Author: jamespage-guest Date: 2011-09-15 08:29:14 +0000 (Thu, 15 Sep 2011) New Revision: 14906
Added: trunk/tomcat6/debian/patches/0013-CVE-2011-3190.patch Modified: trunk/tomcat6/debian/changelog trunk/tomcat6/debian/patches/series Log: Added patch for CVE-2011-3190 (LP: #843701). Modified: trunk/tomcat6/debian/changelog =================================================================== --- trunk/tomcat6/debian/changelog 2011-09-15 08:18:54 UTC (rev 14905) +++ trunk/tomcat6/debian/changelog 2011-09-15 08:29:14 UTC (rev 14906) @@ -10,6 +10,9 @@ [ Niels Thykier ] * Removed myself from uploaders. + [ James Page ] + * Added patch for CVE-2011-3190 (LP: #843701). + -- tony mancill <tmanc...@debian.org> Sun, 14 Aug 2011 08:20:45 -0700 tomcat6 (6.0.32-5) unstable; urgency=low Added: trunk/tomcat6/debian/patches/0013-CVE-2011-3190.patch =================================================================== --- trunk/tomcat6/debian/patches/0013-CVE-2011-3190.patch (rev 0) +++ trunk/tomcat6/debian/patches/0013-CVE-2011-3190.patch 2011-09-15 08:29:14 UTC (rev 14906) @@ -0,0 +1,72 @@ +Description: [PATCH] Fix CVE-2011-3190 Fix + https://issues.apache.org/bugzilla/show_bug.cgi?id=51698 + Prevent AJP request forgery via unread request body packet +Origin: https://github.com/apache/tomcat60/commit/1a04877e07c8ac9f924b130cbc372a11c273de66 + +Index: tomcat6/java/org/apache/coyote/ajp/AjpAprProcessor.java +=================================================================== +--- tomcat6.orig/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-09-08 14:25:11.619833000 +0100 ++++ tomcat6/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-09-08 14:44:12.771697501 +0100 +@@ -390,11 +390,13 @@ + } + continue; + } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) { +- // Usually the servlet didn't read the previous request body +- if(log.isDebugEnabled()) { +- log.debug("Unexpected message: "+type); ++ // Unexpected packet type. Unread body packets should have ++ // been swallowed in finish(). ++ if (log.isDebugEnabled()) { ++ log.debug("Unexpected message: " + type); + } +- continue; ++ error = true; ++ break; + } + + keptAlive = true; +@@ -1033,6 +1035,11 @@ + + finished = true; + ++ // Swallow the unread body packet if present ++ if (first && request.getContentLengthLong() > 0) { ++ receive(); ++ } ++ + // Add the end message + if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) { + flush(); +Index: tomcat6/java/org/apache/coyote/ajp/AjpProcessor.java +=================================================================== +--- tomcat6.orig/java/org/apache/coyote/ajp/AjpProcessor.java 2011-09-08 14:25:11.619833000 +0100 ++++ tomcat6/java/org/apache/coyote/ajp/AjpProcessor.java 2011-09-08 14:44:12.771697501 +0100 +@@ -408,11 +408,13 @@ + } + continue; + } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) { +- // Usually the servlet didn't read the previous request body +- if(log.isDebugEnabled()) { +- log.debug("Unexpected message: "+type); ++ // Unexpected packet type. Unread body packets should have ++ // been swallowed in finish(). ++ if (log.isDebugEnabled()) { ++ log.debug("Unexpected message: " + type); + } +- continue; ++ error = true; ++ break; + } + + request.setStartTime(System.currentTimeMillis()); +@@ -1038,6 +1040,11 @@ + + finished = true; + ++ // Swallow the unread body packet if present ++ if (first && request.getContentLengthLong() > 0) { ++ receive(); ++ } ++ + // Add the end message + output.write(endMessageArray); Modified: trunk/tomcat6/debian/patches/series =================================================================== --- trunk/tomcat6/debian/patches/series 2011-09-15 08:18:54 UTC (rev 14905) +++ trunk/tomcat6/debian/patches/series 2011-09-15 08:29:14 UTC (rev 14906) @@ -9,3 +9,4 @@ 0010-Use-java.security.policy-file-in-catalina.sh.patch 0011-623242.patch 0012-CVE-2011-2204.patch +0013-CVE-2011-3190.patch _______________________________________________ pkg-java-commits mailing list pkg-java-comm...@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits