[tomcat7] 01/01: Add security patches for +deb8u2
Markus Koschany
apo-guest at moszumanska.debian.org
Mon Mar 28 15:14:15 UTC 2016
This is an automated email from the git hooks/post-receive script.
apo-guest pushed a commit to branch jessie
in repository tomcat7.
commit 3db3a3938950a9f8827ac0f90c109e04c2720328
Author: Markus Koschany <apo at debian.org>
Date: Mon Mar 28 17:13:57 2016 +0200
Add security patches for +deb8u2
---
debian/changelog | 47 ++++
debian/patches/CVE-2015-5174.patch | 256 ++++++++++++++++++
debian/patches/CVE-2015-5345.patch | 313 +++++++++++++++++++++
debian/patches/CVE-2015-5346.patch | 98 +++++++
debian/patches/CVE-2015-5351.patch | 116 ++++++++
debian/patches/CVE-2016-0706.patch | 40 +++
debian/patches/CVE-2016-0714.patch | 542 +++++++++++++++++++++++++++++++++++++
debian/patches/CVE-2016-0763.patch | 49 ++++
debian/patches/series | 7 +
9 files changed, 1468 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index de80e87..1f4ac1d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,50 @@
+tomcat7 (7.0.56-3+deb8u2) jessie-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2015-5174:
+ Directory traversal vulnerability in RequestUtil.java allows remote
+ authenticated users to bypass intended SecurityManager restrictions and
+ list a parent directory via a /.. (slash dot dot) in a pathname used by a
+ web application in a getResource, getResourceAsStream, or getResourcePaths
+ call, as demonstrated by the $CATALINA_BASE/webapps directory.
+ * Fix CVE-2015-5345:
+ The Mapper component in Apache Tomcat processes redirects before
+ considering security constraints and Filters, which allows remote attackers
+ to determine the existence of a directory via a URL that lacks a trailing /
+ (slash) character.
+ * Fix CVE-2015-5346:
+ Session fixation vulnerability in Apache Tomcat when different session
+ settings are used for deployments of multiple versions of the same web
+ application, might allow remote attackers to hijack web sessions by
+ leveraging use of a requestedSessionSSL field for an unintended request,
+ related to CoyoteAdapter.java and Request.java.
+ * Fix CVE-2015-5351:
+ The Manager and Host Manager applications in Apache Tomcat establish
+ sessions and send CSRF tokens for arbitrary new requests, which allows
+ remote attackers to bypass a CSRF protection mechanism by using a token.
+ * Fix CVE-2016-0706:
+ Apache Tomcat does not place
+ org.apache.catalina.manager.StatusManagerServlet on the
+ org/apache/catalina/core/RestrictedServlets.properties list, which allows
+ remote authenticated users to bypass intended SecurityManager restrictions
+ and read arbitrary HTTP requests, and consequently discover session ID
+ values, via a crafted web application.
+ * Fix CVE-2016-0714:
+ The session-persistence implementation in Apache Tomcat mishandles session
+ attributes, which allows remote authenticated users to bypass intended
+ SecurityManager restrictions and execute arbitrary code in a privileged
+ context via a web application that places a crafted object in a session.
+ * Fix CVE-2016-0763:
+ The setGlobalContext method in
+ org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
+ not consider whether ResourceLinkFactory.setGlobalContext callers are
+ authorized, which allows remote authenticated users to bypass intended
+ SecurityManager restrictions and read or write to arbitrary application
+ data, or cause a denial of service (application disruption), via a web
+ application that sets a crafted global context.
+
+ -- Markus Koschany <apo at debian.org> Sun, 27 Mar 2016 21:09:35 +0200
+
tomcat7 (7.0.56-3+deb8u1) jessie-security; urgency=medium
* Fixed CVE-2014-7810: Malicious web applications could use expression
diff --git a/debian/patches/CVE-2015-5174.patch b/debian/patches/CVE-2015-5174.patch
new file mode 100644
index 0000000..1ac046d
--- /dev/null
+++ b/debian/patches/CVE-2015-5174.patch
@@ -0,0 +1,256 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Mar 2016 20:37:02 +0200
+Subject: CVE-2015-5174
+
+Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x
+before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote
+authenticated users to bypass intended SecurityManager restrictions and list a
+parent directory via a /.. (slash dot dot) in a pathname used by a web
+application in a getResource, getResourceAsStream, or getResourcePaths call, as
+demonstrated by the $CATALINA_BASE/webapps directory.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1696284
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1700898
+---
+ java/org/apache/tomcat/util/http/RequestUtil.java | 45 ++++++----
+ .../apache/tomcat/util/http/TestRequestUtil.java | 100 +++++++++++++++++++--
+ webapps/docs/changelog.xml | 11 +++
+ 3 files changed, 135 insertions(+), 21 deletions(-)
+
+diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java b/java/org/apache/tomcat/util/http/RequestUtil.java
+index ebe4f34..1ee4bca 100644
+--- a/java/org/apache/tomcat/util/http/RequestUtil.java
++++ b/java/org/apache/tomcat/util/http/RequestUtil.java
+@@ -30,6 +30,9 @@ public class RequestUtil {
+ * try to perform security checks for malicious input.
+ *
+ * @param path Relative path to be normalized
++ *
++ * @return The normalized path or <code>null</code> of the path cannot be
++ * normalized
+ */
+ public static String normalize(String path) {
+ return normalize(path, true);
+@@ -44,11 +47,15 @@ public class RequestUtil {
+ *
+ * @param path Relative path to be normalized
+ * @param replaceBackSlash Should '\\' be replaced with '/'
++ *
++ * @return The normalized path or <code>null</code> of the path cannot be
++ * normalized
+ */
+ public static String normalize(String path, boolean replaceBackSlash) {
+
+- if (path == null)
++ if (path == null) {
+ return null;
++ }
+
+ // Create a place for the normalized path
+ String normalized = path;
+@@ -56,9 +63,6 @@ public class RequestUtil {
+ if (replaceBackSlash && normalized.indexOf('\\') >= 0)
+ normalized = normalized.replace('\\', '/');
+
+- if (normalized.equals("/."))
