.error.nested_jsproot=Nested <jsp:root> + jsp.error.unbalanced.endtag=The end tag \"</{0}\" is unbalanced + jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid. + jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}. 
++jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled + + jsp.exception=An exception occurred processing JSP page {0} at line {1} + +diff --git a/java/org/apache/jasper/servlet/JspServlet.java b/java/org/apache/jasper/servlet/JspServlet.java +index 76ea446..6830093 100644 +--- a/java/org/apache/jasper/servlet/JspServlet.java ++++ b/java/org/apache/jasper/servlet/JspServlet.java +@@ -79,6 +79,12 @@ public class JspServlet extends HttpServlet implements PeriodicEventListener { + // Check for a custom Options implementation + String engineOptionsName = + config.getInitParameter("engineOptionsClass"); ++ if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) { ++ log.info(Localizer.getMessage( ++ "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName)); ++ engineOptionsName = null; ++ } ++ + if (engineOptionsName != null) { + // Instantiate the indicated Options implementation + try { diff --git a/debian/patches/CVE-2016-6797.patch b/debian/patches/CVE-2016-6797.patch new file mode 100644 index 0000000..9f42f47 --- /dev/null +++ b/debian/patches/CVE-2016-6797.patch 
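Review bot: both guards discard an administrator-supplied init-param (scratchdir in EmbeddedServletOptions, engineOptionsClass in JspServlet) at log.info level; since the setting is dropped rather than applied, log.warn is the more appropriate level, so a deployer looking for why the custom scratch directory or Options class is not in effect finds the message without raising the logger to INFO. The two checks are otherwise consistent with each other and with the new conf/web.xml comments ("This option is ignored when running under a SecurityManager"), and both reuse the single jsp.info.ignoreSetting key with the setting name as {0} and the rejected value as {1}. Minor: the JspServlet hunk adds an extra blank line after the new block; the EmbeddedServletOptions hunk does not, so the two insertions differ in spacing.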
@@ -0,0 +1,211 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 7 Nov 2016 13:20:10 +0100 +Subject: CVE-2016-6797 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1757285 +--- + .../catalina/core/NamingContextListener.java | 78 ++++++++++++++-------- + .../apache/naming/factory/ResourceLinkFactory.java | 60 +++++++++++++++++ + 2 files changed, 112 insertions(+), 26 deletions(-) + +diff --git a/java/org/apache/catalina/core/NamingContextListener.java b/java/org/apache/catalina/core/NamingContextListener.java +index 2b8256a..cfd612f 100644 +--- a/java/org/apache/catalina/core/NamingContextListener.java ++++ b/java/org/apache/catalina/core/NamingContextListener.java +@@ -71,6 +71,7 @@ import org.apache.naming.ResourceRef; + import org.apache.naming.ServiceRef; + import org.apache.naming.TransactionRef; + import org.apache.tomcat.util.modeler.Registry; ++import org.apache.naming.factory.ResourceLinkFactory; + + + /** +@@ -280,37 +281,48 @@ public class NamingContextListener + if (!initialized) + return; + +- // Setting the context in read/write mode +- ContextAccessController.setWritable(getName(), container); +- ContextBindings.unbindContext(container, container); ++ try { ++ // Setting the context in read/write mode ++ ContextAccessController.setWritable(getName(), container); ++ ContextBindings.unbindContext(container, container); ++ ++ if (container instanceof Context) { ++ ContextBindings.unbindClassLoader ++ (container, container, ++ ((Container) container).getLoader().getClassLoader()); ++ } + +- if (container instanceof Context) { +- ContextBindings.unbindClassLoader +- (container, container, +- ((Container) container).getLoader().getClassLoader()); +- } ++ if (container instanceof Server) { ++ namingResources.removePropertyChangeListener(this); ++ ContextBindings.unbindClassLoader ++ (container, container, ++ this.getClass().getClassLoader()); ++ } + +- if (container instanceof Server) { +- 
namingResources.removePropertyChangeListener(this); +- ContextBindings.unbindClassLoader +- (container, container, +- this.getClass().getClassLoader()); +- } ++ ContextAccessController.unsetSecurityToken(getName(), container); ++ ContextAccessController.unsetSecurityToken(container, container); + +- ContextAccessController.unsetSecurityToken(getName(), container); +- ContextAccessController.unsetSecurityToken(container, container); ++ // unregister mbeans. ++ if (!objectNames.isEmpty()) { ++ Collection<ObjectName> names = objectNames.values(); ++ Registry registry = Registry.getRegistry(null, null); ++ for (ObjectName objectName : names) { ++ registry.unregisterComponent(objectName); ++ } ++ } + +- // unregister mbeans. +- Collection<ObjectName> names = objectNames.values(); +- for (ObjectName objectName : names) { +- Registry.getRegistry(null, null).unregisterComponent(objectName); +- } +- objectNames.clear(); ++ javax.naming.Context global = getGlobalNamingContext(); ++ if (global != null) { ++ ResourceLinkFactory.deregisterGlobalResourceAccess(global); ++ } ++ } finally { ++ objectNames.clear(); + +- namingContext = null; +- envCtx = null; +- compCtx = null; +- initialized = false; ++ namingContext = null; ++ envCtx = null; ++ compCtx = null; ++ initialized = false; ++ } + + } + +@@ -1096,6 +1108,20 @@ public class NamingContextListener + logger.error(sm.getString("naming.bindFailed", e)); + } + ++ ResourceLinkFactory.registerGlobalResourceAccess( ++ getGlobalNamingContext(), resourceLink.getName(), resourceLink.getGlobal()); ++ } ++ ++ private javax.naming.Context getGlobalNamingContext() { ++ if (container instanceof Context) { ++ Engine e = (Engine) ((Context) container).getParent().getParent(); ++ Server s = e.getService().getServer(); ++ if (s instanceof StandardServer) { ++ return ((StandardServer) s).getGlobalNamingContext(); ++ } ++ } ++ return null; ++ + } + + +diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java 
b/java/org/apache/naming/factory/ResourceLinkFactory.java +index 6df82dd..56b1423 100644 +--- a/java/org/apache/naming/factory/ResourceLinkFactory.java ++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java +@@ -18,7 +18,10 @@ + + package org.apache.naming.factory; + ++import java.util.HashMap; + import java.util.Hashtable; ++import java.util.Map; ++import java.util.concurrent.ConcurrentHashMap; + + import javax.naming.Context; + import javax.naming.Name; +@@ -52,6 +55,8 @@ public class ResourceLinkFactory + */ + private static Context globalContext = null; + ++ private static Map<ClassLoader,Map<String,String>> globalResourceRegistrations = ++ new ConcurrentHashMap<ClassLoader,Map<String,String>>(); + + // --------------------------------------------------------- Public Methods + +@@ -71,6 +76,56 @@ public class ResourceLinkFactory + } + + ++ public static void registerGlobalResourceAccess(Context globalContext, String localName, ++ String globalName) { ++ validateGlobalContext(globalContext); ++ ClassLoader cl = Thread.currentThread().getContextClassLoader(); ++ Map<String,String> registrations = globalResourceRegistrations.get(cl); ++ if (registrations == null) { ++ // Web application initialization is single threaded so this is ++ // safe. 
++ registrations = new HashMap<String,String>(); ++ globalResourceRegistrations.put(cl, registrations); ++ } ++ registrations.put(localName, globalName); ++ } ++ ++ ++ public static void deregisterGlobalResourceAccess(Context globalContext, String localName) { ++ validateGlobalContext(globalContext); ++ ClassLoader cl = Thread.currentThread().getContextClassLoader(); ++ Map<String,String> registrations = globalResourceRegistrations.get(cl); ++ if (registrations != null) { ++ registrations.remove(localName); ++ } ++ } ++ ++ ++ public static void deregisterGlobalResourceAccess(Context globalContext) { ++ validateGlobalContext(globalContext); ++ ClassLoader cl = Thread.currentThread().getContextClassLoader(); ++ globalResourceRegistrations.remove(cl); ++ } ++ ++ ++ private static void validateGlobalContext(Context globalContext) { ++ if (ResourceLinkFactory.globalContext != null && ++ ResourceLinkFactory.globalContext != globalContext) { ++ throw new SecurityException("Caller provided invalid global context"); ++ } ++ } ++ ++ ++ private static boolean validateGlobalResourceAccess(String globalName) { ++ ClassLoader cl = Thread.currentThread().getContextClassLoader(); ++ Map<String,String> registrations = globalResourceRegistrations.get(cl); ++ if (registrations != null && registrations.containsValue(globalName)) { ++ return true; ++ } ++ return false; ++ } ++ ++ + // -------------------------------------------------- ObjectFactory Methods + + +@@ -96,6 +151,11 @@ public class ResourceLinkFactory + RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME); + if (refAddr != null) { + globalName = refAddr.getContent().toString(); ++ // Confirm that the current web application is currently configured ++ // to access the specified global resource ++ if (!validateGlobalResourceAccess(globalName)) { ++ return null; ++ } + Object result = null; + result = globalContext.lookup(globalName); + // FIXME: Check type 
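Review bot: in registerGlobalResourceAccess the inner map is published before it is populated: "registrations = new HashMap<String,String>();" is stored into the ConcurrentHashMap and only afterwards receives "registrations.put(localName, globalName);". The comment says web application initialization is single threaded, but validateGlobalResourceAccess reads that plain HashMap from request threads during getObjectInstance, so a lookup racing with a later registration (or a context reload) reads an unsynchronized HashMap; either populate the map before the outer put and treat it as read-only afterwards, or make the inner map a ConcurrentHashMap as well. The access check is value-based (registrations.containsValue(globalName)), meaning any ResourceLink in the web application to a given global name grants lookups of that global name, which matches the CVE-2016-6797 intent but deserves a comment. In the NamingContextListener hunk, getGlobalNamingContext casts getParent().getParent() to Engine without checking the intermediate container types, so a non-standard Context/Host/Engine arrangement would throw from unbind's new try block before the finally clears the state; an instanceof check on the parent chain would keep unbind from failing there. The deregisterGlobalResourceAccess(Context, String) overload has no caller in the visible hunks, and the new "import org.apache.naming.factory.ResourceLinkFactory;" sits after the org.apache.tomcat import instead of with the other org.apache.naming imports.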
diff --git a/debian/patches/CVE-2016-6816.patch b/debian/patches/CVE-2016-6816.patch new file mode 100644 index 0000000..d936b4e --- /dev/null +++ b/debian/patches/CVE-2016-6816.patch 
@@ -0,0 +1,1105 @@ +From: Markus Koschany <[email protected]> +Date: Fri, 25 Nov 2016 20:08:42 +0100 +Subject: CVE-2016-6816 + +Origin: http://svn.apache.org/r1767683 +--- + .../apache/coyote/http11/AbstractInputBuffer.java | 52 +--------- + .../coyote/http11/InternalAprInputBuffer.java | 77 +++++++-------- + .../apache/coyote/http11/InternalInputBuffer.java | 69 ++++++------- + .../coyote/http11/InternalNioInputBuffer.java | 110 ++++++++++----------- + .../apache/coyote/http11/LocalStrings.properties | 3 + + .../apache/tomcat/util/http/parser/HttpParser.java | 45 ++++++++- + java/org/apache/tomcat/util/res/StringManager.java | 3 + + 7 files changed, 168 insertions(+), 191 deletions(-) + +diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java b/java/org/apache/coyote/http11/AbstractInputBuffer.java +index 05e9d34..587755f 100644 +--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java ++++ b/java/org/apache/coyote/http11/AbstractInputBuffer.java +@@ -17,56 +17,8 @@ + package org.apache.coyote.http11; + + import org.apache.coyote.InputBuffer; ++import org.apache.tomcat.util.res.StringManager; + + public abstract class AbstractInputBuffer implements InputBuffer { +- +- protected static final boolean[] HTTP_TOKEN_CHAR = new boolean[128]; + +- static { +- for (int i = 0; i < 128; i++) { +- if (i < 32) { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == 127) { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '(') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == ')') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '<') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '>') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '@') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == ',') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == ';') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == ':') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '\\') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '\"') { +- HTTP_TOKEN_CHAR[i] = false; 
+- } else if (i == '/') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '[') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == ']') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '?') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '=') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '{') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == '}') { +- HTTP_TOKEN_CHAR[i] = false; +- } else if (i == ' ') { +- HTTP_TOKEN_CHAR[i] = false; +- } else { +- HTTP_TOKEN_CHAR[i] = true; +- } +- } +- } +-} ++ protected static final StringManager sm = StringManager.getManager(AbstractInputBuffer.class);} +diff --git a/java/org/apache/coyote/http11/InternalAprInputBuffer.java b/java/org/apache/coyote/http11/InternalAprInputBuffer.java +index f703719..a5f2804 100644 +--- a/java/org/apache/coyote/http11/InternalAprInputBuffer.java ++++ b/java/org/apache/coyote/http11/InternalAprInputBuffer.java +@@ -26,7 +26,7 @@ import org.apache.tomcat.jni.Status; + import org.apache.tomcat.util.buf.ByteChunk; + import org.apache.tomcat.util.buf.MessageBytes; + import org.apache.tomcat.util.http.MimeHeaders; +-import org.apache.tomcat.util.res.StringManager; ++import org.apache.tomcat.util.http.parser.HttpParser; + import org.apache.coyote.InputBuffer; + import org.apache.coyote.Request; + import org.apache.juli.logging.Log; +@@ -68,23 +68,12 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + + parsingHeader = true; + swallowInput = true; +- +- } +- +- +- // -------------------------------------------------------------- Variables + +- +- /** +- * The string manager for this package. +- */ +- protected static StringManager sm = +- StringManager.getManager(Constants.Package); ++ } + + + // ----------------------------------------------------- Instance Variables + +- + /** + * Associated Coyote request. 
+ */ +@@ -196,7 +185,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + */ + public void addFilter(InputFilter filter) { + +- InputFilter[] newFilterLibrary = ++ InputFilter[] newFilterLibrary = + new InputFilter[filterLibrary.length + 1]; + for (int i = 0; i < filterLibrary.length; i++) { + newFilterLibrary[i] = filterLibrary[i]; +@@ -264,7 +253,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + + + /** +- * Recycle the input buffer. This should be called when closing the ++ * Recycle the input buffer. This should be called when closing the + * connection. + */ + public void recycle() { +@@ -289,7 +278,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + + /** + * End processing of current HTTP request. +- * Note: All bytes of the current request should have been already ++ * Note: All bytes of the current request should have been already + * consumed. This method only resets all the pointers so that we are ready + * to parse the next HTTP request. + */ +@@ -302,7 +291,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + if (lastValid - pos > 0 && pos > 0) { + System.arraycopy(buf, pos, buf, 0, lastValid - pos); + } +- ++ + // Recycle filters + for (int i = 0; i <= lastActiveFilter; i++) { + activeFilters[i].recycle(); +@@ -320,7 +309,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + + /** + * End request (consumes leftover bytes). +- * ++ * + * @throws IOException an undelying I/O error occured + */ + public void endRequest() +@@ -335,14 +324,14 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + + + /** +- * Read the request line. This function is meant to be used during the +- * HTTP request header parsing. Do NOT attempt to read the request body ++ * Read the request line. This function is meant to be used during the ++ * HTTP request header parsing. Do NOT attempt to read the request body + * using it. 
+ * + * @throws IOException If an exception occurs during the underlying socket + * read operations, or if the given buffer is not big enough to accomodate + * the whole line. +- * @return true if data is properly fed; false if no data is available ++ * @return true if data is properly fed; false if no data is available + * immediately and thread should be freed + */ + public boolean parseRequestLine(boolean useAvailableData) +@@ -398,17 +387,19 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + throw new EOFException(sm.getString("iib.eof.error")); + } + +- // Spec says no CR or LF in method name +- if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) { +- throw new IllegalArgumentException( +- sm.getString("iib.invalidmethod")); ++ // Spec says method name is a token followed by a single SP but ++ // also be tolerant of multiple SP and/or HT. ++ if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { + } + // Spec says single SP but it also says be tolerant of HT + if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { + space = true; + request.method().setBytes(buf, start, pos - start); ++ } else if (!HttpParser.isToken(buf[pos])) { ++ throw new IllegalArgumentException(sm.getString("iib.invalidmethod")); + } + ++ + pos++; + + } +@@ -450,15 +441,17 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { + space = true; + end = pos; +- } else if ((buf[pos] == Constants.CR) ++ } else if ((buf[pos] == Constants.CR) + || (buf[pos] == Constants.LF)) { + // HTTP/0.9 style request + eol = true; + space = true; + end = pos; +- } else if ((buf[pos] == Constants.QUESTION) ++ } else if ((buf[pos] == Constants.QUESTION) + && (questionPos == -1)) { + questionPos = pos; ++ } else if (HttpParser.isNotRequestTarget(buf[pos])) { ++ throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget")); + } + + pos++; +@@ -467,7 +460,7 @@ public class 
InternalAprInputBuffer extends AbstractInputBuffer { + + request.unparsedURI().setBytes(buf, start, end - start); + if (questionPos >= 0) { +- request.queryString().setBytes(buf, questionPos + 1, ++ request.queryString().setBytes(buf, questionPos + 1, + end - questionPos - 1); + request.requestURI().setBytes(buf, start, questionPos - start); + } else { +@@ -495,7 +488,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + + // + // Reading the protocol +- // Protocol is always US-ASCII ++ // Protocol is always "HTTP/" DIGIT "." DIGIT + // + + while (!eol) { +@@ -512,6 +505,8 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + if (end == 0) + end = pos; + eol = true; ++ } else if (!HttpParser.isHttpProtocol(buf[pos])) { ++ throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol")); + } + + pos++; +@@ -523,7 +518,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + } else { + request.protocol().setString(""); + } +- ++ + return true; + + } +@@ -546,7 +541,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + + /** + * Parse an HTTP header. 
+- * ++ * + * @return false after reading a blank line (which indicates that the + * HTTP header parsing is done + */ +@@ -604,7 +599,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + if (buf[pos] == Constants.COLON) { + colon = true; + headerValue = headers.addValue(buf, start, pos - start); +- } else if (!HTTP_TOKEN_CHAR[buf[pos]]) { ++ } else if (!HttpParser.isToken(buf[pos])) { + // If a non-token header is detected, skip the line and + // ignore the header + skipLine(start); +@@ -710,14 +705,14 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + + } + +- ++ + private void skipLine(int start) throws IOException { + boolean eol = false; + int lastRealByte = start; + if (pos - 1 > start) { + lastRealByte = pos - 1; + } +- ++ + while (!eol) { + + // Read new bytes if needed +@@ -741,8 +736,8 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + lastRealByte - start + 1, "ISO-8859-1"))); + } + } +- +- ++ ++ + /** + * Available bytes (note that due to encoding, this may not correspond ) + */ +@@ -763,7 +758,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + /** + * Read some bytes. + */ +- public int doRead(ByteChunk chunk, Request req) ++ public int doRead(ByteChunk chunk, Request req) + throws IOException { + + if (lastActiveFilter == -1) +@@ -779,7 +774,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + + /** + * Fill the internal buffer using data from the undelying input stream. 
+- * ++ * + * @return false if at end of stream + */ + protected boolean fill() +@@ -811,7 +806,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + } else { + + if (buf.length - end < 4500) { +- // In this case, the request header was really large, so we allocate a ++ // In this case, the request header was really large, so we allocate a + // brand new one; the old one will get GCed when subsequent requests + // clear all references + buf = new byte[buf.length]; +@@ -850,14 +845,14 @@ public class InternalAprInputBuffer extends AbstractInputBuffer { + * This class is an input buffer which will read its data from an input + * stream. + */ +- protected class SocketInputBuffer ++ protected class SocketInputBuffer + implements InputBuffer { + + + /** + * Read bytes into the specified chunk. + */ +- public int doRead(ByteChunk chunk, Request req ) ++ public int doRead(ByteChunk chunk, Request req ) + throws IOException { + + if (pos >= lastValid) { +diff --git a/java/org/apache/coyote/http11/InternalInputBuffer.java b/java/org/apache/coyote/http11/InternalInputBuffer.java +index ffad9da..94f3017 100644 +--- a/java/org/apache/coyote/http11/InternalInputBuffer.java ++++ b/java/org/apache/coyote/http11/InternalInputBuffer.java +@@ -23,8 +23,7 @@ import java.io.EOFException; + import org.apache.tomcat.util.buf.ByteChunk; + import org.apache.tomcat.util.buf.MessageBytes; + import org.apache.tomcat.util.http.MimeHeaders; +-import org.apache.tomcat.util.res.StringManager; +- ++import org.apache.tomcat.util.http.parser.HttpParser; + import org.apache.coyote.InputBuffer; + import org.apache.coyote.Request; + import org.apache.juli.logging.Log; +@@ -39,7 +38,7 @@ import org.apache.juli.logging.LogFactory; + public class InternalInputBuffer extends AbstractInputBuffer { + + private static final Log log = LogFactory.getLog(InternalInputBuffer.class); +- ++ + // -------------------------------------------------------------- Constants + + +@@ -76,19 +75,8 @@ 
public class InternalInputBuffer extends AbstractInputBuffer { + } + + +- // -------------------------------------------------------------- Variables +- +- +- /** +- * The string manager for this package. +- */ +- protected static StringManager sm = +- StringManager.getManager(Constants.Package); +- +- + // ----------------------------------------------------- Instance Variables + +- + /** + * Associated Coyote request. + */ +@@ -201,7 +189,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + + // FIXME: Check for null ? + +- InputFilter[] newFilterLibrary = ++ InputFilter[] newFilterLibrary = + new InputFilter[filterLibrary.length + 1]; + for (int i = 0; i < filterLibrary.length; i++) { + newFilterLibrary[i] = filterLibrary[i]; +@@ -269,7 +257,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + + + /** +- * Recycle the input buffer. This should be called when closing the ++ * Recycle the input buffer. This should be called when closing the + * connection. + */ + public void recycle() { +@@ -294,7 +282,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + + /** + * End processing of current HTTP request. +- * Note: All bytes of the current request should have been already ++ * Note: All bytes of the current request should have been already + * consumed. This method only resets all the pointers so that we are ready + * to parse the next HTTP request. + */ +@@ -325,7 +313,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + + /** + * End request (consumes leftover bytes). +- * ++ * + * @throws IOException an undelying I/O error occured + */ + public void endRequest() +@@ -340,8 +328,8 @@ public class InternalInputBuffer extends AbstractInputBuffer { + + + /** +- * Read the request line. This function is meant to be used during the +- * HTTP request header parsing. Do NOT attempt to read the request body ++ * Read the request line. 
This function is meant to be used during the ++ * HTTP request header parsing. Do NOT attempt to read the request body + * using it. + * + * @throws IOException If an exception occurs during the underlying socket +@@ -390,17 +378,16 @@ public class InternalInputBuffer extends AbstractInputBuffer { + throw new EOFException(sm.getString("iib.eof.error")); + } + +- // Spec says no CR or LF in method name +- if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) { +- throw new IllegalArgumentException( +- sm.getString("iib.invalidmethod")); +- } +- // Spec says single SP but it also says be tolerant of HT ++ // Spec says method name is a token followed by a single SP but ++ // also be tolerant of multiple SP and/or HT. + if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { + space = true; + request.method().setBytes(buf, start, pos - start); ++ } else if (!HttpParser.isToken(buf[pos])) { ++ throw new IllegalArgumentException(sm.getString("iib.invalidmethod")); + } + ++ + pos++; + + } +@@ -443,15 +430,17 @@ public class InternalInputBuffer extends AbstractInputBuffer { + if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { + space = true; + end = pos; +- } else if ((buf[pos] == Constants.CR) ++ } else if ((buf[pos] == Constants.CR) + || (buf[pos] == Constants.LF)) { + // HTTP/0.9 style request + eol = true; + space = true; + end = pos; +- } else if ((buf[pos] == Constants.QUESTION) ++ } else if ((buf[pos] == Constants.QUESTION) + && (questionPos == -1)) { + questionPos = pos; ++ } else if (HttpParser.isNotRequestTarget(buf[pos])) { ++ throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget")); + } + + pos++; +@@ -460,7 +449,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + + request.unparsedURI().setBytes(buf, start, end - start); + if (questionPos >= 0) { +- request.queryString().setBytes(buf, questionPos + 1, ++ request.queryString().setBytes(buf, questionPos + 1, + end - questionPos - 1); + 
request.requestURI().setBytes(buf, start, questionPos - start); + } else { +@@ -487,7 +476,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + + // + // Reading the protocol +- // Protocol is always US-ASCII ++ // Protocol is always "HTTP/" DIGIT "." DIGIT + // + + while (!eol) { +@@ -504,6 +493,8 @@ public class InternalInputBuffer extends AbstractInputBuffer { + if (end == 0) + end = pos; + eol = true; ++ } else if (!HttpParser.isHttpProtocol(buf[pos])) { ++ throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol")); + } + + pos++; +@@ -536,7 +527,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + + /** + * Parse an HTTP header. +- * ++ * + * @return false after reading a blank line (which indicates that the + * HTTP header parsing is done + */ +@@ -594,7 +585,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + if (buf[pos] == Constants.COLON) { + colon = true; + headerValue = headers.addValue(buf, start, pos - start); +- } else if (!HTTP_TOKEN_CHAR[buf[pos]]) { ++ } else if (!HttpParser.isToken(buf[pos])) { + // If a non-token header is detected, skip the line and + // ignore the header + skipLine(start); +@@ -708,7 +699,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + /** + * Read some bytes. + */ +- public int doRead(ByteChunk chunk, Request req) ++ public int doRead(ByteChunk chunk, Request req) + throws IOException { + + if (lastActiveFilter == -1) +@@ -727,7 +718,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + if (pos - 1 > start) { + lastRealByte = pos - 1; + } +- ++ + while (!eol) { + + // Read new bytes if needed +@@ -752,10 +743,10 @@ public class InternalInputBuffer extends AbstractInputBuffer { + } + } + +- ++ + /** + * Fill the internal buffer using data from the undelying input stream. 
+- * ++ * + * @return false if at end of stream + */ + protected boolean fill() +@@ -778,7 +769,7 @@ public class InternalInputBuffer extends AbstractInputBuffer { + } else { + + if (buf.length - end < 4500) { +- // In this case, the request header was really large, so we allocate a ++ // In this case, the request header was really large, so we allocate a + // brand new one; the old one will get GCed when subsequent requests + // clear all references + buf = new byte[buf.length]; +@@ -805,14 +796,14 @@ public class InternalInputBuffer extends AbstractInputBuffer { + * This class is an input buffer which will read its data from an input + * stream. + */ +- protected class InputStreamInputBuffer ++ protected class InputStreamInputBuffer + implements InputBuffer { + + + /** + * Read bytes into the specified chunk. + */ +- public int doRead(ByteChunk chunk, Request req ) ++ public int doRead(ByteChunk chunk, Request req ) + throws IOException { + + if (pos >= lastValid) { +diff --git a/java/org/apache/coyote/http11/InternalNioInputBuffer.java b/java/org/apache/coyote/http11/InternalNioInputBuffer.java +index 7289201..c050a16 100644 +--- a/java/org/apache/coyote/http11/InternalNioInputBuffer.java ++++ b/java/org/apache/coyote/http11/InternalNioInputBuffer.java +@@ -25,9 +25,9 @@ import org.apache.coyote.Request; + import org.apache.tomcat.util.buf.ByteChunk; + import org.apache.tomcat.util.buf.MessageBytes; + import org.apache.tomcat.util.http.MimeHeaders; ++import org.apache.tomcat.util.http.parser.HttpParser; + import org.apache.tomcat.util.net.NioChannel; + import org.apache.tomcat.util.net.NioSelectorPool; +-import org.apache.tomcat.util.res.StringManager; + import org.apache.tomcat.util.net.NioEndpoint; + + /** +@@ -88,7 +88,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + } + + // ----------------------------------------------------------- Constructors +- ++ + + /** + * Alternate constructor. 
+@@ -119,19 +119,8 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + } + + +- // -------------------------------------------------------------- Variables +- +- +- /** +- * The string manager for this package. +- */ +- protected static StringManager sm = +- StringManager.getManager(Constants.Package); +- +- + // ----------------------------------------------------- Instance Variables + +- + /** + * Associated Coyote request. + */ +@@ -193,12 +182,12 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + * Underlying socket. + */ + protected NioChannel socket; +- ++ + /** + * Selector pool, for blocking reads and blocking writes + */ + protected NioSelectorPool pool; +- ++ + + /** + * Underlying input buffer. +@@ -263,7 +252,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + buf = new byte[bufLength]; + } + } +- ++ + /** + * Get the underlying socket input stream. + */ +@@ -271,10 +260,10 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + return socket; + } + +- public void setSelectorPool(NioSelectorPool pool) { ++ public void setSelectorPool(NioSelectorPool pool) { + this.pool = pool; + } +- ++ + public NioSelectorPool getSelectorPool() { + return pool; + } +@@ -285,7 +274,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + */ + public void addFilter(InputFilter filter) { + +- InputFilter[] newFilterLibrary = ++ InputFilter[] newFilterLibrary = + new InputFilter[filterLibrary.length + 1]; + for (int i = 0; i < filterLibrary.length; i++) { + newFilterLibrary[i] = filterLibrary[i]; +@@ -357,7 +346,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + public boolean isReadable() throws IOException { + return (pos < lastValid) || (nbRead()>0); + } +- ++ + /** + * Issues a non blocking read + * @return int +@@ -368,7 +357,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + } + + /** +- * Recycle the input buffer. 
This should be called when closing the ++ * Recycle the input buffer. This should be called when closing the + * connection. + */ + public void recycle() { +@@ -399,7 +388,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + + /** + * End processing of current HTTP request. +- * Note: All bytes of the current request should have been already ++ * Note: All bytes of the current request should have been already + * consumed. This method only resets all the pointers so that we are ready + * to parse the next HTTP request. + */ +@@ -437,7 +426,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + + /** + * End request (consumes leftover bytes). +- * ++ * + * @throws IOException an undelying I/O error occured + */ + public void endRequest() +@@ -452,14 +441,14 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + + + /** +- * Read the request line. This function is meant to be used during the +- * HTTP request header parsing. Do NOT attempt to read the request body ++ * Read the request line. This function is meant to be used during the ++ * HTTP request header parsing. Do NOT attempt to read the request body + * using it. + * + * @throws IOException If an exception occurs during the underlying socket + * read operations, or if the given buffer is not big enough to accommodate + * the whole line. 
+- * @return true if data is properly fed; false if no data is available ++ * @return true if data is properly fed; false if no data is available + * immediately and thread should be freed + */ + public boolean parseRequestLine(boolean useAvailableDataOnly) +@@ -473,7 +462,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + if ( parsingRequestLinePhase == 0 ) { + byte chr = 0; + do { +- ++ + // Read new bytes if needed + if (pos >= lastValid) { + if (useAvailableDataOnly) { +@@ -510,14 +499,13 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + if (!fill(true, false)) //request line parsing + return false; + } +- // Spec says no CR or LF in method name +- if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) { +- throw new IllegalArgumentException( +- sm.getString("iib.invalidmethod")); +- } ++ // Spec says method name is a token followed by a single SP but ++ // also be tolerant of multiple SP and/or HT. + if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { + space = true; + request.method().setBytes(buf, parsingRequestLineStart, pos - parsingRequestLineStart); ++ } else if (!HttpParser.isToken(buf[pos])) { ++ throw new IllegalArgumentException(sm.getString("iib.invalidmethod")); + } + pos++; + } +@@ -543,7 +531,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + } + if (parsingRequestLinePhase == 4) { + // Mark the current buffer position +- ++ + int end = 0; + // + // Reading the URI +@@ -558,21 +546,23 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { + space = true; + end = pos; +- } else if ((buf[pos] == Constants.CR) ++ } else if ((buf[pos] == Constants.CR) + || (buf[pos] == Constants.LF)) { + // HTTP/0.9 style request + parsingRequestLineEol = true; + space = true; + end = pos; +- } else if ((buf[pos] == Constants.QUESTION) ++ } else if ((buf[pos] == Constants.QUESTION) + && (parsingRequestLineQPos == -1)) 
{ + parsingRequestLineQPos = pos; ++ } else if (HttpParser.isNotRequestTarget(buf[pos])) { ++ throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget")); + } + pos++; + } + request.unparsedURI().setBytes(buf, parsingRequestLineStart, end - parsingRequestLineStart); + if (parsingRequestLineQPos >= 0) { +- request.queryString().setBytes(buf, parsingRequestLineQPos + 1, ++ request.queryString().setBytes(buf, parsingRequestLineQPos + 1, + end - parsingRequestLineQPos - 1); + request.requestURI().setBytes(buf, parsingRequestLineStart, parsingRequestLineQPos - parsingRequestLineStart); + } else { +@@ -601,10 +591,10 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + // Mark the current buffer position + end = 0; + } +- if (parsingRequestLinePhase == 6) { ++ if (parsingRequestLinePhase == 6) { + // + // Reading the protocol +- // Protocol is always US-ASCII ++ // Protocol is always "HTTP/" DIGIT "." DIGIT + // + while (!parsingRequestLineEol) { + // Read new bytes if needed +@@ -612,17 +602,19 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + if (!fill(true, false)) //request line parsing + return false; + } +- ++ + if (buf[pos] == Constants.CR) { + end = pos; + } else if (buf[pos] == Constants.LF) { + if (end == 0) + end = pos; + parsingRequestLineEol = true; ++ } else if (!HttpParser.isHttpProtocol(buf[pos])) { ++ throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol")); + } + pos++; + } +- ++ + if ( (end - parsingRequestLineStart) > 0) { + request.protocol().setBytes(buf, parsingRequestLineStart, end - parsingRequestLineStart); + } else { +@@ -636,7 +628,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + } + throw new IllegalStateException("Invalid request line parse phase:"+parsingRequestLinePhase); + } +- ++ + private void expand(int newsize) { + if ( newsize > buf.length ) { + if (parsingHeader) { +@@ -652,7 +644,7 @@ public class InternalNioInputBuffer extends 
AbstractInputBuffer { + tmp = null; + } + } +- ++ + /** + * Perform blocking read with a timeout if desired + * @param timeout boolean - if we want to use the timeout data +@@ -673,7 +665,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + nRead = getSelectorPool().read(socket.getBufHandler().getReadBuffer(),socket,selector,att.getTimeout()); + } catch ( EOFException eof ) { + nRead = -1; +- } finally { ++ } finally { + if ( selector != null ) getSelectorPool().put(selector); + } + } else { +@@ -700,7 +692,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + public boolean parseHeaders() + throws IOException { + HeaderParseStatus status = HeaderParseStatus.HAVE_MORE_HEADERS; +- ++ + do { + status = parseHeader(); + // Checking that +@@ -729,7 +721,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + + /** + * Parse an HTTP header. +- * ++ * + * @return false after reading a blank line (which indicates that the + * HTTP header parsing is done + */ +@@ -745,7 +737,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + + // Read new bytes if needed + if (pos >= lastValid) { +- if (!fill(true,false)) {//parse header ++ if (!fill(true,false)) {//parse header + headerParsePos = HeaderParsePosition.HEADER_START; + return HeaderParseStatus.NEED_MORE_DATA; + } +@@ -770,18 +762,18 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + // Mark the current buffer position + headerData.start = pos; + headerParsePos = HeaderParsePosition.HEADER_NAME; +- } ++ } + + // + // Reading the header name + // Header name is always US-ASCII + // +- ++ + while (headerParsePos == HeaderParsePosition.HEADER_NAME) { + + // Read new bytes if needed + if (pos >= lastValid) { +- if (!fill(true,false)) { //parse header ++ if (!fill(true,false)) { //parse header + return HeaderParseStatus.NEED_MORE_DATA; + } + } +@@ -796,7 +788,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + 
headerData.realPos = pos; + headerData.lastSignificantChar = pos; + break; +- } else if (!HTTP_TOKEN_CHAR[chr]) { ++ } else if (!HttpParser.isToken(chr)) { + // If a non-token header is detected, skip the line and + // ignore the header + headerData.lastSignificantChar = pos; +@@ -828,7 +820,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + while (true) { + // Read new bytes if needed + if (pos >= lastValid) { +- if (!fill(true,false)) {//parse header ++ if (!fill(true,false)) {//parse header + //HEADER_VALUE_START + return HeaderParseStatus.NEED_MORE_DATA; + } +@@ -851,7 +843,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + + // Read new bytes if needed + if (pos >= lastValid) { +- if (!fill(true,false)) {//parse header ++ if (!fill(true,false)) {//parse header + //HEADER_VALUE + return HeaderParseStatus.NEED_MORE_DATA; + } +@@ -884,7 +876,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + // Read new bytes if needed + if (pos >= lastValid) { + if (!fill(true,false)) {//parse header +- ++ + //HEADER_MULTI_LINE + return HeaderParseStatus.NEED_MORE_DATA; + } +@@ -910,7 +902,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + headerData.recycle(); + return HeaderParseStatus.HAVE_MORE_HEADERS; + } +- ++ + private HeaderParseStatus skipLine() throws IOException { + headerParsePos = HeaderParsePosition.HEADER_SKIPLINE; + boolean eol = false; +@@ -945,7 +937,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + headerParsePos = HeaderParsePosition.HEADER_START; + return HeaderParseStatus.HAVE_MORE_HEADERS; + } +- ++ + private HeaderParseData headerData = new HeaderParseData(); + public static class HeaderParseData { + /** +@@ -1004,7 +996,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + /** + * Read some bytes. 
+ */ +- public int doRead(ByteChunk chunk, Request req) ++ public int doRead(ByteChunk chunk, Request req) + throws IOException { + + if (lastActiveFilter == -1) +@@ -1019,7 +1011,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + + /** + * Fill the internal buffer using data from the undelying input stream. +- * ++ * + * @return false if at end of stream + */ + protected boolean fill(boolean timeout, boolean block) +@@ -1052,14 +1044,14 @@ public class InternalNioInputBuffer extends AbstractInputBuffer { + * This class is an input buffer which will read its data from an input + * stream. + */ +- protected class SocketInputBuffer ++ protected class SocketInputBuffer + implements InputBuffer { + + + /** + * Read bytes into the specified chunk. + */ +- public int doRead(ByteChunk chunk, Request req ) ++ public int doRead(ByteChunk chunk, Request req ) + throws IOException { + + if (pos >= lastValid) { +diff --git a/java/org/apache/coyote/http11/LocalStrings.properties b/java/org/apache/coyote/http11/LocalStrings.properties +index 542eedd..0fb5d0c 100644 +--- a/java/org/apache/coyote/http11/LocalStrings.properties ++++ b/java/org/apache/coyote/http11/LocalStrings.properties +@@ -62,5 +62,8 @@ http11processor.sendfile.error=Error sending data using sendfile. May be caused + + iib.eof.error=Unexpected EOF read on the socket + iib.requestheadertoolarge.error=Request header is too large ++iib.invalidheader=The HTTP header line [{0}] does not conform to RFC 7230 and has been ignored. ++iib.invalidRequestTarget=Invalid character found in the request target. 
The valid characters are defined in RFC 7230 and RFC 3986 ++iib.invalidHttpProtocol=Invalid character found in the HTTP protocol + iib.invalidmethod=Invalid character (CR or LF) found in method name + +diff --git a/java/org/apache/tomcat/util/http/parser/HttpParser.java b/java/org/apache/tomcat/util/http/parser/HttpParser.java +index b828f71..b92d687 100644 +--- a/java/org/apache/tomcat/util/http/parser/HttpParser.java ++++ b/java/org/apache/tomcat/util/http/parser/HttpParser.java +@@ -54,8 +54,11 @@ public class HttpParser { + new HashMap<String, Integer>(); + + // Arrays used by isToken(), isHex() ++ private static final boolean[] IS_CONTROL = new boolean[128]; + private static final boolean isToken[] = new boolean[128]; + private static final boolean isHex[] = new boolean[128]; ++ private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[128]; ++ private static final boolean[] IS_HTTP_PROTOCOL = new boolean[128]; + + static { + // Digest field types. +@@ -96,6 +99,21 @@ public class HttpParser { + } else { + isHex[i] = false; + } ++ ++ // Not valid for request target. ++ // Combination of multiple rules from RFC7230 and RFC 3986. Must be ++ // ASCII, no controls plus a few additional characters excluded ++ if (IS_CONTROL[i] || i > 127 || ++ i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' || ++ i == '^' || i == '`' || i == '{' || i == '|' || i == '}') { ++ IS_NOT_REQUEST_TARGET[i] = true; ++ } ++ ++ // Not valid for HTTP protocol ++ // "HTTP/" DIGIT "." DIGIT ++ if (i == 'H' || i == 'T' || i == 'P' || i == '/' || i == '.' 
|| (i >= '0' && i <= '9')) { ++ IS_HTTP_PROTOCOL[i] = true; ++ } + } + } + +@@ -246,7 +264,7 @@ public class HttpParser { + return result.toString(); + } + +- private static boolean isToken(int c) { ++ public static boolean isToken(int c) { + // Fast for correct values, slower for incorrect ones + try { + return isToken[c]; +@@ -255,7 +273,7 @@ public class HttpParser { + } + } + +- private static boolean isHex(int c) { ++ public static boolean isHex(int c) { + // Fast for correct values, slower for incorrect ones + try { + return isHex[c]; +@@ -264,6 +282,29 @@ public class HttpParser { + } + } + ++ ++ public static boolean isNotRequestTarget(int c) { ++ // Fast for valid request target characters, slower for some incorrect ++ // ones ++ try { ++ return IS_NOT_REQUEST_TARGET[c]; ++ } catch (ArrayIndexOutOfBoundsException ex) { ++ return true; ++ } ++ } ++ ++ ++ public static boolean isHttpProtocol(int c) { ++ // Fast for valid HTTP protocol characters, slower for some incorrect ++ // ones ++ try { ++ return IS_HTTP_PROTOCOL[c]; ++ } catch (ArrayIndexOutOfBoundsException ex) { ++ return false; ++ } ++ } ++ ++ + // Skip any LWS and return the next char + private static int skipLws(StringReader input, boolean withReset) + throws IOException { +diff --git a/java/org/apache/tomcat/util/res/StringManager.java b/java/org/apache/tomcat/util/res/StringManager.java +index 67c56f0..bd0a84c 100644 +--- a/java/org/apache/tomcat/util/res/StringManager.java ++++ b/java/org/apache/tomcat/util/res/StringManager.java +@@ -179,6 +179,9 @@ public class StringManager { + private static final Map<String,Map<Locale,StringManager>> managers = + new Hashtable<String,Map<Locale,StringManager>>(); + ++ public static final StringManager getManager(Class<?> clazz) { ++ return getManager(clazz.getPackage().getName()); ++ } + /** + * Get the StringManager for a particular package. If a manager for + * a package already exists, it will be reused, else a new 
diff --git a/debian/patches/CVE-2016-8735.patch b/debian/patches/CVE-2016-8735.patch new file mode 100644 index 0000000..0d3a851 --- /dev/null +++ b/debian/patches/CVE-2016-8735.patch @@ -0,0 +1,24 @@ +From: Markus Koschany <[email protected]> +Date: Fri, 25 Nov 2016 20:11:08 +0100 +Subject: CVE-2016-8735 + +Origin: http://svn.apache.org/r1767684 +--- + java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java +index 7d04955..7f8ff01 100644 +--- a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java ++++ b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java +@@ -198,6 +198,10 @@ public class JmxRemoteLifecycleListener implements LifecycleListener { + csf = new RmiClientLocalhostSocketFactory(csf); + } + ++ env.put("jmx.remote.rmi.server.credential.types", new String[] { ++ String[].class.getName(), ++ String.class.getName() }); ++ + // Populate the env properties used to create the server + if (csf != null) { + env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, diff --git a/debian/patches/series b/debian/patches/series index f4fb4ad..e2c4068 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,10 @@ 0007-add-OSGi-headers-to-servlet-api.patch 0008-add-OSGI-headers-to-jsp-api.patch 0010-Use-java.security.policy-file-in-catalina.sh.patch +CVE-2016-0762.patch +CVE-2016-6794.patch +CVE-2016-6797.patch +CVE-2016-5018.patch +CVE-2016-6796.patch +CVE-2016-6816.patch +CVE-2016-8735.patch diff --git a/debian/rules b/debian/rules index 864c3a4..8162d37 100755 --- a/debian/rules +++ b/debian/rules 
@@ -54,7 +54,7 @@ build-stamp: $(ANT_INVOKE) deploy-webapps $(ANT_INVOKE) -buildfile extras.xml jmx-remote javadoc -subpackages "javax.servlet" -d "output/api" \ - -sourcepath "java" -author -version -breakiterator -notimestamp \ + -sourcepath "java" -author -version -breakiterator \ -windowtitle "Tomcat API Documentation" -doctitle "Tomcat API" \ -bottom "Copyright © 2000-2008 Apache Software Foundation. All Rights Reserved." touch build-stamp @@ -79,7 +79,7 @@ binary-indep: build install dh_testroot dh_installchangelogs dh_installdocs - #dh_installman -ptomcat6-user debian/tomcat6-instance-create.1 + dh_installman -ptomcat6-user debian/tomcat6-instance-create.1 dh_installexamples dh_installinit --error-handler=true -- defaults 92 08 dh_installdebconf 
@@ -90,30 +90,30 @@ binary-indep: build install perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/2.1/' debian/poms/el-api.pom perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/2.1/' debian/poms/jsp-api.pom perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/$(T_VER)/' debian/poms/*.pom - #mh_installpoms -plibtomcat6-java - #for i in $(T_MAVENIZED_JARS); do \ - # mh_installjar -plibtomcat6-java -l debian/poms/$$i.pom $(BLDLIB)/$$i.jar usr/share/tomcat6/lib/$$i.jar; done - #mh_installjar -plibtomcat6-java -l --usj-name=catalina-tribes debian/poms/tribes.pom \ - # $(BLDLIB)/catalina-tribes.jar usr/share/tomcat6/lib/catalina-tribes.jar - #mh_installjar -plibtomcat6-java -l --usj-name=tomcat-coyote debian/poms/coyote.pom \ - # $(BLDLIB)/tomcat-coyote.jar usr/share/tomcat6/lib/tomcat-coyote.jar - #mh_installjar -plibtomcat6-java -l --usj-name=tomcat-juli debian/poms/juli.pom $(BLDBIN)/tomcat-juli.jar - #for i in $(T_JARS); do \ - # mv $(BLDLIB)/$$i.jar $(BLDLIB)/$$i-$(T_VER).jar && \ - # dh_install -plibtomcat6-java \ - # $(BLDLIB)/$$i-$(T_VER).jar usr/share/java && \ - # dh_link -plibtomcat6-java usr/share/java/$$i-$(T_VER).jar \ - # usr/share/java/$$i.jar && \ - # dh_link -ptomcat6-common usr/share/java/$$i-$(T_VER).jar \ - # usr/share/tomcat6/lib/$$i.jar; done - #for i in $(T_EXTRAS_JARS); do \ - # mv output/extras/$$i.jar output/extras/$$i-$(T_VER).jar && \ - # dh_install -plibtomcat6-java \ - # output/extras/$$i-$(T_VER).jar usr/share/java && \ - # dh_link -plibtomcat6-java usr/share/java/$$i-$(T_VER).jar \ - # usr/share/java/$$i.jar && \ - # dh_link -ptomcat6-extras usr/share/java/$$i-$(T_VER).jar \ - # usr/share/tomcat6/lib/$$i.jar; done + mh_installpoms -plibtomcat6-java + for i in $(T_MAVENIZED_JARS); do \ + mh_installjar -plibtomcat6-java -l debian/poms/$$i.pom $(BLDLIB)/$$i.jar usr/share/tomcat6/lib/$$i.jar; done + mh_installjar -plibtomcat6-java -l --usj-name=catalina-tribes debian/poms/tribes.pom \ + $(BLDLIB)/catalina-tribes.jar usr/share/tomcat6/lib/catalina-tribes.jar + 
mh_installjar -plibtomcat6-java -l --usj-name=tomcat-coyote debian/poms/coyote.pom \ + $(BLDLIB)/tomcat-coyote.jar usr/share/tomcat6/lib/tomcat-coyote.jar + mh_installjar -plibtomcat6-java -l --usj-name=tomcat-juli debian/poms/juli.pom $(BLDBIN)/tomcat-juli.jar + for i in $(T_JARS); do \ + mv $(BLDLIB)/$$i.jar $(BLDLIB)/$$i-$(T_VER).jar && \ + dh_install -plibtomcat6-java \ + $(BLDLIB)/$$i-$(T_VER).jar usr/share/java && \ + dh_link -plibtomcat6-java usr/share/java/$$i-$(T_VER).jar \ + usr/share/java/$$i.jar && \ + dh_link -ptomcat6-common usr/share/java/$$i-$(T_VER).jar \ + usr/share/tomcat6/lib/$$i.jar; done + for i in $(T_EXTRAS_JARS); do \ + mv output/extras/$$i.jar output/extras/$$i-$(T_VER).jar && \ + dh_install -plibtomcat6-java \ + output/extras/$$i-$(T_VER).jar usr/share/java && \ + dh_link -plibtomcat6-java usr/share/java/$$i-$(T_VER).jar \ + usr/share/java/$$i.jar && \ + dh_link -ptomcat6-extras usr/share/java/$$i-$(T_VER).jar \ + usr/share/tomcat6/lib/$$i.jar; done dh_install --exclude=.bat --exclude=Thumbs.db dh_link mh_installpoms -plibservlet2.5-java @@ -123,9 +123,9 @@ binary-indep: build install rm -r debian/poms rm -rf debian/tomcat6/usr/share/tomcat6/webapps/default_root/.svn \ debian/tomcat6/usr/share/tomcat6/webapps/default_root/META-INF/.svn - #chmod a+x debian/tomcat6-common/usr/share/tomcat6/bin/*.sh - #chmod a+x debian/tomcat6-user/usr/bin/tomcat6-instance-create - #chmod a+x debian/tomcat6-user/usr/share/tomcat6/skel/bin/*.sh + chmod a+x debian/tomcat6-common/usr/share/tomcat6/bin/*.sh + chmod a+x debian/tomcat6-user/usr/bin/tomcat6-instance-create + chmod a+x debian/tomcat6-user/usr/share/tomcat6/skel/bin/*.sh dh_compress dh_fixperms dh_installdeb diff --git a/debian/tomcat6.cron.daily b/debian/tomcat6.cron.daily index a585050..016018c 100644 --- a/debian/tomcat6.cron.daily +++ b/debian/tomcat6.cron.daily 
@@ -2,14 +2,11 @@ NAME=tomcat6 DEFAULT=/etc/default/$NAME -LOGEXT=log # The following variables can be overwritten in $DEFAULT # Default for number of days to keep old log files in /var/log/tomcatN/ LOGFILE_DAYS=14 -# Whether to compress logfiles older than today's -LOGFILE_COMPRESS=1 # End of variables that can be overwritten in $DEFAULT @@ -19,12 +16,6 @@ if [ -f "$DEFAULT" ]; then fi if [ -d /var/log/$NAME ]; then - if [ $LOGFILE_COMPRESS = 1 ]; then - find /var/log/$NAME/ -name \*.$LOGEXT -daystart -mtime +0 -print0 \ - | xargs --no-run-if-empty -0 gzip -9 - LOGEXT=log.gz - fi - - find /var/log/$NAME/ -name \*.$LOGEXT -mtime +$LOGFILE_DAYS -print0 \ + find /var/log/$NAME/ -name \*.log -mtime +$LOGFILE_DAYS -print0 \ | xargs --no-run-if-empty -0 rm -- fi diff --git a/debian/tomcat6.init b/debian/tomcat6.init index c121552..bf06d18 100644 --- a/debian/tomcat6.init +++ b/debian/tomcat6.init @@ -170,8 +170,11 @@ catalina_sh() { # Run the catalina.sh script as a daemon set +e - touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out - chown $TOMCAT6_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out + if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then + install -o $TOMCAT6_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out + fi + install -o $TOMCAT6_USER -g adm -m 644 /dev/null "$CATALINA_PID" + start-stop-daemon --start -b -u "$TOMCAT6_USER" -g "$TOMCAT6_GROUP" \ -c "$TOMCAT6_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \ -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH" diff --git a/debian/watch b/debian/watch index a9b6a7b..740c410 100644 --- a/debian/watch +++ b/debian/watch 
@@ -1,3 +1,3 @@ version=3 -opts=dversionmangle=s/(\da?)[\+\.\-~](?:dfsg|debian|ds|repack|repacked)\.?\d*$/$1/,uversionmangle=s/_/./g \ +opts=uversionmangle=s/_/./g \ http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/ TOMCAT_([0-9_]*[0-9])/ debian debian/orig-tar.sh -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
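Review bot: in the `@@ -390,17 +378,16 @@` hunk of InternalInputBuffer the method-name check now rejects any non-token byte through `HttpParser.isToken(buf[pos])`, but the message it throws, `iib.invalidmethod`, still reads "Invalid character (CR or LF) found in method name" in the LocalStrings.properties hunk; change it to "Invalid character found in method name" so a rejected space, high-bit byte or other non-token character is not reported as CR/LF in the logs. The same hunk also adds a stray blank line before `pos++;`.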
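Review bot: the `@@ -119,19 +119,8 @@` hunk of InternalNioInputBuffer deletes the file's own `protected static StringManager sm` field (and the StringManager import in the `@@ -25,9` hunk), yet later hunks in the same file still call `sm.getString("iib.invalidmethod")`, `sm.getString("iib.invalidRequestTarget")` and `sm.getString("iib.invalidHttpProtocol")`. This only compiles if AbstractInputBuffer exposes an `sm` field, which is not part of this diff; confirm that the base-class field exists in 6.0.45 and resolves against `org.apache.coyote.http11`'s LocalStrings (the `Constants.Package` the removed field used), otherwise the new messages will not be found at runtime.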
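Review bot: in the `@@ -96,6 +99,21 @@` hunk of HttpParser, `IS_CONTROL[i]` is read by the new request-target rule but nothing in this hunk assigns to it; unless the static block sets it for 0x00-0x1F and 0x7F elsewhere (not shown), control characters will pass `isNotRequestTarget` and the check does not give the CR/LF rejection this patch is for. Also, all four tables are sized 128, so the `i > 127` test in the same condition can never be true inside the initialiser; drop it, since non-ASCII is actually rejected by the ArrayIndexOutOfBoundsException handler in `isNotRequestTarget`, and the condition as written misleads the reader about where that happens.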
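Review bot: in the `@@ -264,6 +282,29 @@` hunk, `isNotRequestTarget` and `isHttpProtocol` rely on catching ArrayIndexOutOfBoundsException to reject values outside 0..127; because every caller passes a signed `byte` widened to `int`, each byte >= 0x80 takes the exception path, which is expensive on a parsing loop driven entirely by untrusted input. An explicit `if (c < 0 || c > 127) return true;` (resp. `return false;`) before the table lookup gives the same result without the exception. The fail-closed defaults (`true` for isNotRequestTarget, `false` for isHttpProtocol) are the right ones and should be kept.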
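Review bot: the `iib.invalidheader` key added in the LocalStrings.properties hunk is not used by any hunk in this diff; the non-token header path in both InternalInputBuffer and InternalNioInputBuffer still calls `skipLine(...)` under the comment "ignore the header" and logs nothing. Either wire the message into that path (a debug-level log of the rejected header line is what it is worded for, and it is what an operator would want when diagnosing silently dropped headers) or drop the key so the properties file does not carry an unused string.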
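Review bot: the new `getManager(Class<?> clazz)` in the StringManager hunk is inserted with no blank line or javadoc before the existing `/** Get the StringManager for a particular package ...` comment, and `static final` on a method is redundant (static methods cannot be overridden). Add a one-line javadoc, drop `final`, and separate the two methods with a blank line.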
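Review bot: the `env.put("jmx.remote.rmi.server.credential.types", ...)` lines in the CVE-2016-8735 hunk carry no comment; add one stating that the value restricts the credential object types the JMX RMI server will accept to `String[]` and `String`, and that it only takes effect on a JVM whose JMX RMI implementation honours this property (runtimes that do not know the key ignore it without any warning), so the listener must not be assumed hardened on an unpatched JVM.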
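Review bot: dropping `-notimestamp` from the javadoc invocation in the `@@ -54,7 +54,7 @@` hunk of debian/rules makes the generated API documentation non-reproducible (each build embeds its build time). If this is because the wheezy JDK's javadoc rejects the flag, record that in the changelog; otherwise keep the flag.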
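Review bot: the debian/tomcat6.cron.daily hunk changes the delete pattern from `\*.$LOGEXT` (which became `log.gz` after the compression step) to a fixed `\*.log`, so `.log.gz` files produced by earlier versions of this script will never be pruned after an upgrade. Either match them too (e.g. `-name '*.log*'`) or mention the leftover files in NEWS. With LOGFILE_COMPRESS removed, the "variables that can be overwritten in $DEFAULT" block now documents only LOGFILE_DAYS, and a `$DEFAULT` that sets LOGFILE_COMPRESS silently stops having any effect; that deserves a changelog line.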
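Review bot: in the new `install -o $TOMCAT6_USER -g adm -m 644 ...` lines of the debian/tomcat6.init hunk the user variable is unquoted while the `start-stop-daemon` call right below quotes `"$TOMCAT6_USER"`; quote it for consistency. The group is hardcoded to `adm` rather than `$TOMCAT6_GROUP` (reasonable for log readability, but worth a comment), and the PID file is unconditionally recreated on every start whereas catalina.out is only created when missing; the asymmetry looks intentional (a fresh PID file each start) but a one-line comment would stop the next reader from "fixing" it.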
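Review bot: the replacement `opts=uversionmangle=s/_/./g` in the debian/watch hunk drops dversionmangle entirely, so uscan will compare the Debian upstream version `6.0.45+dfsg` against `6.0.45` and can report a spurious mismatch or miss a genuinely newer upstream. Keep a dversionmangle that strips the repack suffix, e.g. `dversionmangle=s/\+dfsg$//`, alongside the uversionmangle.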

