Emmanuel Bourg pushed to branch buster at Debian Java Maintainers / tomcat9
Commits:
674d2cf7 by Emmanuel Bourg at 2020-07-14T22:07:54+02:00
Fixed CVE-2020-13935: WebSocket Denial of Service
- - - - -
b9b647aa by Emmanuel Bourg at 2020-07-14T22:11:38+02:00
Fixed CVE-2020-13934: HTTP/2 Denial of Service
- - - - -
ca222445 by Emmanuel Bourg at 2020-07-14T22:12:14+02:00
Upload to buster-security
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/CVE-2020-13934.patch
- + debian/patches/CVE-2020-13935.patch
- debian/patches/series
Changes:
===================================== debian/changelog =====================================
@@ -1,3 +1,17 @@
+tomcat9 (9.0.31-1~deb10u2) buster-security; urgency=medium
+
+ * Team upload.
+ * Fixed CVE-2020-13935: WebSocket Denial of Service. The payload length
+ in a WebSocket frame was not correctly validated. Invalid payload lengths
+ could trigger an infinite loop. Multiple requests with invalid payload
+ lengths could lead to a denial of service.
+ * Fixed CVE-2020-13934: HTTP/2 Denial of Service. An h2c direct connection
+ did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a
+ sufficient number of such requests were made, an OutOfMemoryException
+ could occur leading to a denial of service.
+
+ -- Emmanuel Bourg <[email protected]> Tue, 14 Jul 2020 22:11:58 +0200
+
 tomcat9 (9.0.31-1~deb10u1) buster-security; urgency=high
 * Team upload.
===================================== debian/patches/CVE-2020-13934.patch =====================================
@@ -0,0 +1,30 @@
+Description: Fixes CVE-2020-13934: HTTP/2 Denial of Service.
+ An h2c direct connection did not release the HTTP/1.1 processor after the
+ upgrade to HTTP/2. If a sufficient number of such requests were made, an
+ OutOfMemoryException could occur leading to a denial of service.
+Origin: backport, https://github.com/apache/tomcat/commit/172977f0
+--- a/java/org/apache/coyote/AbstractProtocol.java
++++ b/java/org/apache/coyote/AbstractProtocol.java
+@@ -876,8 +876,10 @@
+ // Assume direct HTTP/2 connection
+ UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
+ if (upgradeProtocol != null) {
+- processor = upgradeProtocol.getProcessor(
+ wrapper, getProtocol().getAdapter());
++ // Release the Http11 processor to be re-used
++ release(processor);
++ // Create the upgrade processor
++ processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
+ wrapper.unRead(leftOverInput);
+ // Associate with the processor with the connection
+ wrapper.setCurrentProcessor(processor);
+@@ -887,7 +889,8 @@
+ "abstractConnectionHandler.negotiatedProcessor.fail",
+ "h2c"));
+ }
+- return SocketState.CLOSED;
++ // Exit loop and trigger appropriate clean-up
++ state = SocketState.CLOSED;
+ }
+ } else {
+ HttpUpgradeHandler httpUpgradeHandler = upgradeToken.getHttpUpgradeHandler();
===================================== debian/patches/CVE-2020-13935.patch =====================================
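Review bot: Between `release(processor);` and the reassignment on the following line, `processor` still points at the recycled Http11 processor, so if `upgradeProtocol.getProcessor(...)` throws, the exception handling of the enclosing `process` method (which starts and ends outside this hunk) would presumably see that stale reference and could hand it to `release` a second time; a comment such as `// processor is back in the pool from here until reassigned below; do not release it again` would flag the window, and setting `processor = null;` straight after the release is worth confirming against what `release` and the catch blocks do with a null processor. The second change, `state = SocketState.CLOSED;` in place of `return SocketState.CLOSED;`, now relies on the loop-exit clean-up outside the hunk to release the Http11 processor on the no-h2c path, and the comment `// Exit loop and trigger appropriate clean-up` could say exactly that. As a packaging note, this DEP-3 header carries no `Bug:` field, unlike the sibling CVE-2020-13935 patch which records the upstream Bugzilla entry.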
@@ -0,0 +1,32 @@
+Description: Fixes CVE-2020-13935: WebSocket Denial of Service
+ The payload length in a WebSocket frame was not correctly validated.
+ Invalid payload lengths could trigger an infinite loop. Multiple
+ requests with invalid payload lengths could lead to a denial of service.
+Origin: backport, https://github.com/apache/tomcat/commit/40fa74c7
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=64563
+--- a/java/org/apache/tomcat/websocket/LocalStrings.properties
++++ b/java/org/apache/tomcat/websocket/LocalStrings.properties
+@@ -71,6 +71,7 @@
+ wsFrame.notMasked=The client frame was not masked but all client frames must be masked
+ wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
+ wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
++wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
+ wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
+ wsFrame.suspendRequested=Suspend of the message receiving has already been requested.
+ wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
+--- a/java/org/apache/tomcat/websocket/WsFrameBase.java
++++ b/java/org/apache/tomcat/websocket/WsFrameBase.java
+@@ -261,6 +261,13 @@
+ } else if (payloadLength == 127) {
+ payloadLength = byteArrayToLong(inputBuffer.array(),
+ inputBuffer.arrayOffset() + inputBuffer.position(), 8);
++ // The most significant bit of those 8 bytes is required to be zero
++ // (see RFC 6455, section 5.2). If the most significant bit is set,
++ // the resulting payload length will be negative so test for that.
++ if (payloadLength < 0) {
++ throw new WsIOException(
++ new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
++ }
+ inputBuffer.position(inputBuffer.position() + 8);
+ }
+ if (Util.isControl(opCode)) {
===================================== debian/patches/series =====================================
@@ -12,3 +12,5 @@
 0026-easymock4-compatibility.patch
 0027-java11-compilation.patch
 JDTCompiler.patch
+CVE-2020-13934.patch
+CVE-2020-13935.patch
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/f65e52e2087e8e852cb62d75454cfe10ed740095...ca222445de686c1ff1922ee9b0bef559ac2dcc35
--
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/f65e52e2087e8e852cb62d75454cfe10ed740095...ca222445de686c1ff1922ee9b0bef559ac2dcc35
You're receiving this email because of your account on salsa.debian.org.
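Review bot: The added guard rejects only a set most-significant bit, so a 64-bit length below 65536 still passes this `payloadLength == 127` branch even though RFC 6455 §5.2 requires the minimal encoding (the 16-bit case lies above this hunk); if that strictness is wanted, add after the existing check `if (payloadLength < 65536) { throw new WsIOException(new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadNotMinimal"))); }` together with a matching key in LocalStrings.properties, noting that this goes beyond the CVE fix itself. Any non-negative length up to 2^63-1 is accepted here, and whether it is later capped against the configured maximum message size is not visible in this hunk, so the comment above the check could add `// A non-negative length is still presumed to be bounded by the message-size limit enforced later - confirm`. The enclosing method starts and ends outside the hunk.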