+- return "/";
+-
+ // Add a leading "/" if necessary
+ if (!normalized.startsWith("/"))
+ normalized = "/" + normalized;
+@@ -66,34 +70,43 @@ public class RequestUtil {
+ // Resolve occurrences of "//" in the normalized path
+ while (true) {
+ int index = normalized.indexOf("//");
+- if (index < 0)
++ if (index < 0) {
+ break;
+- normalized = normalized.substring(0, index) +
+- normalized.substring(index + 1);
++ }
++ normalized = normalized.substring(0, index) + normalized.substring(index + 1);
+ }
+
+ // Resolve occurrences of "/./" in the normalized path
+ while (true) {
+ int index = normalized.indexOf("/./");
+- if (index < 0)
++ if (index < 0) {
+ break;
+- normalized = normalized.substring(0, index) +
+- normalized.substring(index + 2);
++ }
++ normalized = normalized.substring(0, index) + normalized.substring(index + 2);
+ }
+
+ // Resolve occurrences of "/../" in the normalized path
+ while (true) {
+ int index = normalized.indexOf("/../");
+- if (index < 0)
++ if (index < 0) {
+ break;
+- if (index == 0)
+- return (null); // Trying to go outside our context
++ }
++ if (index == 0) {
++ return null; // Trying to go outside our context
++ }
+ int index2 = normalized.lastIndexOf('/', index - 1);
+- normalized = normalized.substring(0, index2) +
+- normalized.substring(index + 3);
++ normalized = normalized.substring(0, index2) + normalized.substring(index + 3);
++ }
++
++ if (normalized.equals("/.")) {
++ return "/";
++ }
++
++ if (normalized.equals("/..")) {
++ return null; // Trying to go outside our context
+ }
+
+ // Return the normalized path that we have completed
+- return (normalized);
++ return normalized;
+ }
+ }
+diff --git a/test/org/apache/tomcat/util/http/TestRequestUtil.java b/test/org/apache/tomcat/util/http/TestRequestUtil.java
+index fe3115f..f50098c 100644
+--- a/test/org/apache/tomcat/util/http/TestRequestUtil.java
++++ b/test/org/apache/tomcat/util/http/TestRequestUtil.java
+@@ -23,11 +23,101 @@ import org.junit.Test;
+ public class TestRequestUtil {
+
+ @Test
+- public void testNormalizeString() {
+- assertEquals("/something",RequestUtil.normalize("//something"));
+- assertEquals("/some/thing",RequestUtil.normalize("some//thing"));
+- assertEquals("/something/",RequestUtil.normalize("something//"));
+- assertEquals("/",RequestUtil.normalize("//"));
++ public void testNormalize01() {
++ doTestNormalize("//something", "/something");
+ }
+
++ @Test
++ public void testNormalize02() {
++ doTestNormalize("some//thing", "/some/thing");
++ }
++
++ @Test
++ public void testNormalize03() {
++ doTestNormalize("something//", "/something/");
++ }
++
++ @Test
++ public void testNormalize04() {
++ doTestNormalize("//", "/");
++ }
++
++ @Test
++ public void testNormalize05() {
++ doTestNormalize("//", "/");
++ }
++
++ @Test
++ public void testNormalize06() {
++ doTestNormalize("///", "/");
++ }
++
++ @Test
++ public void testNormalize07() {
++ doTestNormalize("////", "/");
++ }
++
++ @Test
++ public void testNormalize08() {
++ doTestNormalize("/.", "/");
++ }
++
++ @Test
++ public void testNormalize09() {
++ doTestNormalize("/./", "/");
++ }
++
++ @Test
++ public void testNormalize10() {
++ doTestNormalize(".", "/");
++ }
++
++ @Test
++ public void testNormalize11() {
++ doTestNormalize("/..", null);
++ }
++
++ @Test
++ public void testNormalize12() {
++ doTestNormalize("/../", null);
++ }
++
++ @Test
++ public void testNormalize13() {
++ doTestNormalize("..", null);
++ }
++
++ @Test
++ public void testNormalize14() {
++ doTestNormalize("//..", null);
++ }
++
++ @Test
++ public void testNormalize15() {
++ doTestNormalize("//../", null);
++ }
++
++ @Test
++ public void testNormalize16() {
++ doTestNormalize("/./..", null);
++ }
++
++ @Test
++ public void testNormalize17() {
++ doTestNormalize("/./../", null);
++ }
++
++ @Test
++ public void testNormalize18() {
++ doTestNormalize("/a/../..", null);
++ }
++
++ @Test
++ public void testNormalize19() {
++ doTestNormalize("/a/../../", null);
++ }
++
++ private void doTestNormalize(String input, String expected) {
++ assertEquals(expected,RequestUtil.normalize(input));
++ }
+ }
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index dcea7bc..3c02dab 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -4865,6 +4865,10 @@
+ described in the bug is invalid since it breaks the EL specification.
+ (markt)
+ </fix>
++ <fix>
++ Correct a coupe of edge cases in <code>RequestUtil.normalize()</code>.
++ (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Cluster">
+@@ -4874,6 +4878,13 @@
+ </fix>
+ </changelog>
+ </subsection>
++ <subsection name="Coyote">
++ <changelog>
++ <fix>
++ Correct some edge cases in <code>RequestUtil.normalize()</code>. (markt)
++ </fix>
++ </changelog>
++ </subsection>
+ <subsection name="Web applications">
+ <changelog>
+ <fix>
diff --git a/debian/patches/CVE-2015-5345.patch b/debian/patches/CVE-2015-5345.patch
new file mode 100644
index 0000000..c298b6d
--- /dev/null
+++ b/debian/patches/CVE-2015-5345.patch
@@ -0,0 +1,313 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Mar 2016 20:37:30 +0200
+Subject: CVE-2015-5345
+
+---
+ .../catalina/authenticator/FormAuthenticator.java | 14 ++++++++
+ java/org/apache/catalina/core/StandardContext.java | 37 ++++++++++++++++++++--
+ .../apache/catalina/core/mbeans-descriptors.xml | 8 +++++
+ .../apache/catalina/servlets/DefaultServlet.java | 28 +++++++++++++++-
+ .../apache/catalina/servlets/WebdavServlet.java | 5 +++
+ .../org/apache/tomcat/util/http/mapper/Mapper.java | 21 ++++++------
+ .../apache/catalina/startup/TomcatBaseTest.java | 3 +-
+ webapps/docs/changelog.xml | 10 ++++++
+ webapps/docs/config/context.xml | 16 ++++++++++
+ 9 files changed, 126 insertions(+), 16 deletions(-)
+
+diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
+index a6846d0..d7e9eb5 100644
+--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
++++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
+@@ -263,6 +263,20 @@ public class FormAuthenticator
+
+ // No -- Save this request and redirect to the form login page
+ if (!loginAction) {
++ // If this request was to the root of the context without a trailing
++ // '/', need to redirect to add it else the submit of the login form
++ // may not go to the correct web application
++ if (request.getServletPath().length() == 0 && request.getPathInfo() == null) {
++ StringBuilder location = new StringBuilder(requestURI);
++ location.append('/');
++ if (request.getQueryString() != null) {
++ location.append('?');
++ location.append(request.getQueryString());
++ }
++ response.sendRedirect(response.encodeRedirectURL(location.toString()));
++ return false;
++ }
++
+ session = request.getSessionInternal(true);
+ if (log.isDebugEnabled()) {
+ log.debug("Save request in session '" + session.getIdInternal() + "'");
+diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java
+index dac9ef9..40043f7 100644
+--- a/java/org/apache/catalina/core/StandardContext.java
++++ b/java/org/apache/catalina/core/StandardContext.java
+@@ -896,8 +896,41 @@ public class StandardContext extends ContainerBase
+ private Boolean failCtxIfServletStartFails;
+
+
++ boolean mapperContextRootRedirectEnabled = false;
++
++ boolean mapperDirectoryRedirectEnabled = false;
++
+ // ----------------------------------------------------- Context Properties
+-
++
++ public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
++ this.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled;
++ }
++
++
++ /**
++ * {@inheritDoc}
++ * <p>
++ * The default value for this implementation is {@code false}.
++ */
++ public boolean getMapperContextRootRedirectEnabled() {
++ return mapperContextRootRedirectEnabled;
++ }
++
++
++ public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
++ this.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled;
++ }
++
++
++ /**
++ * {@inheritDoc}
++ * <p>
++ * The default value for this implementation is {@code false}.
