[tomcat7] 01/01: Import Debian changes 7.0.28-4+deb7u12
Markus Koschany
apo at moszumanska.debian.org
Fri Apr 28 21:31:37 UTC 2017
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch wheezy
in repository tomcat7.
commit 8dd46c5cbdba12a653cab79b45ef6dec33a0c6e3
Author: Markus Koschany <apo at debian.org>
Date: Fri Apr 28 22:47:08 2017 +0200
Import Debian changes 7.0.28-4+deb7u12
tomcat7 (7.0.28-4+deb7u12) wheezy-security; urgency=high
* Team upload.
* Fix the following security vulnerabilities:
- CVE-2017-5647:
A bug in the handling of the pipelined requests when send file was used
resulted in the pipelined request being lost when send file processing of
the previous request completed. This could result in responses appearing
to be sent for the wrong request. For example, a user agent that sent
requests A, B and C could see the correct response for request A, the
response for request C for request B and no response for request C.
- CVE-2017-5648:
It was noticed that some calls to application listeners did not use the
appropriate facade object. When running an untrusted application under a
SecurityManager, it was therefore possible for that untrusted application
to retain a reference to the request or response object and thereby access
and/or modify information associated with another web application.
---
debian/changelog | 20 ++
debian/patches/CVE-2017-5647.patch | 507 +++++++++++++++++++++++++++++++++++++
debian/patches/CVE-2017-5648.patch | 117 +++++++++
debian/patches/series | 2 +
4 files changed, 646 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 9763858..9be0dd5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+tomcat7 (7.0.28-4+deb7u12) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix the following security vulnerabilities:
+ - CVE-2017-5647:
+ A bug in the handling of the pipelined requests when send file was used
+ resulted in the pipelined request being lost when send file processing of
+ the previous request completed. This could result in responses appearing
+ to be sent for the wrong request. For example, a user agent that sent
+ requests A, B and C could see the correct response for request A, the
+ response for request C for request B and no response for request C.
+ - CVE-2017-5648:
+ It was noticed that some calls to application listeners did not use the
+ appropriate facade object. When running an untrusted application under a
+ SecurityManager, it was therefore possible for that untrusted application
+ to retain a reference to the request or response object and thereby access
+ and/or modify information associated with another web application.
+
+ -- Markus Koschany <apo at debian.org> Fri, 28 Apr 2017 22:47:08 +0200
+
tomcat7 (7.0.28-4+deb7u11) wheezy-security; urgency=high
* Team upload.
diff --git a/debian/patches/CVE-2017-5647.patch b/debian/patches/CVE-2017-5647.patch
new file mode 100644
index 0000000..c62f222
--- /dev/null
+++ b/debian/patches/CVE-2017-5647.patch
@@ -0,0 +1,507 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 12 Apr 2017 18:12:40 +0200
+Subject: CVE-2017-5647
+
+Bug-Debian: https://bugs.debian.org/860068
+Origin: http://svn.apache.org/r1789008
+---
+ java/org/apache/coyote/AbstractProtocol.java | 6 +-
+ .../apache/coyote/http11/Http11AprProcessor.java | 36 ++++++----
+ .../apache/coyote/http11/Http11NioProcessor.java | 35 ++++++++--
+ java/org/apache/tomcat/util/net/AprEndpoint.java | 76 ++++++++++++----------
+ java/org/apache/tomcat/util/net/NioEndpoint.java | 73 +++++++++++----------
+ .../tomcat/util/net/SendfileKeepAliveState.java | 39 +++++++++++
+ java/org/apache/tomcat/util/net/SendfileState.java | 37 +++++++++++
+ 7 files changed, 209 insertions(+), 93 deletions(-)
+ create mode 100644 java/org/apache/tomcat/util/net/SendfileKeepAliveState.java
+ create mode 100644 java/org/apache/tomcat/util/net/SendfileState.java
+
+diff --git a/java/org/apache/coyote/AbstractProtocol.java b/java/org/apache/coyote/AbstractProtocol.java
+index e86eff8..81aaebd 100644
+--- a/java/org/apache/coyote/AbstractProtocol.java
++++ b/java/org/apache/coyote/AbstractProtocol.java
+@@ -606,9 +606,9 @@ public abstract class AbstractProtocol implements ProtocolHandler,
+ release(socket, processor, false, true);
+ } else if (state == SocketState.SENDFILE) {
+ // Sendfile in progress. If it fails, the socket will be
+- // closed. If it works, the socket will be re-added to the
+- // poller
+- release(socket, processor, false, false);
++ // closed. If it works, the socket either be added to the
++ // poller (or equivalent) to await more data or processed
++ // if there are any pipe-lined requests remaining.
