Re: New test in TestPEMFile fails ...
Am 12.05.2022 um 22:57 schrieb Rémy Maucherat: On Thu, May 12, 2022 at 9:14 PM Rainer Jung wrote: ... for me with Java 1.8.0 332 (various OpenJDK builds) on TC 9.0.63 and 10.0.21, platform various Linuxes and also Solaris Sparc. It does not fail for Java 11 and also not for Oracle Java 1.8.0 331. The funny thing is it is the support that was already there in PEMFile that is failing, and that code is apparently completely unchanged. So I don't quite understand or maybe it simply never worked (I don't know the reason why obviously) as the test was not there before. That's likely. I didn't yet have the opportunity to run the test with older versions, but like you I don't see an obvious reason, why the problem should be new. Best regards, Rainer Rémy Testsuite: org.apache.tomcat.util.net.jsse.TestPEMFile Tests run: 5, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.947 sec Testcase: testKeyEncryptedPkcs1DesEde3Cbc took 0.59 sec Testcase: testKeyEncryptedPkcs8 took 0.196 sec Caused an ERROR Cannot retrieve the PKCS8EncodedKeySpec java.security.spec.InvalidKeySpecException: Cannot retrieve the PKCS8EncodedKeySpec at javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:258) at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:212) at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:143) at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:98) at org.apache.tomcat.util.net.jsse.TestPEMFile.testKey(TestPEMFile.java:74) at org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncrypted(TestPEMFile.java:69) at org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncryptedPkcs8(TestPEMFile.java:64) Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975) at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056) at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853) at com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:323) at javax.crypto.Cipher.doFinal(Cipher.java:2168) at javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:253) Testcase: testKeyPkcs1 took 0.004 sec Testcase: testKeyEncryptedPkcs1Aes256 took 0.035 sec Testcase: testKeyEncryptedPkcs1DesCbc took 0.023 sec Best regards, Rainer - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: New test in TestPEMFile fails ...
On Thu, May 12, 2022 at 9:14 PM Rainer Jung wrote: > > ... for me with Java 1.8.0 332 (various OpenJDK builds) on TC 9.0.63 and > 10.0.21, platform various Linuxes and also Solaris Sparc. It does not > fail for Java 11 and also not for Oracle Java 1.8.0 331. The funny thing is it is the support that was already there in PEMFile that is failing, and that code is apparently completely unchanged. So I don't quite understand or maybe it simply never worked (I don't know the reason why obviously) as the test was not there before. Rémy > Testsuite: org.apache.tomcat.util.net.jsse.TestPEMFile > Tests run: 5, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.947 sec > > Testcase: testKeyEncryptedPkcs1DesEde3Cbc took 0.59 sec > Testcase: testKeyEncryptedPkcs8 took 0.196 sec > Caused an ERROR > Cannot retrieve the PKCS8EncodedKeySpec > java.security.spec.InvalidKeySpecException: Cannot retrieve the > PKCS8EncodedKeySpec > at > javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:258) > at > org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:212) > at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:143) > at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:98) > at > org.apache.tomcat.util.net.jsse.TestPEMFile.testKey(TestPEMFile.java:74) > at > org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncrypted(TestPEMFile.java:69) > at > org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncryptedPkcs8(TestPEMFile.java:64) > Caused by: javax.crypto.BadPaddingException: Given final block not > properly padded. Such issues can arise if a bad key is used during > decryption. > at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975) > at > com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056) > at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853) > at > com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:323) > at javax.crypto.Cipher.doFinal(Cipher.java:2168) > at > javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:253) > > Testcase: testKeyPkcs1 took 0.004 sec > Testcase: testKeyEncryptedPkcs1Aes256 took 0.035 sec > Testcase: testKeyEncryptedPkcs1DesCbc took 0.023 sec > > Best regards, > > Rainer > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[SECURITY] CVE-2022-25762 Apache Tomcat - Request Mix-up
CVE-2022-25762 Apache Tomcat - Request Mix-up Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.20 Apache Tomcat 8.5.0 to 8.5.75 Description: If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 9.0.21 or later - Upgrade to Apache Tomcat 8.5.76 or later History: 2022-05-12 Original advisory Credit: This issue was identified by the Apache Tomcat security team. References: [1] https://tomcat.apache.org/security-9.html [2] https://tomcat.apache.org/security-8.html - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1900842 - in /tomcat/site/trunk: docs/security-8.html docs/security-9.html xdocs/security-8.xml xdocs/security-9.xml
Author: markt Date: Thu May 12 19:56:43 2022 New Revision: 1900842 URL: http://svn.apache.org/viewvc?rev=1900842&view=rev Log: Publish CVE-2022-25762 Modified: tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1900842&r1=1900841&r2=1900842&view=diff == --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Thu May 12 19:56:43 2022 @@ -42,7 +42,7 @@ Table of Contents -Fixed in Apache Tomcat 8.5.79Fixed in Apache Tomcat 8.5.75Fixed in Apache Tomcat 8.5.72Fixed in Apache Tomcat 8.5.68Fixed in Apache Tomcat 8.5.66Fixed in Apache Tomcat 8.5.65Fixed in Apache Tomcat 8.5.64Fixed in Apache Tomcat 8.5.63Fixed in Apache Tomcat 8.5.60Fixed in Apache Tomcat 8.5.58Fixed in Apache Tomcat 8.5.57Fixed in Apache Tomcat 8.5.56Fixed in Apache Tomcat 8.5.55Fixed in Apache Tomcat 8.5.51Fixed in Apache Tomcat 8.5.50Fixed in Apache Tomcat 8.5.49Fixed in Apache Tomcat 8.5.41Fixed in Apache Tomcat 8.5.40Fixed in Apache Tomcat 8.5.38Fixed in Apache Tomcat 8.5.34Fixed in Apache Tomcat 8.0.53Fixed in Apache Tomcat 8.5.32Fixed in Apache Tomcat 8.0.52Fixed in Apache Tomcat 8.5.31Fixed in Apache Tomcat >8.0.50Fixed in Apache >Tomcat 8.5.28Fixed in >Apache Tomcat 8.0.48href="#Fixed_in_Apache_Tomcat_8.5.24">Fixed in Apache Tomcat >8.5.24Fixed in Apache >Tomcat 8.0.47Fixed in >Apache Tomcat 8.5.23href="#Fixed_in_Apache_Tomcat_8.0.45">Fixed in Apache Tomcat >8.0.45Fixed in Apache >Tomcat 8.5.16Fixed in >Apache Tomcat 8.0.44href="#Fixed_in_Apache_Tomcat_8.5.15">Fixed in Apache Tomcat >8.5.15Fixed in Apache >Tomcat 8.0.43Fixed in >Apache Tomcat 8.5.13 Fixed in Apache Tomcat 8.0.42Fixed in Apache Tomcat 8.5.12Fixed in Apache Tomcat 8.0.41Fixed in Apache Tomcat 8.5.11Fixed in Apache Tomcat 8.5.9Fixed in Apache Tomcat 8.0.39Fixed in Apache Tomcat 8.5.8Fixed in Apache Tomcat 8.5.5 and 8.0.37Fixed in Apache Tomcat 8.5.3 and 8.0.36Fixed in Apache Tomcat 8.0.32Fixed in Apache Tomcat 8.0.30Fixed in Apache Tomcat 8.0.27Fixed in Apache Tomcat 8.0.17Fixed in Apache Tomcat 8.0.9Fixed in Apache Tomcat 8.0.8Fixed in Apache Tomcat 8.0.5Fixed in Apache Tomcat 8.0.3Fixed in Apache Tomcat 8.0.0-RC10Fixed in Apache Tomcat 8.0.0-RC3Not a vulnerability in TomcatNot a vulnerability in Tomcat +Fixed in Apache Tomcat 8.5.79Fixed in Apache Tomcat 8.5.76Fixed in Apache Tomcat 8.5.75Fixed in Apache Tomcat 8.5.72Fixed in Apache Tomcat 