++ */
++ public boolean getMapperDirectoryRedirectEnabled() {
++ return mapperDirectoryRedirectEnabled;
++ }
++
+ @Override
+ public void setContainerSciFilter(String containerSciFilter) {
+ this.containerSciFilter = containerSciFilter;
+@@ -1091,7 +1124,7 @@ public class StandardContext extends ContainerBase
+ this.instanceManager = instanceManager;
+ }
+
+-
++
+ @Override
+ public String getEncodedPath() {
+ return encodedPath;
+diff --git a/java/org/apache/catalina/core/mbeans-descriptors.xml b/java/org/apache/catalina/core/mbeans-descriptors.xml
+index b4a5845..7f3b776 100644
+--- a/java/org/apache/catalina/core/mbeans-descriptors.xml
++++ b/java/org/apache/catalina/core/mbeans-descriptors.xml
+@@ -221,6 +221,14 @@
+ description="The object used for mapping"
+ type="java.lang.Object"/>
+
++ <attribute name="mapperContextRootRedirectEnabled"
++ description="Should the Mapper be used for context root redirects"
++ type="boolean" />
++
++ <attribute name="mapperDirectoryRedirectEnabled"
++ description="Should the Mapper be used for directory redirects"
++ type="boolean" />
++
+ <attribute name="namingContextListener"
+ description="Associated naming context listener."
+ type="org.apache.catalina.core.NamingContextListener" />
+diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
+index 8be47b3..0ed549c 100644
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -373,6 +373,10 @@ public class DefaultServlet
+ * @param request The servlet request we are processing
+ */
+ protected String getRelativePath(HttpServletRequest request) {
++ return getRelativePath(request, false);
++ }
++
++ protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
+ // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
+ // serves resources from the web app root with context rooted paths.
+ // i.e. it can not be used to mount the web app root under a sub-path
+@@ -782,7 +786,8 @@ public class DefaultServlet
+ boolean serveContent = content;
+
+ // Identify the requested resource path
+- String path = getRelativePath(request);
++ String path = getRelativePath(request, true);
++
+ if (debug > 0) {
+ if (serveContent)
+ log("DefaultServlet.serveResource: Serving resource '" +
+@@ -792,6 +797,12 @@ public class DefaultServlet
+ path + "' headers only");
+ }
+
++ if (path.length() == 0) {
++ // Context root redirect
++ doDirectoryRedirect(request, response);
++ return;
++ }
++
+ CacheEntry cacheEntry = resources.lookupCache(path);
+
+ if (!cacheEntry.exists) {
+@@ -860,6 +871,11 @@ public class DefaultServlet
+
+ if (cacheEntry.context != null) {
+
++ if (!path.endsWith("/")) {
++ doDirectoryRedirect(request, response);
++ return;
++ }
++
+ // Skip directory listings if we have been configured to
+ // suppress them
+ if (!listings) {
+@@ -1067,6 +1083,16 @@ public class DefaultServlet
+
+ }
+
++ private void doDirectoryRedirect(HttpServletRequest request, HttpServletResponse response)
++ throws IOException {
++ StringBuilder location = new StringBuilder(request.getRequestURI());
++ location.append('/');
++ if (request.getQueryString() != null) {
++ location.append('?');
++ location.append(request.getQueryString());
++ }
++ response.sendRedirect(response.encodeRedirectURL(location.toString()));
++ }
+
+ /**
+ * Parse the content-range header.
+diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
+index 6ced423..7fe6064 100644
+--- a/java/org/apache/catalina/servlets/WebdavServlet.java
++++ b/java/org/apache/catalina/servlets/WebdavServlet.java
+@@ -430,6 +430,11 @@ public class WebdavServlet
+ */
+ @Override
+ protected String getRelativePath(HttpServletRequest request) {
++ return getRelativePath(request, false);
++ }
++
++ @Override
++ protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
+ // Are we being processed by a RequestDispatcher.include()?
+ if (request.getAttribute(
+ RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
+diff --git a/java/org/apache/tomcat/util/http/mapper/Mapper.java b/java/org/apache/tomcat/util/http/mapper/Mapper.java
+index ef6e0b1..78adabe 100644
+--- a/java/org/apache/tomcat/util/http/mapper/Mapper.java
++++ b/java/org/apache/tomcat/util/http/mapper/Mapper.java
+@@ -856,20 +856,13 @@ public final class Mapper {
+
+ int pathOffset = path.getOffset();
+ int pathEnd = path.getEnd();
+- int servletPath = pathOffset;
+ boolean noServletPath = false;
+
+ int length = contextVersion.path.length();
+- if (length != (pathEnd - pathOffset)) {
+- servletPath = pathOffset + length;
+- } else {
++ if (length == (pathEnd - pathOffset)) {
+ noServletPath = true;
+- path.append('/');
+- pathOffset = path.getOffset();
+- pathEnd = path.getEnd();
+- servletPath = pathOffset+length;
+ }
+-
++ int servletPath = pathOffset + length;
+ path.setOffset(servletPath);
+
+ // Rule 1 -- Exact Match
+@@ -906,8 +899,10 @@ public final class Mapper {
+
+ if(mappingData.wrapper == null && noServletPath) {
+ // The path is empty, redirect to "/"
++ path.append('/');
++ pathEnd = path.getEnd();
+ mappingData.redirectPath.setChars
+- (path.getBuffer(), pathOffset, pathEnd-pathOffset);
++ (path.getBuffer(), pathOffset, pathEnd - pathOffset);
+ path.setEnd(pathEnd - 1);
+ return;
+ }
+@@ -1028,7 +1023,11 @@ public final class Mapper {
+ Object file = null;
+ String pathStr = path.toString();
+ try {
+- file = contextVersion.resources.lookup(pathStr);
++ if (pathStr.length() == 0) {
++ file = contextVersion.resources.lookup("/");
++ } else {
++ file = contextVersion.resources.lookup(pathStr);
++ }
+ } catch(NamingException nex) {
+ // Swallow, since someone else handles the 404
+ }
+diff --git a/test/org/apache/catalina/startup/TomcatBaseTest.java b/test/org/apache/catalina/startup/TomcatBaseTest.java
+index 7ad04ee..38ffd5b 100644
+--- a/test/org/apache/catalina/startup/TomcatBaseTest.java
++++ b/test/org/apache/catalina/startup/TomcatBaseTest.java
+@@ -231,8 +231,7 @@ public abstract class TomcatBaseTest extends LoggingBaseTest {
+ String method) throws IOException {
+
+ URL url = new URL(path);
+- HttpURLConnection connection =
+- (HttpURLConnection) url.openConnection();
++ HttpURLConnection connection = (HttpURLConnection) url.openConnection();
+ connection.setUseCaches(false);
+ connection.setReadTimeout(readTimeout);
+ connection.setRequestMethod(method);
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 3c02dab..3f77b6a 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -244,6 +244,16 @@
+ Fix a potential resource leak in JDTCompiler when checking wether
+ a resource is a package. Reported by Coverity Scan. (fschumacher)
+ </fix>
++ <add>
++ Move the functionality that provides redirects for context roots and
++ directories where a trailing <code>/</code> is added from the Mapper to
++ the <code>DefaultServlet</code>. This enables such requests to be
++ processed by any configured Valves and Filters before the redirect is
++ made. This behaviour is configurable via the
++ <code>mapperContextRootRedirectEnabled</code> and
++ <code>mapperDirectoryRedirectEnabled</code> attributes of the Context
++ which may be used to restore the previous behaviour. (markt)
++ </add>
+ </changelog>
+ </subsection>
+ <subsection name="WebSocket">
+diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml
+index 10b34f1..3679837 100644
+--- a/webapps/docs/config/context.xml
++++ b/webapps/docs/config/context.xml
+@@ -360,6 +360,22 @@
+ default value of <code>false</code> is used.</p>
+ </attribute>
+
++ <attribute name="mapperContextRootRedirectEnabled" required="false">
++ <p>If enabled, requests for a web application context root will be
++ redirected (adding a trailing slash) if necessary by the Mapper rather
++ than the default Servlet. This is more efficient but has the side effect
++ of confirming that the context path exists. If not specified, the
++ default value of <code>false</code> is used.</p>
++ </attribute>
++
++ <attribute name="mapperDirectoryRedirectEnabled" required="false">
++ <p>If enabled, requests for a web application directory will be
++ redirected (adding a trailing slash) if necessary by the Mapper rather
++ than the default Servlet. This is more efficient but has the side effect
++ of confirming that the directory is exists. If not specified, the
++ default value of <code>false</code> is used.</p>
++ </attribute>
++
+ <attribute name="override" required="false">
+ <p>Set to <code>true</code> to ignore any settings in both the global
+ or <a href="host.html">Host</a> default contexts. By default, settings
diff --git a/debian/patches/CVE-2015-5346.patch b/debian/patches/CVE-2015-5346.patch
new file mode 100644
index 0000000..9cd13f5
--- /dev/null
+++ b/debian/patches/CVE-2015-5346.patch
@@ -0,0 +1,98 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Mar 2016 20:40:42 +0200
+Subject: CVE-2015-5346
+
+Session fixation vulnerability in Apache Tomcat when different session settings
+are used for deployments of multiple versions of the same web application,
+might allow remote attackers to hijack web sessions by leveraging use of a
+requestedSessionSSL field for an unintended request, related to
+CoyoteAdapter.java and Request.java.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1713187
+---
+ .../apache/catalina/connector/CoyoteAdapter.java | 1 +
+ java/org/apache/catalina/connector/Request.java | 36 ++++++++++++----------
+ webapps/docs/changelog.xml | 4 +++
+ 3 files changed, 24 insertions(+), 17 deletions(-)
+
+diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java b/java/org/apache/catalina/connector/CoyoteAdapter.java
+index d47e01d..2dd52f9 100644
+--- a/java/org/apache/catalina/connector/CoyoteAdapter.java
++++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
+@@ -791,6 +791,7 @@ public class CoyoteAdapter implements Adapter {
+ // Reset mapping
+ request.getMappingData().recycle();
+ mapRequired = true;
++ request.recycleSessionInfo();
+ }
+ break;
+ }
+diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
+index 619885a..a99c75b 100644
+--- a/java/org/apache/catalina/connector/Request.java
++++ b/java/org/apache/catalina/connector/Request.java
+@@ -494,18 +494,7 @@ public class Request
+ notes.clear();
+ cookies = null;
+
+- if (session != null) {
+- try {
+- session.endAccess();
+- } catch (Throwable t) {
+- ExceptionUtils.handleThrowable(t);
+- log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t);
+- }
+- }
+- session = null;
+- requestedSessionCookie = false;
+- requestedSessionId = null;
+- requestedSessionURL = false;
++ recycleSessionInfo();
+
+ if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) {
+ parameterMap = new ParameterMap<String, String[]>();
+@@ -553,11 +542,24 @@ public class Request
+ }
+
+
+- /**
+- * Clear cached encoders (to save memory for Comet requests).
+- */
+- public boolean read()
+- throws IOException {
++ protected void recycleSessionInfo() {
++ if (session != null) {
++ try {
++ session.endAccess();
++ } catch (Throwable t) {
++ ExceptionUtils.handleThrowable(t);
++ log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t);
++ }
++ }
++ session = null;
++ requestedSessionCookie = false;
++ requestedSessionId = null;
++ requestedSessionURL = false;
++ requestedSessionSSL = false;
++ }
++
++
++ public boolean read() throws IOException {
+ return (inputBuffer.realReadBytes(null, 0, 0) > 0);
+ }
+
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 3f77b6a..8a2b878 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -350,6 +350,10 @@
+ creates a separate linked project that compiles websocket classes
+ of Tomcat 7 with Java 7 compiler. (kkolinko)
+ </fix>
++ <fix>
++ Handle the unlikely case where different versions of a web application
++ are deployed with different session settings. (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ </section>
diff --git a/debian/patches/CVE-2015-5351.patch b/debian/patches/CVE-2015-5351.patch
new file mode 100644
index 0000000..86a4a8c
--- /dev/null
+++ b/debian/patches/CVE-2015-5351.patch
@@ -0,0 +1,116 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Mar 2016 20:41:13 +0200
+Subject: CVE-2015-5351
+
+The Manager and Host Manager applications in Apache Tomcat establish
+sessions and send CSRF tokens for arbitrary new requests, which allows remote
+attackers to bypass a CSRF protection mechanism by using a token.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1720663
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1720661
+---
+ webapps/docs/changelog.xml | 7 +++++++
+ webapps/host-manager/WEB-INF/jsp/401.jsp | 1 +
+ webapps/host-manager/WEB-INF/jsp/403.jsp | 1 +
+ webapps/host-manager/WEB-INF/jsp/404.jsp | 3 ++-
+ webapps/host-manager/index.jsp | 4 ++--
+ webapps/manager/WEB-INF/web.xml | 1 -
+ webapps/manager/index.jsp | 4 ++--
+ 7 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 8a2b878..a97163d 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -354,6 +354,13 @@
+ Handle the unlikely case where different versions of a web application
+ are deployed with different session settings. (markt)
+ </fix>
++ <fix>
++ Don't create sessions unnecessarily in the Manager application. (markt)
++ </fix>
++ <fix>
++ Don't create sessions unnecessarily in the Host Manager application.