+ } else if (state == SocketState.UPGRADED) {
+ // Need to keep the connection associated with the processor
+ longPoll(socket, processor);
+diff --git a/java/org/apache/coyote/http11/Http11AprProcessor.java b/java/org/apache/coyote/http11/Http11AprProcessor.java
+index 24f7c5e..52ae9c5 100644
+--- a/java/org/apache/coyote/http11/Http11AprProcessor.java
++++ b/java/org/apache/coyote/http11/Http11AprProcessor.java
+@@ -36,6 +36,7 @@ import org.apache.tomcat.util.ExceptionUtils;
+ import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
+ import org.apache.tomcat.util.net.AprEndpoint;
+ import org.apache.tomcat.util.net.SSLSupport;
++import org.apache.tomcat.util.net.SendfileKeepAliveState;
+ import org.apache.tomcat.util.net.SocketStatus;
+ import org.apache.tomcat.util.net.SocketWrapper;
+
+@@ -221,29 +222,36 @@ public class Http11AprProcessor extends AbstractHttp11Processor<Long> {
+ // Do sendfile as needed: add socket to sendfile and end
+ if (sendfileData != null && !error) {
+ sendfileData.socket = socketWrapper.getSocket().longValue();
+- sendfileData.keepAlive = keepAlive;
+- if (!((AprEndpoint)endpoint).getSendfile().add(sendfileData)) {
+- // Didn't send all of the data to sendfile.
+- if (sendfileData.socket == 0) {
+- // The socket is no longer set. Something went wrong.
+- // Close the connection. Too late to set status code.
+- if (log.isDebugEnabled()) {
+- log.debug(sm.getString(
+- "http11processor.sendfile.error"));
+- }
+- error = true;
++ if (keepAlive) {
++ if (getInputBuffer().available() == 0) {
++ sendfileData.keepAliveState = SendfileKeepAliveState.OPEN;
+ } else {
++ sendfileData.keepAliveState = SendfileKeepAliveState.PIPELINED;
++ }
++ } else {
++ sendfileData.keepAliveState = SendfileKeepAliveState.NONE;
++ }
++ switch (((AprEndpoint)endpoint).getSendfile().add(sendfileData)) {
++ case DONE:
++ return false;
++ case PENDING:
+ // The sendfile Poller will add the socket to the main
+ // Poller once sendfile processing is complete
+ sendfileInProgress = true;
++ return true;
++ case ERROR:
++ // Something went wrong.
++ // Close the connection. Too late to set status code.
++ if (log.isDebugEnabled()) {
++ log.debug(sm.getString(
++ "http11processor.sendfile.error"));
++ }
++ return true;
+ }
+- return true;
+- }
+ }
+ return false;
+ }
+
+-
+ @Override
+ protected void resetTimeouts() {
+ // NOOP for APR
+diff --git a/java/org/apache/coyote/http11/Http11NioProcessor.java b/java/org/apache/coyote/http11/Http11NioProcessor.java
+index 32b0bc6..acc1b96 100644
+--- a/java/org/apache/coyote/http11/Http11NioProcessor.java
++++ b/java/org/apache/coyote/http11/Http11NioProcessor.java
+@@ -35,6 +35,7 @@ import org.apache.tomcat.util.net.NioEndpoint;
+ import org.apache.tomcat.util.net.NioEndpoint.KeyAttachment;
+ import org.apache.tomcat.util.net.SSLSupport;
+ import org.apache.tomcat.util.net.SecureNioChannel;
++import org.apache.tomcat.util.net.SendfileKeepAliveState;
+ import org.apache.tomcat.util.net.SocketStatus;
+ import org.apache.tomcat.util.net.SocketWrapper;
+
+@@ -276,19 +277,41 @@ public class Http11NioProcessor extends AbstractHttp11Processor<NioChannel> {
+ @Override
+ protected boolean breakKeepAliveLoop(
+ SocketWrapper<NioChannel> socketWrapper) {
++ openSocket = keepAlive;
+ // Do sendfile as needed: add socket to sendfile and end
+ if (sendfileData != null && !error) {
+ ((KeyAttachment) socketWrapper).setSendfileData(sendfileData);
+- sendfileData.keepAlive = keepAlive;
++ if (keepAlive) {
++ if (getInputBuffer().available() == 0) {
++ sendfileData.keepAliveState = SendfileKeepAliveState.OPEN;
++ } else {
++ sendfileData.keepAliveState = SendfileKeepAliveState.PIPELINED;
++ }
++ } else {