8.5.68Fixed in Apache Tomcat 8.5.66Fixed in Apache Tomcat 8.5.65Fixed in Apache Tomcat 8.5.64Fixed in Apache Tomcat 8.5.63Fixed in Apache Tomcat 8.5.60Fixed in Apache Tomcat 8.5.58Fixed in Apache Tomcat 8.5.57Fixed in Apache Tomcat 8.5.56Fixed in Apache Tomcat 8.5.55Fixed in Apache Tomcat 8.5.51Fixed in Apache Tomcat 8.5.50Fixed in Apache Tomcat 8.5.49Fixed in Apache Tomcat 8.5.41Fixed in Apache Tomcat 8.5.40Fixed in Apache Tomcat 8.5.38Fixed in Apache Tomcat 8.5.34Fixed in Apache Tomcat 8.0.53Fixed in Apache Tomcat 8.5.32Fixed in Apache Tomcat 8.0.52Fixed in Apache Tomcat >8.5.31Fixed in Apache >Tomcat 8.0.50Fixed in >Apache Tomcat 8.5.28href="#Fixed_in_Apache_Tomcat_8.0.48">Fixed in Apache Tomcat >8.0.48Fixed in Apache >Tomcat 8.5.24Fixed in >Apache Tomcat 8.0.47href="#Fixed_in_Apache_Tomcat_8.5.23">Fixed in Apache Tomcat >8.5.23Fixed in Apache >Tomcat 8.0.45Fixed in >Apache Tomcat 8.5.16href="#Fixed_in_Apache_Tomcat_8.0.44">Fixed in Apache Tomcat >8.0.44Fixed in Apache >Tomcat 8.5.15Fixed in >Apache Tomcat 8.0.43 Fixed in Apache Tomcat 8.5.13Fixed in Apache Tomcat 8.0.42Fixed in Apache Tomcat 8.5.12Fixed in Apache Tomcat 8.0.41Fixed in Apache Tomcat 8.5.11Fixed in Apache Tomcat 8.5.9Fixed in Apache Tomcat 8.0.39Fixed in Apache Tomcat 8.5.8Fixed in Apache Tomcat 8.5.5 and 8.0.37Fixed in Apache Tomcat 8.5.3 and 8.0.36Fixed in Apache Tomcat 8.0.32Fixed in Apache Tomcat 8.0.30Fixed in Apache Tomcat 8.0.27Fixed in Apache Tomcat 8.0.17Fixed in Apache Tomcat 8.0.9Fixed in Apache Tomcat 8.0.8Fixed in Apache Tomcat 8.0.5Fixed in Apache Tomcat 8.0.3Fixed in Apache Tomcat 8.0.0-RC10Fixed in Apache Tomcat 8.0.0-RC3Not a vulnerability in TomcatNot a vulnerability in Tomcat not yet released Fixed in Apache Tomcat 8.5.79 Low: Apache Tomcat EncryptInterceptor DoS @@ -62,6 +62,27 @@ Affects: 8.5.38 to 8.5.78 + 28 February 2022 Fixed in Apache Tomcat 8.5.76 + +Important: Request mix-up + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25762"; rel="nofollow">CVE-2022-25762 + +If a web application sends a WebSocket message concurrently with the + WebSocket connection closing, it is possi
New test in TestPEMFile fails ...
... for me with Java 1.8.0 332 (various OpenJDK builds) on TC 9.0.63 and 10.0.21, platform various Linuxes and also Solaris Sparc. It does not fail for Java 11 and also not for Oracle Java 1.8.0 331. Testsuite: org.apache.tomcat.util.net.jsse.TestPEMFile Tests run: 5, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.947 sec Testcase: testKeyEncryptedPkcs1DesEde3Cbc took 0.59 sec Testcase: testKeyEncryptedPkcs8 took 0.196 sec Caused an ERROR Cannot retrieve the PKCS8EncodedKeySpec java.security.spec.InvalidKeySpecException: Cannot retrieve the PKCS8EncodedKeySpec at javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:258) at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:212) at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:143) at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:98) at org.apache.tomcat.util.net.jsse.TestPEMFile.testKey(TestPEMFile.java:74) at org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncrypted(TestPEMFile.java:69) at org.apache.tomcat.util.net.jsse.TestPEMFile.testKeyEncryptedPkcs8(TestPEMFile.java:64) Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975) at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056) at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853) at com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:323) at javax.crypto.Cipher.doFinal(Cipher.java:2168) at javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:253) Testcase: testKeyPkcs1 took 0.004 sec Testcase: testKeyEncryptedPkcs1Aes256 took 0.035 sec Testcase: testKeyEncryptedPkcs1DesCbc took 0.023 sec Best regards, Rainer - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Minor version number updates