++ (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ </section>
+diff --git a/webapps/host-manager/WEB-INF/jsp/401.jsp b/webapps/host-manager/WEB-INF/jsp/401.jsp
+index 83c8c6f..047766b 100644
+--- a/webapps/host-manager/WEB-INF/jsp/401.jsp
++++ b/webapps/host-manager/WEB-INF/jsp/401.jsp
+@@ -14,6 +14,7 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --%>
++<%@ page session="false" trimDirectiveWhitespaces="true" %>
+ <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+ <html>
+ <head>
+diff --git a/webapps/host-manager/WEB-INF/jsp/403.jsp b/webapps/host-manager/WEB-INF/jsp/403.jsp
+index 2dbb448..5eff6f0 100644
+--- a/webapps/host-manager/WEB-INF/jsp/403.jsp
++++ b/webapps/host-manager/WEB-INF/jsp/403.jsp
+@@ -14,6 +14,7 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --%>
++<%@ page session="false" trimDirectiveWhitespaces="true" %>
+ <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+ <html>
+ <head>
+diff --git a/webapps/host-manager/WEB-INF/jsp/404.jsp b/webapps/host-manager/WEB-INF/jsp/404.jsp
+index d1b5b0b..9816df5 100644
+--- a/webapps/host-manager/WEB-INF/jsp/404.jsp
++++ b/webapps/host-manager/WEB-INF/jsp/404.jsp
+@@ -14,7 +14,8 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --%>
+-<%@ page import="org.apache.catalina.util.RequestUtil" %>
++<%@ page import="org.apache.catalina.util.RequestUtil" session="false"
++ trimDirectiveWhitespaces="true" %>
+ <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+ <html>
+ <head>
+diff --git a/webapps/host-manager/index.jsp b/webapps/host-manager/index.jsp
+index d4816e5..2806b76 100644
+--- a/webapps/host-manager/index.jsp
++++ b/webapps/host-manager/index.jsp
+@@ -14,5 +14,5 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --%>
+-<% response.sendRedirect(response.encodeRedirectURL(request.getContextPath() +
+- "/html")); %>
+\ No newline at end of file
++<%@ page session="false" trimDirectiveWhitespaces="true" %>
++<% response.sendRedirect(request.getContextPath() + "/html"); %>
+\ No newline at end of file
+diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml
+index 8fb7728..a47162e 100644
+--- a/webapps/manager/WEB-INF/web.xml
++++ b/webapps/manager/WEB-INF/web.xml
+@@ -116,7 +116,6 @@
+ <filter-mapping>
+ <filter-name>CSRF</filter-name>
+ <servlet-name>HTMLManager</servlet-name>
+- <servlet-name>jsp</servlet-name>
+ </filter-mapping>
+
+ <!-- Define a Security Constraint on this Application -->
+diff --git a/webapps/manager/index.jsp b/webapps/manager/index.jsp
+index d4816e5..ff4f47b 100644
+--- a/webapps/manager/index.jsp
++++ b/webapps/manager/index.jsp
+@@ -14,5 +14,5 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --%>
+-<% response.sendRedirect(response.encodeRedirectURL(request.getContextPath() +
+- "/html")); %>
+\ No newline at end of file
++<%@ page session="false" %>
++<% response.sendRedirect(request.getContextPath() + "/html"); %>
+\ No newline at end of file
diff --git a/debian/patches/CVE-2016-0706.patch b/debian/patches/CVE-2016-0706.patch
new file mode 100644
index 0000000..f0764a7
--- /dev/null
+++ b/debian/patches/CVE-2016-0706.patch
@@ -0,0 +1,40 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Mar 2016 20:41:41 +0200
+Subject: CVE-2016-0706
+
+Apache Tomcat does not place org.apache.catalina.manager.StatusManagerServlet
+on the org/apache/catalina/core/RestrictedServlets.properties list, which
+allows remote authenticated users to bypass intended SecurityManager
+restrictions and read arbitrary HTTP requests, and consequently discover
+session ID values, via a crafted web application.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1722801
+---
+ java/org/apache/catalina/core/RestrictedServlets.properties | 1 +
+ webapps/docs/changelog.xml | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/java/org/apache/catalina/core/RestrictedServlets.properties b/java/org/apache/catalina/core/RestrictedServlets.properties
+index d336968..cefa249 100644
+--- a/java/org/apache/catalina/core/RestrictedServlets.properties
++++ b/java/org/apache/catalina/core/RestrictedServlets.properties
+@@ -16,3 +16,4 @@
+ org.apache.catalina.ssi.SSIServlet=restricted
+ org.apache.catalina.servlets.CGIServlet=restricted
+ org.apache.catalina.manager.JMXProxyServlet=restricted
++org.apache.catalina.manager.StatusManagerServlet=restricted
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index a97163d..63b5662 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -361,6 +361,10 @@
+ Don't create sessions unnecessarily in the Host Manager application.
+ (markt)
+ </fix>
++ <fix>
++ Add the <code>StatusManagerServlet</code> to the list of Servlets that
++ can only be loaded by privileged applications. (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ </section>
diff --git a/debian/patches/CVE-2016-0714.patch b/debian/patches/CVE-2016-0714.patch
new file mode 100644
index 0000000..38b15cd
--- /dev/null
+++ b/debian/patches/CVE-2016-0714.patch
@@ -0,0 +1,542 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Mar 2016 20:42:05 +0200
+Subject: CVE-2016-0714
+
+The session-persistence implementation in Apache Tomcat mishandles session
+attributes, which allows remote authenticated users to bypass intended
+SecurityManager restrictions and execute arbitrary code in a privileged context
+via a web application that places a crafted object in a session.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1726923
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1727034
+---
+ .../catalina/ha/session/ClusterManagerBase.java | 2 +
+ .../catalina/ha/session/mbeans-descriptors.xml | 16 +++
+ .../catalina/session/LocalStrings.properties | 2 +
+ java/org/apache/catalina/session/ManagerBase.java | 156 ++++++++++++++++++++-
+ .../apache/catalina/session/StandardManager.java | 7 +-
+ .../apache/catalina/session/mbeans-descriptors.xml | 12 ++
+ .../catalina/util/CustomObjectInputStream.java | 69 ++++++++-
+ .../apache/catalina/util/LocalStrings.properties | 2 +
+ webapps/docs/changelog.xml | 8 ++
+ webapps/docs/config/cluster-manager.xml | 53 +++++++
+ 10 files changed, 320 insertions(+), 7 deletions(-)
+
+diff --git a/java/org/apache/catalina/ha/session/ClusterManagerBase.java b/java/org/apache/catalina/ha/session/ClusterManagerBase.java
+index 39437b3..65fc965 100644
+--- a/java/org/apache/catalina/ha/session/ClusterManagerBase.java
++++ b/java/org/apache/catalina/ha/session/ClusterManagerBase.java
+@@ -199,6 +199,8 @@ public abstract class ClusterManagerBase extends ManagerBase
+ copy.setProcessExpiresFrequency(getProcessExpiresFrequency());
+ copy.setNotifyListenersOnReplication(isNotifyListenersOnReplication());
+ copy.setSessionAttributeFilter(getSessionAttributeFilter());
++ copy.setSessionAttributeValueClassNameFilter(getSessionAttributeValueClassNameFilter());
++ copy.setWarnOnSessionAttributeFilterFailure(getWarnOnSessionAttributeFilterFailure());
+ copy.setSecureRandomClass(getSecureRandomClass());
+ copy.setSecureRandomProvider(getSecureRandomProvider());
+ copy.setSecureRandomAlgorithm(getSecureRandomAlgorithm());
+diff --git a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
+index bfdbe0d..adea9a7 100644
+--- a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
++++ b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
+@@ -562,6 +562,22 @@
+ name="secureRandomProvider"
+ description="The secure random number generator provider name"
+ type="java.lang.String"/>
++ <attribute
++ name="sessionAttributeValueClassNameFilter"
++ description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
++ type="java.lang.String"/>
++ <attribute
++ name="warnOnSessionAttributeFilterFailure"
++ description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
++ type="boolean"/>
++ <attribute
++ name="sessionAttributeValueClassNameFilter"
++ description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
++ type="java.lang.String"/>
++ <attribute
++ name="warnOnSessionAttributeFilterFailure"
++ description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
++ type="boolean"/>
+ <operation
+ name="expireSession"
+ description="Expired the given session"
+diff --git a/java/org/apache/catalina/session/LocalStrings.properties b/java/org/apache/catalina/session/LocalStrings.properties
+index 7db05d4..89a68dc 100644
+--- a/java/org/apache/catalina/session/LocalStrings.properties
++++ b/java/org/apache/catalina/session/LocalStrings.properties
+@@ -34,6 +34,8 @@ JDBCStore.missingDataSourceName=No valid JNDI name was given.