++ sendfileData.keepAliveState = SendfileKeepAliveState.NONE;
++ }
+ SelectionKey key = socketWrapper.getSocket().getIOChannel().keyFor(
+ socketWrapper.getSocket().getPoller().getSelector());
+ //do the first write on this thread, might as well
+- openSocket = socketWrapper.getSocket().getPoller().processSendfile(key,
+- (KeyAttachment) socketWrapper, true);
+- return true;
++ switch (socketWrapper.getSocket().getPoller().processSendfile(
++ key, (KeyAttachment) socketWrapper, true)) {
++ case DONE:
++ // If sendfile is complete, no need to break keep-alive loop
++ sendfileData = null;
++ return false;
++ case PENDING:
++ sendfileInProgress = true;
++ return true;
++ case ERROR:
++ // Write failed
++ if (log.isDebugEnabled()) {
++ log.debug(sm.getString("http11processor.sendfile.error"));
++ }
++ return true;
++ }
++ }
++ return false;
+ }
+- return false;
+- }
+
+
+ @Override
+diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java
+index 3ac6283..91de4d7 100644
+--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
++++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
+@@ -1353,7 +1353,7 @@ public class AprEndpoint extends AbstractEndpoint {
+ // Position
+ public long pos;
+ // KeepAlive flag
+- public boolean keepAlive;
++ public SendfileKeepAliveState keepAliveState = SendfileKeepAliveState.NONE;
+ }
+
+
+@@ -1439,17 +1439,11 @@ public class AprEndpoint extends AbstractEndpoint {
+ * @return true if all the data has been sent right away, and false
+ * otherwise
+ */
+- public boolean add(SendfileData data) {
++
++ public SendfileState add(SendfileData data) {
+ // Initialize fd from data given
+ try {
+ data.fdpool = Socket.pool(data.socket);
+- } catch (Exception e) {
+- // Pool not created so no need to destroy it.
+- log.error(sm.getString("endpoint.sendfile.error"), e);
+- data.socket = 0;
+- return false;
+- }
+- try {
+ data.fd = File.open
+ (data.fileName, File.APR_FOPEN_READ
+ | File.APR_FOPEN_SENDFILE_ENABLED | File.APR_FOPEN_BINARY,
+@@ -1463,39 +1457,35 @@ public class AprEndpoint extends AbstractEndpoint {
+ if (nw < 0) {
+ if (!(-nw == Status.EAGAIN)) {
+ Pool.destroy(data.fdpool);
+- // No need to close socket, this will be done by
+- // calling code since data.socket == 0
+ data.socket = 0;
+- return false;
++ return SendfileState.ERROR;
+ } else {
+ // Break the loop and add the socket to poller.
+ break;
+ }
+- }
+-
+- data.pos = data.pos + nw;
+- if (data.pos >= data.end) {
+- // Entire file has been sent
+- Pool.destroy(data.fdpool);
+- // Set back socket to blocking mode
+- Socket.timeoutSet(data.socket, socketProperties.getSoTimeout() * 1000);
+- return true;
++ } else {
++ data.pos = data.pos + nw;
++ if (data.pos >= data.end) {
++ // Entire file has been sent
++ Pool.destroy(data.fdpool);
++ // Set back socket to blocking mode
++ Socket.timeoutSet(
++ data.socket, getSoTimeout() * 1000);
++ return SendfileState.DONE;
++ }
+ }
+ }
+ } catch (Exception e) {
+- log.error(sm.getString("endpoint.sendfile.error"), e);
+- Pool.destroy(data.fdpool);
+- data.socket = 0;
+- return false;
++ log.warn(sm.getString("endpoint.sendfile.error"), e);
++ return SendfileState.ERROR;
+ }
+ // Add socket to the list. Newly added sockets will wait
+ // at most for pollTime before being polled
+ synchronized (this) {
+ addS.add(data);
+- addCount++;
+ this.notify();
+ }
+- return false;
++ return SendfileState.PENDING;
+ }
+
+ /**
+@@ -1611,18 +1601,32 @@ public class AprEndpoint extends AbstractEndpoint {
+ state.pos = state.pos + nw;
+ if (state.pos >= state.end) {
+ remove(state);
+- if (state.keepAlive) {
++ switch (state.keepAliveState) {
++ case NONE: {
++ // Close the socket since this is
++ // the end of the not keep-alive request.
