This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch stretch in repository tomcat8.
commit b2b30054606d392a0dbf653ed06fcc23abb6eaf1
Author: Markus Koschany <a...@debian.org>
Date: Sun Sep 3 19:51:58 2017 +0200
Import Debian changes 8.5.14-1+deb9u2
tomcat8 (8.5.14-1+deb9u2) stretch-security; urgency=high
* Team upload.
* Fix CVE-2017-7674: The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
* Fix CVE-2017-7675: The HTTP/2 implementation bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.
---
debian/changelog | 14 ++++
debian/patches/CVE-2017-7674.patch | 39 ++++++++++
debian/patches/CVE-2017-7675.patch | 153 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 2 +
4 files changed, 208 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 49649e0..180efba 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+tomcat8 (8.5.14-1+deb9u2) stretch-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2017-7674:
+ The CORS Filter did not add an HTTP Vary header indicating that the
+ response varies depending on Origin. This permitted client and server side
+ cache poisoning in some circumstances.
+ * Fix CVE-2017-7675:
+ The HTTP/2 implementation bypassed a number of security checks that
+ prevented directory traversal attacks. It was therefore possible to bypass
+ security constraints using a specially crafted URL.
+
+ -- Markus Koschany <a...@debian.org> Sun, 03 Sep 2017 19:51:58 +0200
+
tomcat8 (8.5.14-1+deb9u1) stretch-security; urgency=high
* Team upload.
diff --git a/debian/patches/CVE-2017-7674.patch b/debian/patches/CVE-2017-7674.patch
new file mode 100644
index 0000000..3131b06
--- /dev/null
+++ b/debian/patches/CVE-2017-7674.patch
@@ -0,0 +1,39 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sat, 2 Sep 2017 14:59:09 +0200
+Subject: CVE-2017-7674
+
+Bug-Debian: https://bugs.debian.org/802312
+Origin: http://svn.apache.org/r1795814
+---
+ java/org/apache/catalina/filters/CorsFilter.java | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/java/org/apache/catalina/filters/CorsFilter.java b/java/org/apache/catalina/filters/CorsFilter.java
+index fcb8d2d..03ef78d 100644
+--- a/java/org/apache/catalina/filters/CorsFilter.java
++++ b/java/org/apache/catalina/filters/CorsFilter.java
+@@ -286,6 +286,10 @@ public class CorsFilter implements Filter {
+ exposedHeadersString);
+ }
+
++ // Indicate the response depends on the origin
++ response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
++ CorsFilter.REQUEST_HEADER_ORIGIN);
++
+ // Forward the request down the filter chain.
+ filterChain.doFilter(request, response);
+ }
+@@ -981,6 +985,13 @@ public class CorsFilter implements Filter {
+ "Access-Control-Allow-Headers";
+
+ // -------------------------------------------------- CORS Request Headers
++
++ /**
++ * The Vary header indicates allows disabling proxy caching by indicating
++ * the the response depends on the origin.
++ */
++ public static final String REQUEST_HEADER_VARY = "Vary";
++
+ /**
+ * The Origin header indicates where the cross-origin request or preflight
+ * request originates from.
diff --git a/debian/patches/CVE-2017-7675.patch b/debian/patches/CVE-2017-7675.patch
new file mode 100644
index 0000000..19e1e4a
--- /dev/null
+++ b/debian/patches/CVE-2017-7675.patch
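Review bot: The Javadoc on the new REQUEST_HEADER_VARY constant is garbled (`indicates allows disabling proxy caching by indicating the the response`); suggest `The Vary header allows disabling proxy caching by indicating that the response depends on the origin.` Vary is a response header, yet the constant carries the REQUEST_ prefix and is filed under the "CORS Request Headers" section of the class, so a RESPONSE_HEADER_VARY constant in the response-header section would read correctly. The header is only added in the hunk at line 286, immediately before `filterChain.doFilter`; if the preflight and non-CORS code paths (outside this hunk) do not also set it, a shared cache can still store a response that lacks Vary and serve it to a later request with a different Origin, so the same `response.addHeader(...)` line should be considered for those paths as well. The method containing the first hunk starts and ends outside the hunk.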
@@ -0,0 +1,153 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sat, 2 Sep 2017 15:03:42 +0200
+Subject: CVE-2017-7675
+
+Bug-Debian: https://bugs.debian.org/802312
+Origin: http://svn.apache.org/r1796091
+---
+ java/org/apache/coyote/http2/Stream.java | 15 +++--
+ test/org/apache/coyote/http2/TestStream.java | 97 ++++++++++++++++++++++++++++
+ 2 files changed, 105 insertions(+), 7 deletions(-)
+ create mode 100644 test/org/apache/coyote/http2/TestStream.java
+
+diff --git a/java/org/apache/coyote/http2/Stream.java b/java/org/apache/coyote/http2/Stream.java
+index 2e3ff88..dfe4daa 100644
+--- a/java/org/apache/coyote/http2/Stream.java
++++ b/java/org/apache/coyote/http2/Stream.java
+@@ -18,6 +18,7 @@ package org.apache.coyote.http2;
+
+ import java.io.IOException;
+ import java.nio.ByteBuffer;
++import java.nio.charset.StandardCharsets;
+ import java.security.AccessController;
+ import java.security.PrivilegedActionException;
+ import java.security.PrivilegedExceptionAction;
+@@ -307,18 +308,18 @@ public class Stream extends AbstractStream implements HeaderEmitter {
+ getConnectionId(), getIdentifier()));
+ }
+ int queryStart = value.indexOf('?');
++ String uri;
+ if (queryStart == -1) {
+- coyoteRequest.requestURI().setString(value);
+- coyoteRequest.decodedURI().setString(
+- coyoteRequest.getURLDecoder().convert(value, false));
++ uri = value;
+ } else {
+- String uri = value.substring(0, queryStart);
++ uri = value.substring(0, queryStart);
+ String query = value.substring(queryStart + 1);
+- coyoteRequest.requestURI().setString(uri);
+- coyoteRequest.decodedURI().setString(
+- coyoteRequest.getURLDecoder().convert(uri, false));
+ coyoteRequest.queryString().setString(query);
+ }
++ // Bug 61120.
Set the URI as bytes rather than String so any path
++ // parameters are correctly processed
++ byte[] uriBytes = uri.getBytes(StandardCharsets.ISO_8859_1);
++ coyoteRequest.requestURI().setBytes(uriBytes, 0, uriBytes.length);
+ break;
+ }
+ case ":authority": {
+diff --git a/test/org/apache/coyote/http2/TestStream.java b/test/org/apache/coyote/http2/TestStream.java
+new file mode 100644
+index 0000000..52ff016
+--- /dev/null
++++ b/test/org/apache/coyote/http2/TestStream.java
+@@ -0,0 +1,97 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.coyote.http2;
++
++import java.io.IOException;
++import java.nio.ByteBuffer;
++
++import javax.servlet.ServletException;
++import javax.servlet.http.HttpServlet;
++import javax.servlet.http.HttpServletRequest;
++import javax.servlet.http.HttpServletResponse;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++import org.apache.catalina.Context;
++import org.apache.catalina.startup.Tomcat;
++
++public class TestStream extends Http2TestBase {
++
++ /*
++ * https://bz.apache.org/bugzilla/show_bug.cgi?id=61120
++ */
++ @Test
++ public void testPathParam() throws Exception {
++
++ enableHttp2();
++
++ Tomcat tomcat = getTomcatInstance();
++
++ Context ctxt = tomcat.addContext("", null);
++ Tomcat.addServlet(ctxt, "simple", new SimpleServlet());
++ ctxt.addServletMappingDecoded("/simple", "simple");
++ Tomcat.addServlet(ctxt, "pathparam", new PathParam());
++ ctxt.addServletMappingDecoded("/pathparam", "pathparam");
++
++ tomcat.start();
++
++ openClientConnection();
++ doHttpUpgrade();
++ sendClientPreface();
++ validateHttp2InitialResponse();
++
++ byte[] frameHeader = new byte[9];
++ ByteBuffer headersPayload = ByteBuffer.allocate(128);
++ buildGetRequest(frameHeader, headersPayload, null, 3,
++ "/pathparam;jsessionid=" + PathParam.EXPECTED_SESSION_ID);
++ writeFrame(frameHeader, headersPayload);
++
++ readSimpleGetResponse();
++
++ Assert.assertEquals(
++ "3-HeadersStart\n" +
++ "3-Header-[:status]-[200]\n" +
++ "3-Header-[content-type]-[text/plain;charset=UTF-8]\n" +
++ "3-Header-[date]-[Wed, 11 Nov 2015 19:18:42 GMT]\n" +
++ "3-HeadersEnd\n" +
++ "3-Body-2\n" +
++ "3-EndOfStream\n", output.getTrace());
++ }
++
++
++ private static final class PathParam extends HttpServlet {
++
++ private static final long serialVersionUID = 1L;
++
++ public static final String EXPECTED_SESSION_ID = "0123456789ABCDEF";
++
++ @Override
++ protected void doGet(HttpServletRequest request, HttpServletResponse response)
++ throws ServletException,
IOException {
++
++ response.setContentType("text/plain");
++ response.setCharacterEncoding("UTF-8");
++
++ if (EXPECTED_SESSION_ID.equals(request.getRequestedSessionId())) {
++ response.getWriter().write("OK");
++ } else {
++ response.getWriter().write("FAIL");
++ }
++ }
++ }
++}
diff --git a/debian/patches/series b/debian/patches/series
index fe0ccae..d67efd9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,5 @@
0019-add-distribution-to-error-page.patch
0021-dont-test-unsupported-ciphers.patch
CVE-2017-5664.patch
+CVE-2017-7674.patch
+CVE-2017-7675.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git
_______________________________________________ pkg-java-commits mailing list pkg-java-comm...@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
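Review bot: The new comment in Stream.java (`// Bug 61120. Set the URI as bytes rather than String so any path parameters are correctly processed`) explains only the path-parameter motive, while the removed lines show that decodedURI is deliberately no longer populated here, and a later maintainer could reinstate it without noticing the consequence. Suggest extending the comment to state that decodedURI is intentionally left unset so the adapter applies the same decoding and normalisation checks it applies to HTTP/1.1 requests — presumably the reason the security constraints could be bypassed, to be confirmed against the adapter code. Encoding with `ISO_8859_1` silently replaces any non-Latin-1 character in the :path value with '?'; if the HPACK decoder already restricts the value to that range this is fine, otherwise rejecting such a value would be safer than mangling it. The added TestStream covers only the jsessionid path-parameter case and not a request to a security-constrained resource, so the CVE fix itself carries no regression test in this patch. The `case ":path":` block starts and ends outside the hunk.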