+ JDBCStore.commitSQLException=SQLException committing connection before closing
+ managerBase.createRandom=Created random number generator for session ID generation in {0}ms.
+ managerBase.createSession.ise=createSession: Too many active sessions
++managerBase.sessionAttributeNameFilter=Skipped session attribute named [{0}] because it did not match the name filter [{1}]
++managerBase.sessionAttributeValueClassNameFilter=Skipped session attribute named [{0}] because the value type [{1}] did not match the filter [{2}]
+ managerBase.sessionTimeout=Invalid session timeout setting {0}
+ serverSession.value.iae=null value
+ standardManager.expireException=processsExpire: Exception during session expiration
+diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
+index d7a30ac..e20c689 100644
+--- a/java/org/apache/catalina/session/ManagerBase.java
++++ b/java/org/apache/catalina/session/ManagerBase.java
+@@ -38,6 +38,7 @@ import java.util.concurrent.atomic.AtomicLong;
+ import org.apache.catalina.Container;
+ import org.apache.catalina.Context;
+ import org.apache.catalina.Engine;
++import org.apache.catalina.Globals;
+ import org.apache.catalina.LifecycleException;
+ import org.apache.catalina.Manager;
+ import org.apache.catalina.Session;
+@@ -47,6 +48,9 @@ import org.apache.catalina.util.SessionIdGenerator;
+ import org.apache.juli.logging.Log;
+ import org.apache.juli.logging.LogFactory;
+ import org.apache.tomcat.util.res.StringManager;
++import java.util.regex.Pattern;
++import java.util.regex.PatternSyntaxException;
++
+
+
+ /**
+@@ -211,10 +215,109 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+ */
+ protected final PropertyChangeSupport support =
+ new PropertyChangeSupport(this);
+-
++
++ // ------------------------------------------------------------- Constructors
++ public ManagerBase() {
++ if (Globals.IS_SECURITY_ENABLED) {
++ // Minimum set required for default distribution/persistence to work
++ // plus String
++ setSessionAttributeValueClassNameFilter(
++ "java\\.lang\\.(?:Boolean|Integer|Long|Number|String)");
++ setWarnOnSessionAttributeFilterFailure(true);
++ }
++ }
++
++
+
+ // ------------------------------------------------------------- Properties
+
++ private Pattern sessionAttributeNamePattern;
++
++ protected Pattern getSessionAttributeNamePattern() {
++ return sessionAttributeNamePattern;
++ }
++
++ /**
++ * Obtain the regular expression used to filter session attribute based on
++ * the implementation class of the value. The regular expression is anchored
++ * and must match the fully qualified class name.
++ *
++ * @return The regular expression currently used to filter class names.
++ * {@code null} means no filter is applied. If an empty string is
++ * specified then no names will match the filter and all attributes
++ * will be blocked.
++ */
++ public String getSessionAttributeValueClassNameFilter() {
++ if (sessionAttributeValueClassNamePattern == null) {
++ return null;
++ }
++ return sessionAttributeValueClassNamePattern.toString();
++ }
++
++
++ /**
++ * Provides {@link #getSessionAttributeValueClassNameFilter()} as a
++ * pre-compiled regular expression pattern.
++ *
++ * @return The pre-compiled pattern used to filter session attributes based
++ * on the implementation class name of the value. {@code null} means
++ * no filter is applied.
++ */
++ protected Pattern getSessionAttributeValueClassNamePattern() {
++ return sessionAttributeValueClassNamePattern;
++ }
++
++
++ /**
++ * Set the regular expression to use to filter classes used for session
++ * attributes. The regular expression is anchored and must match the fully
++ * qualified class name.
++ *
++ * @param sessionAttributeValueClassNameFilter The regular expression to use
++ * to filter session attributes based on class name. Use {@code
++ * null} if no filtering is required. If an empty string is
++ * specified then no names will match the filter and all
++ * attributes will be blocked.
++ *
++ * @throws PatternSyntaxException If the expression is not valid
++ */
++ public void setSessionAttributeValueClassNameFilter(String sessionAttributeValueClassNameFilter)
++ throws PatternSyntaxException {
++ if (sessionAttributeValueClassNameFilter == null ||
++ sessionAttributeValueClassNameFilter.length() == 0) {
++ sessionAttributeValueClassNamePattern = null;
++ } else {
++ sessionAttributeValueClassNamePattern =
++ Pattern.compile(sessionAttributeValueClassNameFilter);
++ }
++ }
++
++
++ /**
++ * Should a warn level log message be generated if a session attribute is
++ * not persisted / replicated / restored.
++ *
++ * @return {@code true} if a warn level log message should be generated
++ */
++ public boolean getWarnOnSessionAttributeFilterFailure() {
++ return warnOnSessionAttributeFilterFailure;
++ }
++
++
++ /**
++ * Configure whether or not a warn level log message should be generated if
++ * a session attribute is not persisted / replicated / restored.
++ *
++ * @param warnOnSessionAttributeFilterFailure {@code true} if the
++ * warn level message should be generated
++ *
++ */
++ public void setWarnOnSessionAttributeFilterFailure(
++ boolean warnOnSessionAttributeFilterFailure) {
++ this.warnOnSessionAttributeFilterFailure = warnOnSessionAttributeFilterFailure;
++ }
++
++
+ /**
+ * Return the Container with which this Manager is associated.
+ */
+@@ -225,6 +328,10 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+
+ }
+
++ private Pattern sessionAttributeValueClassNamePattern;
++
++ private boolean warnOnSessionAttributeFilterFailure;
++
+
+ /**
+ * Set the Container with which this Manager is associated.