++ destroySocket(state.socket);
++ break;
++ }
++ case PIPELINED: {
+ // Destroy file descriptor pool, which should close the file
+ Pool.destroy(state.fdpool);
+- Socket.timeoutSet(state.socket, socketProperties.getSoTimeout() * 1000);
+- // If all done put the socket back in the poller for
++ Socket.timeoutSet(state.socket, getSoTimeout() * 1000);
++ // Process the pipelined request data
++ if (!processSocket(state.socket, SocketStatus.OPEN)) {
++ destroySocket(state.socket);
++ }
++ break;
++ }
++ case OPEN: {
++ // Destroy file descriptor pool, which should close the file
++ Pool.destroy(state.fdpool);
++ Socket.timeoutSet(state.socket, getSoTimeout() * 1000);
++ // Put the socket back in the poller for
+ // processing of further requests
+- getPoller().add(state.socket,
+- getKeepAliveTimeout());
+- } else {
+- // Close the socket since this is
+- // the end of not keep-alive request.
+- destroySocket(state.socket);
++ getPoller().add(state.socket, getKeepAliveTimeout());
++ break;
++ }
+ }
+ }
+ }
+diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
+index a2f7a12..9b5f25e 100644
+--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
++++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
+@@ -1276,17 +1276,8 @@ public class NioEndpoint extends AbstractEndpoint {
+ return result;
+ }
+
+- /**
+- * @deprecated Replaced by processSendfile(sk, attachment, event)
+- */
+- @Deprecated
+- public boolean processSendfile(SelectionKey sk,
+- KeyAttachment attachment,
+- @SuppressWarnings("unused") boolean reg, boolean event) {
+- return processSendfile(sk, attachment, event);
+- }
+-
+- public boolean processSendfile(SelectionKey sk, KeyAttachment attachment, boolean event) {
++ public SendfileState processSendfile(SelectionKey sk, KeyAttachment attachment,
++ boolean calledByProcessor) {
+ NioChannel sc = null;
+ try {
+ unreg(sk, attachment, sk.readyOps());
+@@ -1301,14 +1292,15 @@ public class NioEndpoint extends AbstractEndpoint {
+ File f = new File(sd.fileName);
+ if ( !f.exists() ) {
+ cancelledKey(sk,SocketStatus.ERROR,false);
+- return false;
++ return SendfileState.ERROR;
+ }
+- sd.fchannel = new FileInputStream(f).getChannel();
++ @SuppressWarnings("resource") // Closed when channel is closed
++ FileInputStream fis = new FileInputStream(f);
++ sd.fchannel = fis.getChannel();
+ }
+
+ //configure output channel
+ sc = attachment.getChannel();
+- sc.setSendFile(true);
+ //ssl channel is slightly different
+ WritableByteChannel wc = ((sc instanceof SecureNioChannel)?sc:sc.getIOChannel());
+
+@@ -1341,48 +1333,61 @@ public class NioEndpoint extends AbstractEndpoint {
+ sd.fchannel.close();
+ } catch (Exception ignore) {
+ }
+- if ( sd.keepAlive ) {
++ // For calls from outside the Poller, the caller is
++ // responsible for registering the socket for the
++ // appropriate event(s) if sendfile completes.
