This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository tomcat7.
commit bd5f1b19f454fcec850ff7eb1416993b5f1d67df Author: Markus Koschany <[email protected]> Date: Tue Jan 10 22:09:47 2017 +0100 Import Debian patch 7.0.28-4+deb7u9 --- debian/changelog | 15 ++++++ debian/patches/CVE-2016-6816.patch | 99 +++++++++++++++++++++++++++++++++++++- debian/patches/CVE-2016-8745.patch | 39 +++++++++++++++ debian/patches/series | 1 + 4 files changed, 153 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 4ca8873..d5d03a3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +tomcat7 (7.0.28-4+deb7u9) wheezy-security; urgency=high + + * Fix CVE-2016-8745: + A bug in the error handling of the send file code for the NIO HTTP + connector resulted in the current Processor object being added to the + Processor cache multiple times. This in turn meant that the same Processor + could be used for concurrent requests. Sharing a Processor can result in + information leakage between requests including, not not limited to, session + ID and the response body. + * Update CVE-2016-6816.patch and backport changes to SecurityClassLoad.java + as well. This fixes ClassNotFoundException when running with + SecurityManager enabled. (Closes: #849949) + + -- Markus Koschany <[email protected]> Tue, 10 Jan 2017 22:09:47 +0100 + tomcat7 (7.0.28-4+deb7u8) wheezy-security; urgency=high * Non-maintainer upload by the LTS team. diff --git a/debian/patches/CVE-2016-6816.patch b/debian/patches/CVE-2016-6816.patch index 5bf6a04..fb89f9b 100644 --- a/debian/patches/CVE-2016-6816.patch +++ b/debian/patches/CVE-2016-6816.patch @@ -7,6 +7,7 @@ Backport new HttpParser implementation to Wheezy and fix CVE-2016-6816. Origin: http://svn.apache.org/r1767675 --- java/org/apache/catalina/connector/Response.java | 19 +- + .../catalina/security/SecurityClassLoad.java | 41 +- java/org/apache/coyote/Response.java | 13 +- .../apache/coyote/http11/AbstractInputBuffer.java | 56 +- .../coyote/http11/InternalAprInputBuffer.java | 52 +- 
@@ -36,7 +37,7 @@ Origin: http://svn.apache.org/r1767675 .../tomcat/util/http/parser/TokenMgrError.java | 148 ---- .../util/http/parser/TestAuthorizationDigest.java | 324 ++++++++ .../tomcat/util/http/parser/TestMediaType.java | 190 ++--- - 30 files changed, 1323 insertions(+), 2779 deletions(-) + 31 files changed, 1340 insertions(+), 2803 deletions(-) create mode 100644 java/org/apache/tomcat/util/collections/ConcurrentCache.java delete mode 100644 java/org/apache/tomcat/util/http/parser/AstAttribute.java delete mode 100644 java/org/apache/tomcat/util/http/parser/AstMediaType.java 
@@ -115,6 +116,102 @@ index b4b5b95..72d183e 100644 isCharacterEncodingSet = true; } } +diff --git a/java/org/apache/catalina/security/SecurityClassLoad.java b/java/org/apache/catalina/security/SecurityClassLoad.java +index d39d251..ba0dda0 100644 +--- a/java/org/apache/catalina/security/SecurityClassLoad.java ++++ b/java/org/apache/catalina/security/SecurityClassLoad.java +@@ -25,9 +25,7 @@ package org.apache.catalina.security; + * + * @author Glenn L. Nielsen + * @author Jean-Francois Arcand +- * @version $Id: SecurityClassLoad.java 1347036 2012-06-06 18:32:43Z markt $ + */ +- + public final class SecurityClassLoad { + + public static void securityClassLoad(ClassLoader loader) +@@ -44,6 +42,7 @@ public final class SecurityClassLoad { + loadServletsPackage(loader); + loadSessionPackage(loader); + loadUtilPackage(loader); ++ loadValvesPackage(loader); + loadJavaxPackage(loader); + loadConnectorPackage(loader); + loadTomcatPackage(loader); +@@ -55,6 +54,9 @@ public final class SecurityClassLoad { + final String basePackage = "org.apache.catalina.core."; + loader.loadClass + (basePackage + ++ "AccessLogAdapter"); ++ loader.loadClass ++ (basePackage + + "ApplicationContextFacade$1"); + loader.loadClass + (basePackage + +@@ -133,8 +135,6 @@ public final class SecurityClassLoad { + loader.loadClass + (basePackage + "StandardSession"); + loader.loadClass +- (basePackage + "StandardSession$PrivilegedSetTccl"); +- loader.loadClass + (basePackage + "StandardSession$1"); + loader.loadClass + (basePackage + "StandardManager$PrivilegedDoUnload"); +@@ -149,6 +149,13 @@ public final class SecurityClassLoad { + } + + ++ private static final void loadValvesPackage(ClassLoader loader) ++ throws Exception { ++ final String basePackage = "org.apache.catalina.valves."; ++ loader.loadClass(basePackage + "AccessLogValve$3"); ++ } ++ ++ + private static final void loadCoyotePackage(ClassLoader loader) + throws Exception { + final String basePackage = "org.apache.coyote."; +@@ -264,23 
+271,10 @@ public final class SecurityClassLoad { + basePackage + "util.http.FastHttpDateFormat"); + clazz.newInstance(); + loader.loadClass(basePackage + "util.http.HttpMessages"); +- loader.loadClass(basePackage + "util.http.parser.AstAttribute"); +- loader.loadClass(basePackage + "util.http.parser.AstMediaType"); +- loader.loadClass(basePackage + "util.http.parser.AstParameter"); +- loader.loadClass(basePackage + "util.http.parser.AstSubType"); +- loader.loadClass(basePackage + "util.http.parser.AstType"); +- loader.loadClass(basePackage + "util.http.parser.AstValue"); + loader.loadClass(basePackage + "util.http.parser.HttpParser"); +- loader.loadClass(basePackage + "util.http.parser.HttpParserConstants"); +- loader.loadClass(basePackage + "util.http.parser.HttpParserTokenManager"); +- loader.loadClass(basePackage + "util.http.parser.HttpParserTreeConstants"); +- loader.loadClass(basePackage + "util.http.parser.JJTHttpParserState"); +- loader.loadClass(basePackage + "util.http.parser.Node"); +- loader.loadClass(basePackage + "util.http.parser.ParseException"); +- loader.loadClass(basePackage + "util.http.parser.SimpleCharStream"); +- loader.loadClass(basePackage + "util.http.parser.SimpleNode"); +- loader.loadClass(basePackage + "util.http.parser.Token"); +- loader.loadClass(basePackage + "util.http.parser.TokenMgrError"); ++ loader.loadClass(basePackage + "util.http.parser.HttpParser$SkipConstantResult"); ++ loader.loadClass(basePackage + "util.http.parser.MediaType"); ++ loader.loadClass(basePackage + "util.http.parser.MediaTypeCache"); + // net + loader.loadClass(basePackage + "util.net.Constants"); + loader.loadClass(basePackage + +@@ -290,10 +284,9 @@ public final class SecurityClassLoad { + loader.loadClass(basePackage + + "util.net.NioBlockingSelector$BlockPoller$3"); + loader.loadClass(basePackage + "util.net.SSLSupport$CipherData"); +- loader.loadClass +- (basePackage + "util.net.JIoEndpoint$PrivilegedSetTccl"); +- loader.loadClass +- (basePackage + 
"util.net.AprEndpoint$PrivilegedSetTccl"); ++ // security ++ loader.loadClass(basePackage + "util.security.PrivilegedGetTccl"); ++ loader.loadClass(basePackage + "util.security.PrivilegedSetTccl"); + } + } + diff --git a/java/org/apache/coyote/Response.java b/java/org/apache/coyote/Response.java index df35070..e9f1a61 100644 --- a/java/org/apache/coyote/Response.java diff --git a/debian/patches/CVE-2016-8745.patch b/debian/patches/CVE-2016-8745.patch new file mode 100644 index 0000000..448c52a --- /dev/null +++ b/debian/patches/CVE-2016-8745.patch 
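Review bot: The SecurityClassLoad preload list now names classes by exact binary name, including the compiler-numbered anonymous class `AccessLogValve$3` and the relocated `util.security.PrivilegedGetTccl` / `util.security.PrivilegedSetTccl`, and nothing in this patch checks that those names exist in the backported 7.0.28 tree. `loader.loadClass` throws ClassNotFoundException on any mismatch, which is the same failure under an enabled SecurityManager that this update is meant to close (#849949). The hunks also drop the preloads of `StandardSession$PrivilegedSetTccl`, `JIoEndpoint$PrivilegedSetTccl` and `AprEndpoint$PrivilegedSetTccl`, so it is worth confirming that those inner classes are gone from the patched sources, which is not visible here. A build-time smoke test that calls `SecurityClassLoad.securityClassLoad(loader)` against the built jars with the security manager enabled would catch a stale or misnumbered entry before upload.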
@@ -0,0 +1,39 @@
+From: Markus Koschany <[email protected]>
+Date: Tue, 10 Jan 2017 22:05:28 +0100
+Subject: CVE-2016-8745
+
+A bug in the error handling of the send file code for the NIO HTTP
+connector resulted in the current Processor object being added to the
+Processor cache multiple times. This in turn meant that the same
+Processor could be used for concurrent requests. Sharing a Processor can
+result in information leakage between requests including, not not
+limited to, session ID and the response body.
+
+Bug-Upstream: https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1777471
+---
+ java/org/apache/tomcat/util/net/NioEndpoint.java | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
+index 3c10bf3..a2f7a12 100644
+--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
++++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
+@@ -1369,11 +1369,15 @@ public class NioEndpoint extends AbstractEndpoint {
+ }
+ }catch ( IOException x ) {
+ if ( log.isDebugEnabled() ) log.debug("Unable to complete sendfile request:", x);
+- cancelledKey(sk,SocketStatus.ERROR,false);
++ if (!event) {
++ cancelledKey(sk,SocketStatus.ERROR,false);
++ }
+ return false;
+ }catch ( Throwable t ) {
+ log.error("",t);
+- cancelledKey(sk, SocketStatus.ERROR, false);
++ if (!event) {
++ cancelledKey(sk, SocketStatus.ERROR, false);
++ }
+ return false;
+ }finally {
+ if (sc!=null) sc.setSendFile(false);
diff --git a/debian/patches/series b/debian/patches/series
index 3c59fa1..df71d34 100644
--- a/debian/patches/series
+++ b/debian/patches/series
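Review bot: The new `if (!event)` guards in both catch blocks of the NioEndpoint sendfile code carry no comment, so the reason the key must not be cancelled on this path is invisible at the call site and the guard is easy to remove in a later cleanup. A one-line comment above each guard would do, for example `// Called from event processing: the caller cleans up; cancelling here would release the Processor twice (CVE-2016-8745)`. That reading of `event` is inferred from the patch description and should be checked against the method's callers, since the method begins and ends outside the hunk. Separately, the `Throwable` branch logs with an empty message, which makes this failure hard to find when investigating; `log.error("Unable to complete sendfile request:", t);` would match the IOException branch.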
@@ -46,3 +46,4 @@ CVE-2016-6816.patch CVE-2016-8735.patch CVE-2016-5018-part2.patch CVE-2016-6797-part2.patch +CVE-2016-8745.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