+@@ -774,8 +881,51 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+ container.fireContainerEvent(Context.CHANGE_SESSION_ID_EVENT,
+ new String[] {oldId, newId});
+ }
+-
+-
++/**
++ * {@inheritDoc}
++ * <p>
++ * This implementation excludes session attributes from distribution if the:
++ * <ul>
++ * <li>attribute name matches {@link #getSessionAttributeNameFilter()}</li>
++ * </ul>
++ */
++ public boolean willAttributeDistribute(String name, Object value) {
++ Pattern sessionAttributeNamePattern = getSessionAttributeNamePattern();
++ if (sessionAttributeNamePattern != null) {
++ if (!sessionAttributeNamePattern.matcher(name).matches()) {
++ if (getWarnOnSessionAttributeFilterFailure() || log.isDebugEnabled()) {
++ String msg = sm.getString("managerBase.sessionAttributeNameFilter",
++ name, sessionAttributeNamePattern);
++ if (getWarnOnSessionAttributeFilterFailure()) {
++ log.warn(msg);
++ } else {
++ log.debug(msg);
++ }
++ }
++ return false;
++ }
++ }
++
++ Pattern sessionAttributeValueClassNamePattern = getSessionAttributeValueClassNamePattern();
++ if (value != null && sessionAttributeValueClassNamePattern != null) {
++ if (!sessionAttributeValueClassNamePattern.matcher(
++ value.getClass().getName()).matches()) {
++ if (getWarnOnSessionAttributeFilterFailure() || log.isDebugEnabled()) {
++ String msg = sm.getString("managerBase.sessionAttributeValueClassNameFilter",
++ name, value.getClass().getName(), sessionAttributeNamePattern);
++ if (getWarnOnSessionAttributeFilterFailure()) {
++ log.warn(msg);
++ } else {
++ log.debug(msg);
++ }
++ }
++ return false;
++ }
++ }
++
++ return true;
++ }
++
+ // ------------------------------------------------------ Protected Methods
+
+
+diff --git a/java/org/apache/catalina/session/StandardManager.java b/java/org/apache/catalina/session/StandardManager.java
+index 0174094..e69b9ba 100644
+--- a/java/org/apache/catalina/session/StandardManager.java
++++ b/java/org/apache/catalina/session/StandardManager.java
+@@ -231,17 +231,20 @@ public class StandardManager extends ManagerBase {
+ ObjectInputStream ois = null;
+ Loader loader = null;
+ ClassLoader classLoader = null;
++ Log logger = null;
+ try {
+ fis = new FileInputStream(file.getAbsolutePath());
+ bis = new BufferedInputStream(fis);
+ if (container != null)
+- loader = container.getLoader();
++ logger = container.getLogger();
+ if (loader != null)
+ classLoader = loader.getClassLoader();
+ if (classLoader != null) {
+ if (log.isDebugEnabled())
+ log.debug("Creating custom object input stream for class loader ");
+- ois = new CustomObjectInputStream(bis, classLoader);
++ ois = new CustomObjectInputStream(bis, classLoader, logger,
++ getSessionAttributeValueClassNamePattern(),
++ getWarnOnSessionAttributeFilterFailure());
+ } else {
+ if (log.isDebugEnabled())
+ log.debug("Creating standard object input stream");
+diff --git a/java/org/apache/catalina/session/mbeans-descriptors.xml b/java/org/apache/catalina/session/mbeans-descriptors.xml
+index 16a90a0..0c65645 100644
+--- a/java/org/apache/catalina/session/mbeans-descriptors.xml
++++ b/java/org/apache/catalina/session/mbeans-descriptors.xml
+@@ -321,6 +321,18 @@
+ type="int"
+ writeable="false"/>
+
++ <attribute name="sessionAttributeNameFilter"
++ descritpion="The string pattern used for including session attributes in distribution. Null means all attributes are included."
++ type="java.lang.String"/>
++
++ <attribute name="sessionAttributeValueClassNameFilter"
++ description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
++ type="java.lang.String"/>
++
++ <attribute name="warnOnSessionAttributeFilterFailure"
++ description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
++ type="boolean"/>
++
+ <operation name="backgroundProcess"
+ description="Invalidate all sessions that have expired."
+ impact="ACTION"
+diff --git a/java/org/apache/catalina/util/CustomObjectInputStream.java b/java/org/apache/catalina/util/CustomObjectInputStream.java
+index 8074064..b837564 100644
+--- a/java/org/apache/catalina/util/CustomObjectInputStream.java
++++ b/java/org/apache/catalina/util/CustomObjectInputStream.java
+@@ -19,9 +19,18 @@ package org.apache.catalina.util;
+
+ import java.io.IOException;
+ import java.io.InputStream;
++import java.io.InvalidClassException;
+ import java.io.ObjectInputStream;
+ import java.io.ObjectStreamClass;
+ import java.lang.reflect.Proxy;
++import java.util.Collections;
++import java.util.Set;
++import java.util.WeakHashMap;
++import java.util.concurrent.ConcurrentHashMap;
++import java.util.regex.Pattern;
++
++import org.apache.juli.logging.Log;
++import org.apache.tomcat.util.res.StringManager;
+
+ /**
+ * Custom subclass of <code>ObjectInputStream</code> that loads from the
+@@ -35,14 +44,26 @@ public final class CustomObjectInputStream
+ extends ObjectInputStream {
+
+
++ private static final StringManager sm = StringManager.getManager("org.apache.catalina.util");
++
++ private static final WeakHashMap<ClassLoader, Set<String>> reportedClassCache =
++ new WeakHashMap<ClassLoader, Set<String>>();
++
+ /**
+ * The class loader we will use to resolve classes.
+ */
+ private ClassLoader classLoader = null;
++ private final Set<String> reportedClasses;
++ private final Log log;
++
++ private final Pattern allowedClassNamePattern;
++ private final String allowedClassNameFilter;
++ private final boolean warnOnFailure;
+
+
+ /**
+- * Construct a new instance of CustomObjectInputStream
++ * Construct a new instance of CustomObjectInputStream without any filtering
++ * of deserialized classes.
+ *
+ * @param stream The input stream we will read from
+ * @param classLoader The class loader used to instantiate objects
+@@ -53,8 +74,36 @@ public final class CustomObjectInputStream
+ ClassLoader classLoader)
+ throws IOException {
+
++ this(stream, classLoader, null, null, false);
++ }
++
++ public CustomObjectInputStream(InputStream stream, ClassLoader classLoader,
++ Log log, Pattern allowedClassNamePattern, boolean warnOnFailure)
++ throws IOException {
+ super(stream);
++ if (log == null && allowedClassNamePattern != null && warnOnFailure) {
++ throw new IllegalArgumentException(
++ sm.getString("customObjectInputStream.logRequired"));
++ }
+ this.classLoader = classLoader;
++ this.log = log;
++ this.allowedClassNamePattern = allowedClassNamePattern;
++ if (allowedClassNamePattern == null) {
++ this.allowedClassNameFilter = null;
++ } else {
++ this.allowedClassNameFilter = allowedClassNamePattern.toString();
++ }
++ this.warnOnFailure = warnOnFailure;
++
++ Set<String> reportedClasses;
++ synchronized (reportedClassCache) {
++ reportedClasses = reportedClassCache.get(classLoader);
++ if (reportedClasses == null) {
++ reportedClasses = Collections.newSetFromMap(new ConcurrentHashMap<String,Boolean>());
++ reportedClassCache.put(classLoader, reportedClasses);
++ }
++ }
++ this.reportedClasses = reportedClasses;
+ }
+
+
+@@ -70,8 +119,24 @@ public final class CustomObjectInputStream
+ @Override
+ public Class<?> resolveClass(ObjectStreamClass classDesc)
+ throws ClassNotFoundException, IOException {
++
++ String name = classDesc.getName();
++ if (allowedClassNamePattern != null) {
++ boolean allowed = allowedClassNamePattern.matcher(name).matches();
++ if (!allowed) {
++ boolean doLog = warnOnFailure && reportedClasses.add(name);
++ String msg = sm.getString("customObjectInputStream.nomatch", name, allowedClassNameFilter);
++ if (doLog) {
++ log.warn(msg);
++ } else if (log.isDebugEnabled()) {
++ log.debug(msg);
++ }
++ throw new InvalidClassException(msg);
++ }
++ }
++
+ try {
+- return Class.forName(classDesc.getName(), false, classLoader);
++ return Class.forName(name, false, classLoader);
+ } catch (ClassNotFoundException e) {
+ try {
+ // Try also the superclass because of primitive types
+diff --git a/java/org/apache/catalina/util/LocalStrings.properties b/java/org/apache/catalina/util/LocalStrings.properties
+index 012a9dd..ac37457 100644
+--- a/java/org/apache/catalina/util/LocalStrings.properties
++++ b/java/org/apache/catalina/util/LocalStrings.properties
+@@ -17,6 +17,8 @@ parameterMap.locked=No modifications are allowed to a locked ParameterMap
+ resourceSet.locked=No modifications are allowed to a locked ResourceSet
+ hexUtil.bad=Bad hexadecimal digit
+ hexUtil.odd=Odd number of hexadecimal digits
++customObjectInputStream.logRequired=A valid logger is required for class name filtering with logging
++customObjectInputStream.nomatch=The class [{0}] did not match the regular expression [{1}] for classes allowed to be deserialized
+ #Default Messages Utilized by the ExtensionValidator
+ extensionValidator.web-application-manifest=Web Application Manifest
+ extensionValidator.extension-not-found-error=ExtensionValidator[{0}][{1}]: Required extension [{2}] not found.