++ if (!calledByProcessor) {
++ switch (sd.keepAliveState) {
++ case NONE: {
+ if (log.isDebugEnabled()) {
+- log.debug("Connection is keep alive, registering back for OP_READ");
++ log.debug("Send file connection is being closed");
+ }
+- if (event) {
+- this.add(attachment.getChannel(),SelectionKey.OP_READ);
+- } else {
+- reg(sk,attachment,SelectionKey.OP_READ);
++ cancelledKey(sk,SocketStatus.STOP,false);
++ break;
++ }
++ case PIPELINED: {
++ if (log.isDebugEnabled()) {
++ log.debug("Connection is keep alive, processing pipe-lined data");
+ }
+- } else {
+- if (log.isDebugEnabled()) {
+- log.debug("Send file connection is being closed");
++ if (!processSocket(sc, SocketStatus.OPEN, true)) {
++ cancelledKey(sk, SocketStatus.DISCONNECT, false);
++ }
++ break;
++ }
++ case OPEN: {
++ if (log.isDebugEnabled()) {
++ log.debug("Connection is keep alive, registering back for OP_READ");
++ }
++ reg(sk, attachment, SelectionKey.OP_READ);
++ break;
++ }
+ }
+- cancelledKey(sk,SocketStatus.STOP,false);
+- return false;
+ }
++ return SendfileState.DONE;
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug("OP_WRITE for sendfile: " + sd.fileName);
+ }
+- if (event) {
++ if (calledByProcessor) {
+ add(attachment.getChannel(),SelectionKey.OP_WRITE);
+ } else {
+ reg(sk,attachment,SelectionKey.OP_WRITE);
+ }
++ return SendfileState.PENDING;
+ }
+ }catch ( IOException x ) {
+ if ( log.isDebugEnabled() ) log.debug("Unable to complete sendfile request:", x);
+- if (!event) {
++ if (!calledByProcessor) {
+ cancelledKey(sk,SocketStatus.ERROR,false);
+ }
+- return false;
++ return SendfileState.ERROR;
+ }catch ( Throwable t ) {
+ log.error("",t);
+- if (!event) {
++ if (!calledByProcessor) {
+ cancelledKey(sk, SocketStatus.ERROR, false);
+ }
+- return false;
+- }finally {
+- if (sc!=null) sc.setSendFile(false);
++ return SendfileState.ERROR;
+ }
+- return true;
+ }
+
+ protected void unreg(SelectionKey sk, KeyAttachment attachment, int readyOps) {
+@@ -1746,6 +1751,6 @@ public class NioEndpoint extends AbstractEndpoint {
+ public long pos;
+ public long length;
+ // KeepAlive flag
+- public boolean keepAlive;
++ public SendfileKeepAliveState keepAliveState = SendfileKeepAliveState.NONE;
+ }
+ }
+diff --git a/java/org/apache/tomcat/util/net/SendfileKeepAliveState.java b/java/org/apache/tomcat/util/net/SendfileKeepAliveState.java
+new file mode 100644
+index 0000000..b27a9f1
+--- /dev/null
++++ b/java/org/apache/tomcat/util/net/SendfileKeepAliveState.java
+@@ -0,0 +1,39 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.net;
++
++public enum SendfileKeepAliveState {
++
++ /**
++ * Keep-alive is not in use. The socket can be closed when the response has
++ * been written.
++ */
++ NONE,
++
++ /**
++ * Keep-alive is in use and there is pipelined data in the input buffer to
++ * be read as soon as the current response has been written.
++ */
++ PIPELINED,
++
++ /**
++ * Keep-alive is in use. The socket should be added to the poller (or
++ * equivalent) to await more data as soon as the current response has been
++ * written.
++ */
++ OPEN
++}
+diff --git a/java/org/apache/tomcat/util/net/SendfileState.java b/java/org/apache/tomcat/util/net/SendfileState.java
+new file mode 100644
+index 0000000..b354e2f
+--- /dev/null
++++ b/java/org/apache/tomcat/util/net/SendfileState.java
+@@ -0,0 +1,37 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.net;
++
++public enum SendfileState {
++
++ /**
++ * The sending of the file has started but has not completed. Sendfile is
++ * still using the socket.
++ */
++ PENDING,
++
++ /**
++ * The file has been fully sent. Sendfile is no longer using the socket.
++ */
++ DONE,
++
++ /**
++ * Something went wrong. The file may or may not have been sent. The socket
++ * is in an unknown state.
++ */
++ ERROR
++}
diff --git a/debian/patches/CVE-2017-5648.patch b/debian/patches/CVE-2017-5648.patch
new file mode 100644
index 0000000..0610c0b
--- /dev/null
+++ b/debian/patches/CVE-2017-5648.patch
@@ -0,0 +1,117 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 12 Apr 2017 19:56:59 +0200
+Subject: CVE-2017-5648
+
+Comment: The test TestAsyncContextImpl fails with a ClassCastException. I think
+this is to be expected since we now ensure the use of the request and response
+facades while the responsible test code still uses a (Request) cast. Tomcat 7
+in Jessie uses the same patch and passes all tests. I have not spotted any
+regressions during testing hence I will assume that the test failure can be
+ignored.