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 2d92be245d Minor version number updates 2d92be245d is described below commit 2d92be245ddad1d239c7fab3909b066fad342c3f Author: remm AuthorDate: Thu May 12 10:28:16 2022 +0200 Minor version number updates --- modules/cxf/pom.xml | 6 +++--- modules/owb/pom.xml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/cxf/pom.xml b/modules/cxf/pom.xml index 4df9a4b4cc..1a8dec50cb 100644 --- a/modules/cxf/pom.xml +++ b/modules/cxf/pom.xml @@ -21,7 +21,7 @@ org.apache apache -23 +26 org.apache.tomcat @@ -29,14 +29,14 @@ Apache CXF for Apache Tomcat CDI Apache CXF packaged for Apache Tomcat CDI -3.5.0 +3.5.2 jar 1.3 1.1.4 1.0 -1.2.15 +1.2.18 diff --git a/modules/owb/pom.xml b/modules/owb/pom.xml index b2220580c7..6c16c8d8e7 100644 --- a/modules/owb/pom.xml +++ b/modules/owb/pom.xml @@ -21,7 +21,7 @@ org.apache apache -23 +26 org.apache.tomcat @@ -36,7 +36,7 @@ 1.2 1.2 1.3 -9.0.58 +9.0.62 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated: Minor version number updates
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 57bdf5866a Minor version number updates 57bdf5866a is described below commit 57bdf5866acad9679b71e1875e92a3ef9fe83d90 Author: remm AuthorDate: Thu May 12 10:28:16 2022 +0200 Minor version number updates --- modules/cxf/pom.xml | 6 +++--- modules/owb/pom.xml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/cxf/pom.xml b/modules/cxf/pom.xml index 0de6090ebe..7b121694e9 100644 --- a/modules/cxf/pom.xml +++ b/modules/cxf/pom.xml @@ -21,7 +21,7 @@ org.apache apache -23 +26 org.apache.tomcat @@ -29,14 +29,14 @@ Apache CXF for Apache Tomcat CDI Apache CXF packaged for Apache Tomcat CDI -3.5.0 +3.5.2 jar 1.3 1.1.4 1.0 -1.2.15 +1.2.18 diff --git a/modules/owb/pom.xml b/modules/owb/pom.xml index 0799bd5398..4099afc547 100644 --- a/modules/owb/pom.xml +++ b/modules/owb/pom.xml @@ -21,7 +21,7 @@ org.apache apache -23 +26 org.apache.tomcat @@ -36,7 +36,7 @@ 1.2 1.2 1.3 -10.0.16 +10.0.20 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Minor version number updates
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 0a9d25908e Minor version number updates 0a9d25908e is described below commit 0a9d25908e2f92e5197f2a48948e2cd879266c6a Author: remm AuthorDate: Thu May 12 10:40:02 2022 +0200 Minor version number updates --- modules/openssl-java17/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/openssl-java17/pom.xml b/modules/openssl-java17/pom.xml index 09e239ae89..f21cbb4acd 100644 --- a/modules/openssl-java17/pom.xml +++ b/modules/openssl-java17/pom.xml @@ -21,7 +21,7 @@ org.apache apache -24 +26 org.apache.tomcat - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Minor version number updates
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new a4c63200e9 Minor version number updates a4c63200e9 is described below commit a4c63200e929533fde6dcff44d97259e8b753a5c Author: remm AuthorDate: Thu May 12 10:28:16 2022 +0200 Minor version number updates --- modules/cxf/pom.xml | 6 +++--- modules/owb/pom.xml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/cxf/pom.xml b/modules/cxf/pom.xml index 0de6090ebe..7b121694e9 100644 --- a/modules/cxf/pom.xml +++ b/modules/cxf/pom.xml @@ -21,7 +21,7 @@ org.apache apache -23 +26 org.apache.tomcat @@ -29,14 +29,14 @@ Apache CXF for Apache Tomcat CDI Apache CXF packaged for Apache Tomcat CDI -3.5.0 +3.5.2 jar 1.3 1.1.4 1.0 -1.2.15 +1.2.18 diff --git a/modules/owb/pom.xml b/modules/owb/pom.xml index 0799bd5398..4099afc547 100644 --- a/modules/owb/pom.xml +++ b/modules/owb/pom.xml @@ -21,7 +21,7 @@ org.apache apache -23 +26 org.apache.tomcat @@ -36,7 +36,7 @@ 1.2 1.2 1.3 -10.0.16 +10.0.20 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