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 63b5662..def6a13 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -254,6 +254,14 @@
+ <code>mapperDirectoryRedirectEnabled</code> attributes of the Context
+ which may be used to restore the previous behaviour. (markt)
+ </add>
++ <add>
++ Extend the session attribute filtering options to include filtering
++ based on the implementation class of the value and optional
++ <code>WARN</code> level logging if an attribute is filtered. These
++ options are avaialble for all of the Manager implementations that ship
++ with Tomcat. When a <code>SecurityManager</code> is used filtering will
++ be enabled by default. (markt)
++ </add>
+ </changelog>
+ </subsection>
+ <subsection name="WebSocket">
+diff --git a/webapps/docs/config/cluster-manager.xml b/webapps/docs/config/cluster-manager.xml
+index 3f1cafc..6051985 100644
+--- a/webapps/docs/config/cluster-manager.xml
++++ b/webapps/docs/config/cluster-manager.xml
+@@ -165,6 +165,28 @@
+ Set to <code>true</code> if you wish to have container listeners notified
+ across Tomcat nodes in the cluster.
+ </attribute>
++ <attribute name="sessionAttributeNameFilter" required="false">
++ <p>A regular expression used to filter which session attributes will be
++ replicated. An attribute will only be replicated if its name matches
++ this pattern. If the pattern is zero length or <code>null</code>, all
++ attributes are eligible for replication. The pattern is anchored so the
++ session attribute name must fully match the pattern. As an example, the
++ value <code>(userName|sessionHistory)</code> will only replicate the
++ two session attributes named <code>userName</code> and
++ <code>sessionHistory</code>. If not specified, the default value of
++ <code>null</code> will be used unless a <code>SecurityManager</code> is
++ enabled in which case the default will be
++ <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p>
++ </attribute>
++ <attribute name="sessionAttributeValueClassNameFilter" required="false">
++ <p>A regular expression used to filter which session attributes will be
++ replicated. An attribute will only be replicated if the implementation
++ class name of the value matches this pattern. If the pattern is zero
++ length or <code>null</code>, all attributes are eligible for
++ replication. The pattern is anchored so the fully qualified class name
++ must fully match the pattern. If not specified, the default value of
++ <code>null</code> will be used.</p>
++ </attribute>
+ <attribute name="stateTransferTimeout" required="false">
+ The time in seconds to wait for a session state transfer to complete
+ from another node when a node is starting up.
+@@ -197,6 +219,37 @@
+ If set to <code>false</code>, all queued session messages are handled.
+ Default is <code>true</code>.
+ </attribute>
++ <attribute name="sessionAttributeNameFilter" required="false">
++ <p>A regular expression used to filter which session attributes will be
++ replicated. An attribute will only be replicated if its name matches
++ this pattern. If the pattern is zero length or <code>null</code>, all
++ attributes are eligible for replication. The pattern is anchored so the
++ session attribute name must fully match the pattern. As an example, the
++ value <code>(userName|sessionHistory)</code> will only replicate the
++ two session attributes named <code>userName</code> and
++ <code>sessionHistory</code>. If not specified, the default value of
++ <code>null</code> will be used.</p>
++ </attribute>
++ <attribute name="sessionAttributeValueClassNameFilter" required="false">
++ <p>A regular expression used to filter which session attributes will be
++ replicated. An attribute will only be replicated if the implementation
++ class name of the value matches this pattern. If the pattern is zero
++ length or <code>null</code>, all attributes are eligible for
++ replication. The pattern is anchored so the fully qualified class name
++ must fully match the pattern. If not specified, the default value of
++ <code>null</code> will be used unless a <code>SecurityManager</code> is
++ enabled in which case the default will be
++ <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p>
++ </attribute>
++ <attribute name="warnOnSessionAttributeFilterFailure" required="false">
++ <p>If <strong>sessionAttributeNameFilter</strong> or
++ <strong>sessionAttributeValueClassNameFilter</strong> blocks an
++ attribute, should this be logged at <code>WARN</code> level? If
++ <code>WARN</code> level logging is disabled then it will be logged at
++ <code>DEBUG</code>. The default value of this attribute is
++ <code>false</code> unless a <code>SecurityManager</code> is enabled in
++ which case the default will be <code>true</code>.</p>
++ </attribute>
+ </attributes>
+ </subsection>
+ <subsection name="org.apache.catalina.ha.session.BackupManager Attributes">
diff --git a/debian/patches/CVE-2016-0763.patch b/debian/patches/CVE-2016-0763.patch
new file mode 100644
index 0000000..c9dc141
--- /dev/null
+++ b/debian/patches/CVE-2016-0763.patch
@@ -0,0 +1,49 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Mar 2016 20:42:33 +0200
+Subject: CVE-2016-0763
+
+The setGlobalContext method in
+org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not
+consider whether ResourceLinkFactory.setGlobalContext callers are authorized,
+which allows remote authenticated users to bypass intended SecurityManager
+restrictions and read or write to arbitrary application data, or cause a denial
+of service (application disruption), via a web application that sets a crafted
+global context.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1725931
+---
+ java/org/apache/naming/factory/ResourceLinkFactory.java | 5 +++++
+ webapps/docs/changelog.xml | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
+index e98a153..8606a8f 100644
+--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
+@@ -60,6 +60,11 @@ public class ResourceLinkFactory
+ * @param newGlobalContext new global context value
+ */
+ public static void setGlobalContext(Context newGlobalContext) {
++ SecurityManager sm = System.getSecurityManager();
++ if (sm != null) {
++ sm.checkPermission(new RuntimePermission(
++ ResourceLinkFactory.class.getName() + ".setGlobalContext"));
++ }
+ globalContext = newGlobalContext;
+ }
+
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index def6a13..e84c181 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -373,6 +373,10 @@
+ Add the <code>StatusManagerServlet</code> to the list of Servlets that
+ can only be loaded by privileged applications. (markt)
+ </fix>
++ <fix>
++ Protect initialization of <code>ResourceLinkFactory</code> when
++ running with a SecurityManager. (kkolinko)
++ </fix>
+ </changelog>
+ </subsection>
+ </section>
diff --git a/debian/patches/series b/debian/patches/series
index ba761f4..e1e7cdb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,10 @@
0023-update-test-certificates.patch
0024-disable-unit-tests-depending-on-network-access.path
CVE-2014-7810.patch
+CVE-2015-5174.patch
+CVE-2015-5346.patch
+CVE-2015-5345.patch
+CVE-2015-5351.patch
+CVE-2016-0706.patch
+CVE-2016-0714.patch
+CVE-2016-0763.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
More information about the pkg-java-commits
mailing list