+
+Bug-Debian: https://bugs.debian.org/860068
+Origin: http://svn.apache.org/r1785776
+---
+ .../apache/catalina/authenticator/FormAuthenticator.java | 11 +++++------
+ java/org/apache/catalina/core/StandardHostValve.java | 14 +++++++-------
+ 2 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
+index f71e508..5e5b7b8 100644
+--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
++++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
+@@ -433,9 +433,9 @@ public class FormAuthenticator
+ RequestDispatcher disp =
+ context.getServletContext().getRequestDispatcher(loginPage);
+ try {
+- if (context.fireRequestInitEvent(request)) {
++ if (context.fireRequestInitEvent(request.getRequest())) {
+ disp.forward(request.getRequest(), response);
+- context.fireRequestDestroyEvent(request);
++ context.fireRequestDestroyEvent(request.getRequest());
+ }
+ } catch (Throwable t) {
+ ExceptionUtils.handleThrowable(t);
+@@ -477,12 +477,11 @@ public class FormAuthenticator
+ }
+
+ RequestDispatcher disp =
+- context.getServletContext().getRequestDispatcher
+- (config.getErrorPage());
++ context.getServletContext().getRequestDispatcher(config.getErrorPage());
+ try {
+- if (context.fireRequestInitEvent(request)) {
++ if (context.fireRequestInitEvent(request.getRequest())) {
+ disp.forward(request.getRequest(), response);
+- context.fireRequestDestroyEvent(request);
++ context.fireRequestDestroyEvent(request.getRequest());
+ }
+ } catch (Throwable t) {
+ ExceptionUtils.handleThrowable(t);
+diff --git a/java/org/apache/catalina/core/StandardHostValve.java b/java/org/apache/catalina/core/StandardHostValve.java
+index eefa27b..65042ab 100644
+--- a/java/org/apache/catalina/core/StandardHostValve.java
++++ b/java/org/apache/catalina/core/StandardHostValve.java
+@@ -66,7 +66,7 @@ final class StandardHostValve extends ValveBase {
+
+ static {
+ STRICT_SERVLET_COMPLIANCE = Globals.STRICT_SERVLET_COMPLIANCE;
+-
++
+ String accessSession = System.getProperty(
+ "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION");
+ if (accessSession == null) {
+@@ -147,7 +147,7 @@ final class StandardHostValve extends ValveBase {
+ if (Globals.IS_SECURITY_ENABLED) {
+ PrivilegedAction<Void> pa = new PrivilegedSetTccl(
+ context.getLoader().getClassLoader());
+- AccessController.doPrivileged(pa);
++ AccessController.doPrivileged(pa);
+ } else {
+ Thread.currentThread().setContextClassLoader
+ (context.getLoader().getClassLoader());
+@@ -161,7 +161,7 @@ final class StandardHostValve extends ValveBase {
+ // If a request init listener throws an exception, the request is
+ // aborted
+ boolean asyncAtStart = request.isAsync();
+- if (asyncAtStart || context.fireRequestInitEvent(request)) {
++ if (asyncAtStart || context.fireRequestInitEvent(request.getRequest())) {
+
+ // Ask this Context to process this request
+ try {
+@@ -193,7 +193,7 @@ final class StandardHostValve extends ValveBase {
+ status(request, response);
+ }
+
+- context.fireRequestDestroyEvent(request);
++ context.fireRequestDestroyEvent(request.getRequest());
+ }
+ }
+ }
+@@ -208,7 +208,7 @@ final class StandardHostValve extends ValveBase {
+ if (Globals.IS_SECURITY_ENABLED) {
+ PrivilegedAction<Void> pa = new PrivilegedSetTccl(
+ StandardHostValve.class.getClassLoader());
+- AccessController.doPrivileged(pa);
++ AccessController.doPrivileged(pa);
+ } else {
+ Thread.currentThread().setContextClassLoader
+ (StandardHostValve.class.getClassLoader());
+@@ -244,7 +244,7 @@ final class StandardHostValve extends ValveBase {
+ // Ask this Context to process this request
+ context.getPipeline().getFirst().event(request, response, event);
+
+-
++
+ // Error page processing
+ response.setSuspended(false);
+
+@@ -444,7 +444,7 @@ final class StandardHostValve extends ValveBase {
+
+ if (response.isCommitted()) {
+ // Response is committed - including the error page is the
+- // best we can do
++ // best we can do
+ rd.include(request.getRequest(), response.getResponse());
+ } else {
+ // Reset the response (keeping the real error code and message)
diff --git a/debian/patches/series b/debian/patches/series
index 0377f0a..4664e69 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -49,3 +49,5 @@ CVE-2016-6797-part2.patch
CVE-2016-8745.patch
BZ57544-infinite-loop.patch
BZ57544-infinite-loop-part2.patch
+CVE-2017-5647.patch
+CVE-2017-5648.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
More information about the pkg-java-commits
mailing list