[Git][java-team/tomcat8][jessie] Import Debian changes 8.0.14-1+deb8u14

Markus Koschany gitlab at salsa.debian.org
Tue Oct 23 22:00:43 BST 2018


Markus Koschany pushed to branch jessie at Debian Java Maintainers / tomcat8


Commits:
e4c5e7f8 by Markus Koschany at 2018-10-23T20:59:12Z
Import Debian changes 8.0.14-1+deb8u14

tomcat8 (8.0.14-1+deb8u14) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2018-11784:
    Sergey Bobrov discovered that when the default servlet returned a redirect
    to a directory (e.g. redirecting to /foo/ when the user requested /foo) a
    specially crafted URL could be used to cause the redirect to be generated
    to any URI of the attacker's choice.

tomcat8 (8.0.14-1+deb8u13) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Fix CVE-2018-1336: An improper handling of overflow in the UTF-8 decoder
    with supplementary characters can lead to an infinite loop in the decoder
    causing a Denial of Service.
  * Fix CVE-2018-8034: The host name verification when using TLS with the
    WebSocket client was missing. It is now enabled by default.

tomcat8 (8.0.14-1+deb8u12) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Refreshed the expired SSL certificates used by the tests
  * Fix CVE-2018-1304:
    The URL pattern of "" (the empty string) which exactly maps to the context
    root was not correctly handled when used as part of a security constraint
    definition. This caused the constraint to be ignored. It was, therefore,
    possible for unauthorised users to gain access to web application
    resources that should have been protected. Only security constraints with
    a URL pattern of the empty string were affected. (Closes: #802312)
  * Fix CVE-2018-1305:
    Security constraints defined by annotations of Servlets were only applied
    once a Servlet had been loaded. Because security constraints defined in
    this way apply to the URL pattern and any URLs below that point, it was
    possible - depending on the order Servlets were loaded - for some security
    constraints not to be applied. This could have exposed resources to users
    who were not authorised to access them. (Closes: #802312)

tomcat8 (8.0.14-1+deb8u11) jessie-security; urgency=high

  * Fix CVE-2017-7674:
    The CORS Filter did not add an HTTP Vary header indicating that the
    response varies depending on Origin. This permitted client and server side
    cache poisoning in some circumstances.

tomcat8 (8.0.14-1+deb8u10) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-5664.
    The error page mechanism of the Java Servlet Specification requires that,
    when an error occurs and an error page is configured for the error that
    occurred, the original request and response are forwarded to the error
    page. This means that the request is presented to the error page with the
    original HTTP method. If the error page is a static file, expected
    behaviour is to serve content of the file as if processing a GET request,
    regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
    did not do this. Depending on the original request this could lead to
    unexpected and undesirable results for static error pages including, if the
    DefaultServlet is configured to permit writes, the replacement or removal
    of the custom error page. (Closes: #864447)
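The CVE-2018-1304 entry above describes a constraint with the URL pattern "" being skipped. The following Python model of realm-side constraint matching is an added illustration, not Tomcat's code or anything from this upload; the constraint names, the `fixed` switch and the sample deployment are constructed for the example.

```python
"""Model of security-constraint URL matching in the style of Tomcat's
RealmBase.findSecurityConstraints(), written for this changelog entry (it is
not Tomcat's code) to show why a constraint whose pattern is "" (the context
root) was ignored before the CVE-2018-1304 fix and is honoured afterwards."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Constraint:
    name: str                  # label used in the results
    patterns: Sequence[str]    # <url-pattern> values of the constraint


def normalise_path(uri: Optional[str], fixed: bool) -> str:
    """The request path handed to the realm. The mapper reports the context
    root as "/", and in rare cases the path is None; the fixed variant also
    folds an empty path into "/" (as the upstream change does)."""
    if uri is None or (fixed and uri == ""):
        return "/"
    return uri


def exact_match(uri: str, pattern: str, fixed: bool) -> bool:
    if uri == pattern:
        return True
    # Fixed behaviour: the empty pattern means the context root, which the
    # request path reports as "/", so treat the two as an exact match.
    return fixed and pattern == "" and uri == "/"


def prefix_match(uri: str, pattern: str) -> bool:
    # "/admin/*" covers "/admin" and everything below "/admin/".
    if not pattern.endswith("/*"):
        return False
    base = pattern[:-2]
    return uri == base or uri.startswith(base + "/")


def extension_match(uri: str, pattern: str) -> bool:
    # "*.jsp" covers any path ending in ".jsp".
    return pattern.startswith("*.") and uri.endswith(pattern[1:])


def find_constraints(uri: Optional[str], constraints: Sequence[Constraint],
                     fixed: bool = True) -> List[str]:
    """Names of the constraints that apply to the request path. Exact
    matches take precedence, then path-prefix matches, then extension
    matches, in the spirit of the servlet mapping rules (simplified)."""
    path = normalise_path(uri, fixed)
    for matcher in (
        lambda p: exact_match(path, p, fixed),
        lambda p: prefix_match(path, p),
        lambda p: extension_match(path, p),
    ):
        hits = [c.name for c in constraints if any(matcher(p) for p in c.patterns)]
        if hits:
            return hits
    return []


# Constructed deployment: the context root and /admin are both restricted.
CONSTRAINTS = (
    Constraint("root-only", ("",)),
    Constraint("admin", ("/admin/*",)),
)


def root_protected(fixed: bool) -> bool:
    """Does a request for the context root hit the "" constraint?"""
    return "root-only" in find_constraints("/", CONSTRAINTS, fixed=fixed)


if __name__ == "__main__":
    print("before fix, '/' constrained:", root_protected(fixed=False))  # False
    print("after fix,  '/' constrained:", root_protected(fixed=True))   # True
```

The `/admin/*` constraint matches identically in both modes, which is why only constraints with the empty pattern were affected.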

- - - - -
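The CVE-2017-7674 entry in the commit message above says a missing Vary header permitted cache poisoning. This toy cache in front of a minimal CORS filter is an added example, not Tomcat's CorsFilter; the origins, URL and cache semantics are constructed to show the effect.

```python
"""Toy shared cache in front of a CORS filter, written for this changelog
entry (not Tomcat's code) to show how a response lacking "Vary: Origin" is
stored under the bare URL and replayed, with the first requester's
Access-Control-Allow-Origin, to a different origin (CVE-2017-7674)."""
from typing import Dict, Optional, Tuple

# Constructed allow-list for the example.
ALLOWED_ORIGINS = {"https://app.example", "https://partner.example"}


def cors_filter(request: Dict[str, str], add_vary: bool) -> Dict[str, str]:
    """Minimal CORS handling: echo an allowed Origin back and, in the fixed
    variant, announce that the response depends on the Origin header."""
    headers = {"Content-Type": "application/json"}
    origin = request.get("Origin")
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    if add_vary:
        headers["Vary"] = "Origin"
    return headers


class SharedCache:
    """Keys entries by URL plus the request headers the response varied on."""

    def __init__(self) -> None:
        self.store: Dict[Tuple, Dict[str, str]] = {}

    @staticmethod
    def _key(url: str, request: Dict[str, str], vary: Optional[str]) -> Tuple:
        names = [n.strip() for n in vary.split(",")] if vary else []
        return (url,) + tuple((n, request.get(n, "")) for n in names)

    def fetch(self, url: str, request: Dict[str, str],
              add_vary: bool) -> Tuple[Dict[str, str], bool]:
        # A stored response is reusable only if the request agrees on every
        # header named in that response's Vary; without Vary, URL alone wins.
        for key, cached in self.store.items():
            if key == self._key(url, request, cached.get("Vary")):
                return cached, True
        fresh = cors_filter(request, add_vary)
        self.store[self._key(url, request, fresh.get("Vary"))] = fresh
        return fresh, False


def acao_served_to(second_origin: str,
                   add_vary: bool) -> Tuple[Optional[str], bool]:
    """https://app.example fetches /api/data first, then second_origin does.
    Returns the Access-Control-Allow-Origin the second requester sees and
    whether it came from the cache."""
    cache = SharedCache()
    cache.fetch("/api/data", {"Origin": "https://app.example"}, add_vary)
    headers, hit = cache.fetch("/api/data", {"Origin": second_origin}, add_vary)
    return headers.get("Access-Control-Allow-Origin"), hit


if __name__ == "__main__":
    print("no Vary:  ", acao_served_to("https://other.example", add_vary=False))
    print("with Vary:", acao_served_to("https://other.example", add_vary=True))
```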


14 changed files:

- debian/certificates/localhost-cert.pem
- debian/certificates/localhost-copy1.jks
- debian/certificates/localhost.jks
- debian/certificates/user1.jks
- debian/changelog
- + debian/patches/CVE-2017-5664.patch
- + debian/patches/CVE-2017-7674.patch
- + debian/patches/CVE-2018-11784.patch
- + debian/patches/CVE-2018-1304.patch
- + debian/patches/CVE-2018-1305_1_of_2.patch
- + debian/patches/CVE-2018-1305_2_of_2.patch
- + debian/patches/CVE-2018-1336.patch
- + debian/patches/CVE-2018-8034.patch
- debian/patches/series


Changes:

=====================================
debian/certificates/localhost-cert.pem
=====================================
@@ -1,35 +1,35 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 4102 (0x1006)
-    Signature Algorithm: sha1WithRSAEncryption
+        Serial Number: 4109 (0x100d)
+    Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, CN=ca-test.tomcat.apache.org
         Validity
-            Not Before: Feb 28 16:57:14 2015 GMT
-            Not After : Feb 27 16:57:14 2017 GMT
+            Not Before: Feb 27 23:25:29 2017 GMT
+            Not After : Feb 27 23:25:29 2019 GMT
         Subject: C=US, CN=localhost
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
-                    00:e7:6f:79:3f:18:87:91:dd:27:98:34:24:79:58:
-                    47:f9:c2:69:2b:d8:5b:c0:e0:bb:4a:57:d6:00:b5:
-                    bb:6a:b0:66:84:5c:b8:f0:12:0a:27:27:32:9c:82:
-                    2a:2f:0f:69:77:a6:e9:0d:df:64:31:51:c0:41:1e:
-                    dc:d4:74:51:9c:a3:b8:51:13:58:73:ee:21:9c:f9:
-                    63:82:1b:c2:2c:49:c3:09:70:ff:a9:f3:af:a2:0c:
-                    0b:60:2f:6a:db:a5:01:45:3e:34:90:8e:67:69:eb:
-                    45:f3:34:29:85:db:39:8a:99:c2:0f:72:15:21:fd:
-                    54:35:a6:7b:a7:30:cb:1e:4d:3d:32:24:c6:4b:84:
-                    4f:5f:60:ff:64:5e:68:ca:d8:fa:de:98:7d:40:04:
-                    60:b7:ae:50:ec:c8:8c:ae:dd:94:81:41:18:5b:03:
-                    63:0f:2b:02:63:0a:95:6a:ed:7e:68:e6:b6:d5:56:
-                    e9:4e:60:ea:1d:95:58:33:be:a2:12:55:cb:7f:9c:
-                    c4:97:0b:db:c0:94:09:2a:b3:9f:e1:6b:78:0d:63:
-                    1a:41:d5:6b:db:d8:48:59:04:88:d1:11:d5:e7:45:
-                    28:0e:7c:1b:78:75:20:7d:ff:7f:e1:d6:ea:e4:c5:
-                    51:77:41:42:30:4b:ff:29:33:3d:89:58:94:69:5b:
-                    70:27
+                    00:ba:d6:b2:32:de:10:53:1f:5d:af:da:d4:3f:64:
+                    b3:22:37:fd:4e:16:a3:f0:d6:9e:6e:d3:ee:47:ec:
+                    15:b4:b3:0d:80:bf:fc:21:96:8b:1d:40:16:6d:89:
+                    35:03:8a:45:8c:c6:6e:2b:66:67:0f:1c:19:cf:62:
+                    d5:e6:08:48:a8:df:10:da:4c:47:79:7c:02:97:54:
+                    f9:a8:e9:59:50:33:cd:a0:72:fd:e1:e7:5e:3a:43:
+                    5c:ff:0c:69:9e:f6:c2:86:71:07:a5:eb:b5:c7:61:
+                    f9:e9:fe:3f:26:55:2c:f4:04:7c:c0:bd:cd:2b:88:
+                    9c:69:4d:ce:3c:1e:ad:2e:18:96:aa:a0:eb:72:2b:
+                    95:99:47:16:90:b5:59:ed:f1:78:cc:8b:01:33:40:
+                    c4:e9:b0:3f:ec:89:04:13:5c:9b:22:01:cc:25:cf:
+                    40:c1:40:fa:04:a0:b9:b7:f7:d8:73:91:7f:b8:7e:
+                    e9:82:20:1f:e9:9c:89:25:28:b5:fa:6f:b7:4a:88:
+                    28:68:59:d5:30:52:f9:e4:5b:a6:b4:f8:e4:ed:2f:
+                    03:d8:50:61:9a:53:86:1f:ad:aa:0d:5f:f8:52:b5:
+                    27:dd:05:82:25:13:a0:d0:10:3c:dd:c0:70:15:24:
+                    63:89:22:0e:f0:5a:9a:fa:b0:75:56:06:aa:7f:b0:
+                    f7:9b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
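Review bot: the replacement test certificate is valid only until Feb 27 23:25:29 2019 GMT, about seven months after the deb8u12 upload that refreshed it, so the tests that depend on it will start failing again soon; consider generating a certificate with a multi-year validity at the next refresh and noting the expiry date in debian/changelog. The move from sha1WithRSAEncryption to sha256WithRSAEncryption is a welcome side effect of the regeneration.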
@@ -37,43 +37,43 @@ Certificate:
             Netscape Comment: 
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier: 
-                30:DB:AB:70:94:34:CA:FD:75:46:AB:CE:E2:4A:A9:9E:74:BC:69:BB
+                0B:37:2F:D6:48:9C:11:2F:28:AE:DC:47:E6:5E:3A:1D:24:12:0F:1A
             X509v3 Authority Key Identifier: 
                 keyid:B0:3B:BC:C9:FA:28:5F:3E:04:1F:9B:6C:C7:8B:68:D8:01:B0:F8:3D
 
-    Signature Algorithm: sha1WithRSAEncryption
-         ac:e9:89:a0:fd:83:a7:aa:39:0b:08:f2:89:bc:64:e4:fa:3f:
-         7d:7a:5e:6d:79:98:34:31:19:ec:fb:e3:07:2b:ff:ab:2f:58:
-         7f:49:33:ca:d1:bb:36:9c:bd:3d:e2:3b:39:e9:a9:c2:b7:9e:
-         58:7d:5c:f4:9f:02:80:0b:e2:e2:d8:b8:3a:c0:76:c7:3b:33:
-         29:2a:61:02:ac:e0:23:aa:3e:a7:0d:0a:e9:8b:2d:4d:2a:ed:
-         59:0c:05:2d:40:86:ed:63:ad:fd:3c:a0:5e:4e:77:a6:f5:fe:
-         16:19:e5:bf:66:2f:c0:a3:21:25:65:a8:30:0b:25:9e:b4:67:
-         ad:9d:7a:33:c2:c7:c0:18:80:ef:f0:ea:1f:33:6b:f5:d6:b6:
-         7c:47:8d:99:b5:be:77:cd:61:ba:27:11:a0:8e:19:0f:8b:2d:
-         3d:70:ac:44:b3:f7:f5:a1:a7:a9:36:93:89:e4:63:cc:89:50:
-         ea:cc:c0:5a:c1:a7:41:7b:2f:64:c3:1e:e2:7f:62:72:3a:a1:
-         d5:9f:8d:83:bf:f4:10:5f:3b:e3:48:fd:2c:7c:55:7f:81:e2:
-         e3:2f:95:53:67:20:40:97:2a:cf:cf:f2:e0:13:0d:02:fe:9f:
-         43:93:01:55:22:5b:d9:b6:fd:a6:55:6c:c8:68:dc:3c:73:e7:
-         29:14:78:29
+    Signature Algorithm: sha256WithRSAEncryption
+         3b:0a:ad:f2:27:26:d4:db:bc:97:e7:4e:52:8b:6c:08:4d:7b:
+         e7:66:ec:81:0b:0c:04:f8:b9:92:35:12:c9:b9:ed:d2:5e:b7:
+         ac:89:67:72:7e:2b:4f:5b:e3:3a:d1:09:fe:e8:cf:33:ac:a5:
+         84:95:7f:48:4d:af:59:87:0b:4c:6f:6a:bf:6b:07:af:33:13:
+         19:fd:70:0d:fc:1c:92:04:be:05:b9:96:46:d5:82:a4:f8:3b:
+         b0:11:2d:f0:19:25:ba:d6:ce:1c:7a:17:76:c6:80:d2:73:a0:
+         1a:01:48:d6:0b:12:a9:3f:50:66:81:1b:e9:9f:1e:5b:6f:d1:
+         19:12:14:70:d3:de:4c:ab:d3:83:d6:e5:4f:bb:b3:e5:c6:87:
+         16:47:f7:59:4d:9d:52:9d:00:f0:24:7a:1e:6e:14:01:0d:07:
+         0c:b6:f7:4e:c0:40:77:65:fd:ac:c7:aa:73:77:f0:44:b1:30:
+         ad:65:83:1a:cc:bd:fa:9d:80:29:61:e9:b3:26:e8:3b:55:c7:
+         12:79:3e:4d:31:f1:21:d0:4e:5f:1f:73:c3:9f:ce:f9:6c:7e:
+         8e:11:10:8e:f6:60:d2:11:ae:0f:24:6e:10:71:42:05:ed:ea:
+         4b:41:86:86:84:26:74:ed:46:81:48:34:16:40:e6:df:64:c9:
+         c2:7d:6b:1b
 -----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgICEAYwDQYJKoZIhvcNAQEFBQAwMTELMAkGA1UEBhMCVVMx
-IjAgBgNVBAMTGWNhLXRlc3QudG9tY2F0LmFwYWNoZS5vcmcwHhcNMTUwMjI4MTY1
-NzE0WhcNMTcwMjI3MTY1NzE0WjAhMQswCQYDVQQGEwJVUzESMBAGA1UEAxMJbG9j
-YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5295PxiHkd0n
-mDQkeVhH+cJpK9hbwOC7SlfWALW7arBmhFy48BIKJycynIIqLw9pd6bpDd9kMVHA
-QR7c1HRRnKO4URNYc+4hnPljghvCLEnDCXD/qfOvogwLYC9q26UBRT40kI5naetF
-8zQphds5ipnCD3IVIf1UNaZ7pzDLHk09MiTGS4RPX2D/ZF5oytj63ph9QARgt65Q
-7MiMrt2UgUEYWwNjDysCYwqVau1+aOa21VbpTmDqHZVYM76iElXLf5zElwvbwJQJ
-KrOf4Wt4DWMaQdVr29hIWQSI0RHV50UoDnwbeHUgff9/4dbq5MVRd0FCMEv/KTM9
-iViUaVtwJwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
-U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUMNurcJQ0yv11RqvO
-4kqpnnS8abswHwYDVR0jBBgwFoAUsDu8yfooXz4EH5tsx4to2AGw+D0wDQYJKoZI
-hvcNAQEFBQADggEBAKzpiaD9g6eqOQsI8om8ZOT6P316Xm15mDQxGez74wcr/6sv
-WH9JM8rRuzacvT3iOznpqcK3nlh9XPSfAoAL4uLYuDrAdsc7MykqYQKs4COqPqcN
-CumLLU0q7VkMBS1Ahu1jrf08oF5Od6b1/hYZ5b9mL8CjISVlqDALJZ60Z62dejPC
-x8AYgO/w6h8za/XWtnxHjZm1vnfNYbonEaCOGQ+LLT1wrESz9/Whp6k2k4nkY8yJ
-UOrMwFrBp0F7L2TDHuJ/YnI6odWfjYO/9BBfO+NI/Sx8VX+B4uMvlVNnIECXKs/P
-8uATDQL+n0OTAVUiW9m2/aZVbMho3Dxz5ykUeCk=
 -----END CERTIFICATE-----
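Review bot: the new Subject Key Identifier and modulus must correspond to the private keys inside localhost.jks, localhost-copy1.jks and user1.jks, which this diff shows only as "Binary files ... differ" and so cannot be checked inline; please record the openssl/keytool commands or the upstream revision used to regenerate the PEM and the keystores in debian/README.source (or in the changelog entry) so the next refresh is reproducible and reviewable.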


=====================================
debian/certificates/localhost-copy1.jks
=====================================
Binary files a/debian/certificates/localhost-copy1.jks and b/debian/certificates/localhost-copy1.jks differ


=====================================
debian/certificates/localhost.jks
=====================================
Binary files a/debian/certificates/localhost.jks and b/debian/certificates/localhost.jks differ


=====================================
debian/certificates/user1.jks
=====================================
Binary files a/debian/certificates/user1.jks and b/debian/certificates/user1.jks differ


=====================================
debian/changelog
=====================================
@@ -1,3 +1,73 @@
+tomcat8 (8.0.14-1+deb8u14) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2018-11784:
+    Sergey Bobrov discovered that when the default servlet returned a redirect
+    to a directory (e.g. redirecting to /foo/ when the user requested /foo) a
+    specially crafted URL could be used to cause the redirect to be generated
+    to any URI of the attackers choice.
+
+ -- Markus Koschany <apo at debian.org>  Mon, 15 Oct 2018 14:03:25 +0200
+
+tomcat8 (8.0.14-1+deb8u13) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder
+    with supplementary characters can lead to an infinite loop in the decoder
+    causing a Denial of Service.
+  * Fix CVE-2018-8034: The host name verification when using TLS with the
+    WebSocket client was missing. It is now enabled by default.
+
+ -- Roberto C. Sanchez <roberto at debian.org>  Sat, 01 Sep 2018 11:13:51 -0400
+
+tomcat8 (8.0.14-1+deb8u12) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Refreshed the expired SSL certificates used by the tests
+  * Fix CVE-2018-1304:
+    The URL pattern of "" (the empty string) which exactly maps to the context
+    root was not correctly handled when used as part of a security constraint
+    definition. This caused the constraint to be ignored. It was, therefore,
+    possible for unauthorised users to gain access to web application
+    resources that should have been protected. Only security constraints with
+    a URL pattern of the empty string were affected. (Closes: #802312)
+  * Fix CVE-2018-1305:
+    Security constraints defined by annotations of Servlets were only applied
+    once a Servlet had been loaded. Because security constraints defined in
+    this way apply to the URL pattern and any URLs below that point, it was
+    possible - depending on the order Servlets were loaded - for some security
+    constraints not to be applied. This could have exposed resources to users
+    who were not authorised to access them. (Closes: #802312)
+ 
+ -- Roberto C. Sanchez <roberto at debian.org>  Sun, 22 Jul 2018 23:07:52 -0400
+
+tomcat8 (8.0.14-1+deb8u11) jessie-security; urgency=high
+
+  * Fix CVE-2017-7674:
+    The CORS Filter did not add an HTTP Vary header indicating that the
+    response varies depending on Origin. This permitted client and server side
+    cache poisoning in some circumstances.
+
+ -- Sebastien Delafond <seb at debian.org>  Fri, 15 Sep 2017 13:18:33 +0200
+
+tomcat8 (8.0.14-1+deb8u10) jessie-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2017-5664.
+    The error page mechanism of the Java Servlet Specification requires that,
+    when an error occurs and an error page is configured for the error that
+    occurred, the original request and response are forwarded to the error
+    page. This means that the request is presented to the error page with the
+    original HTTP method. If the error page is a static file, expected
+    behaviour is to serve content of the file as if processing a GET request,
+    regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
+    did not do this. Depending on the original request this could lead to
+    unexpected and undesirable results for static error pages including, if the
+    DefaultServlet is configured to permit writes, the replacement or removal
+    of the custom error page. (Closes: #864447)
+
+ -- Markus Koschany <apo at debian.org>  Tue, 20 Jun 2017 20:26:44 +0200
+
 tomcat8 (8.0.14-1+deb8u9) jessie-security; urgency=high
 
   * Team upload.
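Review bot: two wording slips in the new stanzas: "An improper handing of overflow" (deb8u13) should read "handling", and "any URI of the attackers choice" (deb8u14) needs the possessive "attacker's". Also the blank line before the deb8u12 trailer carries trailing whitespace, and the deb8u10 entry opens with "Fix CVE-2017-5664." while every other entry uses a colon; worth aligning so the changelog reads and parses consistently.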


=====================================
debian/patches/CVE-2017-5664.patch
=====================================
@@ -0,0 +1,75 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 13 Jun 2017 13:12:39 +0200
+Subject: CVE-2017-5664
+
+Origin: https://svn.apache.org/r1793470
+Origin: http://svn.apache.org/r1793489
+---
+ java/org/apache/catalina/servlets/DefaultServlet.java | 15 ++++++++++++++-
+ java/org/apache/catalina/servlets/WebdavServlet.java  |  6 ++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
+index 2dede21..60c6f5e 100644
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -39,6 +39,7 @@ import java.util.Iterator;
+ import java.util.Locale;
+ import java.util.StringTokenizer;
+ 
++import javax.servlet.DispatcherType;
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -391,6 +392,18 @@ public class DefaultServlet extends HttpServlet {
+     }
+ 
+ 
++    @Override
++    protected void service(HttpServletRequest req, HttpServletResponse resp)
++            throws ServletException, IOException {
++
++        if (req.getDispatcherType() == DispatcherType.ERROR) {
++            doGet(req, resp);
++        } else {
++            super.service(req, resp);
++        }
++    }
++
++
+     /**
+      * Process a GET request for the specified resource.
+      *
+@@ -771,7 +784,7 @@ public class DefaultServlet extends HttpServlet {
+             return;
+         }
+ 
+-        boolean isError = response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST;
++        boolean isError = DispatcherType.ERROR == request.getDispatcherType();
+ 
+         boolean included = false;
+         // Check if the conditions specified in the optional If headers are
+diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
+index 1303d99..7e1f6e7 100644
+--- a/java/org/apache/catalina/servlets/WebdavServlet.java
++++ b/java/org/apache/catalina/servlets/WebdavServlet.java
+@@ -29,6 +29,7 @@ import java.util.Stack;
+ import java.util.TimeZone;
+ import java.util.Vector;
+ 
++import javax.servlet.DispatcherType;
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -310,6 +311,11 @@ public class WebdavServlet
+             return;
+         }
+ 
++        if (req.getDispatcherType() == DispatcherType.ERROR) {
++            doGet(req, resp);
++            return;
++        }
++
+         final String method = req.getMethod();
+ 
+         if (debug > 0) {
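Review bot: the DEP-3 header has no Bug-Debian: https://bugs.debian.org/864447 line even though the changelog closes #864447 for this CVE; add it so the patch is traceable from the bug. The two Origin lines also mix https and http for the same host, harmless but worth normalising. On the logic, the new service() override sends every ERROR-dispatched request to doGet(), and isError now keys off the dispatcher type rather than the response status; that is the intended fix, but please confirm nothing else in DefaultServlet relied on the old status-based flag, since a request carrying an error status through a normal dispatch will no longer be treated as an error.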


=====================================
debian/patches/CVE-2017-7674.patch
=====================================
@@ -0,0 +1,39 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 2 Sep 2017 14:59:09 +0200
+Subject: CVE-2017-7674
+
+Bug-Debian: https://bugs.debian.org/802312
+Origin: http://svn.apache.org/r1795814
+---
+ java/org/apache/catalina/filters/CorsFilter.java | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/java/org/apache/catalina/filters/CorsFilter.java b/java/org/apache/catalina/filters/CorsFilter.java
+index fcb8d2d..03ef78d 100644
+--- a/java/org/apache/catalina/filters/CorsFilter.java
++++ b/java/org/apache/catalina/filters/CorsFilter.java
+@@ -286,6 +286,10 @@ public class CorsFilter implements Filter {
+                     exposedHeadersString);
+         }
+ 
++        // Indicate the response depends on the origin
++        response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
++                CorsFilter.REQUEST_HEADER_ORIGIN);
++
+         // Forward the request down the filter chain.
+         filterChain.doFilter(request, response);
+     }
+@@ -981,6 +985,13 @@ public class CorsFilter implements Filter {
+             "Access-Control-Allow-Headers";
+ 
+     // -------------------------------------------------- CORS Request Headers
++
++    /**
++     * The Vary header indicates allows disabling proxy caching by indicating
++     * the the response depends on the origin.
++     */
++    public static final String REQUEST_HEADER_VARY = "Vary";
++
+     /**
+      * The Origin header indicates where the cross-origin request or preflight
+      * request originates from.
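Review bot: the Bug-Debian header points at #802312, but the changelog does not close that bug for CVE-2017-7674 (it is closed by the CVE-2018-1304 and CVE-2018-1305 entries in deb8u12); verify the reference or drop it. The Javadoc for the new REQUEST_HEADER_VARY constant reads "indicates allows disabling proxy caching by indicating the the response"; suggested: "The Vary header allows proxy caching to be disabled by indicating that the response depends on the origin." Finally, Vary is added in only this one code path before filterChain.doFilter(); please confirm that preflight responses and the non-CORS branch emit it as well, otherwise a shared cache can still store an origin-specific response under the bare URL.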


=====================================
debian/patches/CVE-2018-11784.patch
=====================================
@@ -0,0 +1,24 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 15 Oct 2018 14:00:31 +0200
+Subject: CVE-2018-11784
+
+Origin: https://svn.apache.org/r1840056
+---
+ java/org/apache/catalina/servlets/DefaultServlet.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
+index 60c6f5e..4318490 100644
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -1063,6 +1063,10 @@ public class DefaultServlet extends HttpServlet {
+             location.append('?');
+             location.append(request.getQueryString());
+         }
++        // Avoid protocol relative redirects
++        while (location.length() > 1 && location.charAt(1) == '/') {
++            location.deleteCharAt(0);
++        }
+         response.sendRedirect(response.encodeRedirectURL(location.toString()));
+     }
+ 
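Review bot: the new loop inspects only location.charAt(1) and relies on charAt(0) already being '/', which holds here because location is built from the request URI earlier in this method; a one-line comment stating that precondition would make the intent clear to the next reader. Applying encodeRedirectURL() after the collapse is the right order. A regression test with a location beginning with two or more slashes, plus one beginning with a single slash that must be left untouched, would guard the behaviour.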


=====================================
debian/patches/CVE-2018-1304.patch
=====================================
@@ -0,0 +1,44 @@
+From 9e700b93e3bf5c605267d20568a964169f9e0b79 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Tue, 6 Feb 2018 11:40:42 +0000
+Subject: [PATCH] Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62067
+ Correctly apply security constraints mapped to the context root using a URL
+ pattern of ""
+
+git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk@1823308 13f79535-47bb-0310-9956-ffa450edef68
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=62067
+bug-debian: https://bugs.debian.org/802312
+origin: https://svn.apache.org/r1823308
+
+(cherry picked from commit 9e700b93e3bf5c605267d20568a964169f9e0b79)
+[rcs: Backported to jessie]
+---
+ java/org/apache/catalina/realm/RealmBase.java | 7 ++++---
+ webapps/docs/changelog.xml                    | 4 ++++
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- tomcat8.git.orig/java/org/apache/catalina/realm/RealmBase.java
++++ tomcat8.git/java/org/apache/catalina/realm/RealmBase.java
+@@ -591,9 +591,9 @@
+ 
+         // Check each defined security constraint
+         String uri = request.getRequestPathMB().toString();
+-        // Bug47080 - in rare cases this may be null
++        // Bug47080 - in rare cases this may be null or ""
+         // Mapper treats as '/' do the same to prevent NPE
+-        if (uri == null) {
++        if (uri == null || uri.length() == 0) {
+             uri = "/";
+         }
+ 
+@@ -625,7 +625,8 @@
+                 }
+ 
+                 for(int k=0; k < patterns.length; k++) {
+-                    if(uri.equals(patterns[k])) {
++                    // Exact match including special case for the context root.
++                    if(uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")) {
+                         found = true;
+                         if(collection[j].findMethod(method)) {
+                             if(results == null) {
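Review bot: the diffstat lists webapps/docs/changelog.xml (4 insertions) but no hunk for that file follows, so the stat is stale relative to the backport; regenerate it or drop the entry. In the new condition "uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")" the && binds tighter than ||, so the logic is correct, but parentheses around the second clause would spare readers the precedence check. The lower-case "bug:", "bug-debian:" and "origin:" field names also differ from the capitalised headers used in the other patches; consistent casing helps tooling and grep.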


=====================================
debian/patches/CVE-2018-1305_1_of_2.patch
=====================================
@@ -0,0 +1,383 @@
+From 9e1bc0f4725495f981a55c621475a9419281501a Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Tue, 6 Feb 2018 12:26:13 +0000
+Subject: [PATCH] Process all ServletSecurity annotations at web application
+ start rather than at servlet load time to ensure constraints are applied
+ consistently.
+
+git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk@1823319 13f79535-47bb-0310-9956-ffa450edef68
+
+bug-debian: https://bugs.debian.org/802312
+origin: https://svn.apache.org/r1823319
+
+(cherry picked from commit 9e1bc0f4725495f981a55c621475a9419281501a)
+[rcs: Backported to jessie]
+---
+ java/org/apache/catalina/Wrapper.java              | 18 +++++----
+ .../catalina/authenticator/AuthenticatorBase.java  |  8 ----
+ .../apache/catalina/core/ApplicationContext.java   | 18 ++++++++-
+ .../core/ApplicationServletRegistration.java       |  7 ++++
+ java/org/apache/catalina/core/StandardContext.java | 29 +++++++++------
+ java/org/apache/catalina/core/StandardWrapper.java | 43 +---------------------
+ .../org/apache/catalina/startup/ContextConfig.java |  9 ++---
+ java/org/apache/catalina/startup/Tomcat.java       |  3 ++
+ .../apache/catalina/startup/WebAnnotationSet.java  | 17 +++++++--
+ webapps/docs/changelog.xml                         |  5 +++
+ 10 files changed, 81 insertions(+), 76 deletions(-)
+
+--- tomcat8.git.orig/java/org/apache/catalina/Wrapper.java
++++ tomcat8.git/java/org/apache/catalina/Wrapper.java
+@@ -370,19 +370,23 @@
+     public void setEnabled(boolean enabled);
+ 
+     /**
+-     * Set the flag that indicates
+-     * {@link javax.servlet.annotation.ServletSecurity} annotations must be
+-     * scanned when the Servlet is first used.
++     * This method is no longer used. All implementations should be NO-OPs.
+      *
+-     * @param b The new value of the flag
++     * @param b Unused.
++     *
++     * @deprecated This will be removed in Tomcat 9.
+      */
++    @Deprecated
+     public void setServletSecurityAnnotationScanRequired(boolean b);
+ 
+     /**
+-     * Scan for (if necessary) and process (if found) the
+-     * {@link javax.servlet.annotation.ServletSecurity} annotations for the
+-     * Servlet associated with this wrapper.
++     * This method is no longer used. All implementations should be NO-OPs.
++     *
++     * @throws ServletException Never thrown
++     *
++     * @deprecated This will be removed in Tomcat 9.
+      */
++    @Deprecated
+     public void servletSecurityAnnotationScan() throws ServletException;
+ 
+     /**
+--- tomcat8.git.orig/java/org/apache/catalina/authenticator/AuthenticatorBase.java
++++ tomcat8.git/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+@@ -37,7 +37,6 @@
+ import org.apache.catalina.Realm;
+ import org.apache.catalina.Session;
+ import org.apache.catalina.Valve;
+-import org.apache.catalina.Wrapper;
+ import org.apache.catalina.connector.Request;
+ import org.apache.catalina.connector.Response;
+ import org.apache.catalina.util.SessionIdGeneratorBase;
+@@ -487,13 +486,6 @@
+             }
+         }
+ 
+-        // The Servlet may specify security constraints through annotations.
+-        // Ensure that they have been processed before constraints are checked
+-        Wrapper wrapper = request.getMappingData().wrapper;
+-        if (wrapper != null) {
+-            wrapper.servletSecurityAnnotationScan();
+-        }
+-
+         Realm realm = this.context.getRealm();
+         // Is this request URI subject to a security constraint?
+         SecurityConstraint [] constraints
+--- tomcat8.git.orig/java/org/apache/catalina/core/ApplicationContext.java
++++ tomcat8.git/java/org/apache/catalina/core/ApplicationContext.java
+@@ -46,8 +46,10 @@
+ import javax.servlet.ServletRegistration;
+ import javax.servlet.ServletRequestAttributeListener;
+ import javax.servlet.ServletRequestListener;
++import javax.servlet.ServletSecurityElement;
+ import javax.servlet.SessionCookieConfig;
+ import javax.servlet.SessionTrackingMode;
++import javax.servlet.annotation.ServletSecurity;
+ import javax.servlet.descriptor.JspConfigDescriptor;
+ import javax.servlet.http.HttpSessionAttributeListener;
+ import javax.servlet.http.HttpSessionIdListener;
+@@ -64,6 +66,7 @@
+ import org.apache.catalina.Wrapper;
+ import org.apache.catalina.connector.Connector;
+ import org.apache.catalina.mapper.MappingData;
++import org.apache.catalina.util.Introspection;
+ import org.apache.catalina.util.ServerInfo;
+ import org.apache.tomcat.util.ExceptionUtils;
+ import org.apache.tomcat.util.buf.CharChunk;
+@@ -1060,14 +1063,27 @@
+             }
+         }
+ 
++        ServletSecurity annotation = null;
+         if (servlet == null) {
+             wrapper.setServletClass(servletClass);
++            Class<?> clazz = Introspection.loadClass(context, servletClass);
++            if (clazz != null) {
++                annotation = clazz.getAnnotation(ServletSecurity.class);
++            }
+         } else {
+             wrapper.setServletClass(servlet.getClass().getName());
+             wrapper.setServlet(servlet);
++            if (context.wasCreatedDynamicServlet(servlet)) {
++                annotation = servlet.getClass().getAnnotation(ServletSecurity.class);
++            }
+         }
+ 
+-        return context.dynamicServletAdded(wrapper);
++        ServletRegistration.Dynamic registration =
++                new ApplicationServletRegistration(wrapper, context);
++        if (annotation != null) {
++            registration.setServletSecurity(new ServletSecurityElement(annotation));
++        }
++        return registration;
+     }
+ 
+ 
+--- tomcat8.git.orig/java/org/apache/catalina/core/ApplicationServletRegistration.java
++++ tomcat8.git/java/org/apache/catalina/core/ApplicationServletRegistration.java
+@@ -44,6 +44,7 @@
+ 
+     private final Wrapper wrapper;
+     private final Context context;
++    private ServletSecurityElement constraint;
+ 
+     public ApplicationServletRegistration(Wrapper wrapper,
+             Context context) {
+@@ -158,6 +159,7 @@
+                     getName(), context.getName()));
+         }
+ 
++        this.constraint = constraint;
+         return context.addServletSecurity(this, constraint);
+     }
+ 
+@@ -191,6 +193,11 @@
+         for (String urlPattern : urlPatterns) {
+             context.addServletMapping(urlPattern, wrapper.getName());
+         }
++
++        if (constraint != null) {
++            context.addServletSecurity(this, constraint);
++        }
++
+         return Collections.emptySet();
+     }
+ 
+--- tomcat8.git.orig/java/org/apache/catalina/core/StandardContext.java
++++ tomcat8.git/java/org/apache/catalina/core/StandardContext.java
+@@ -4529,27 +4529,36 @@
+     }
+ 
+     /**
+-     * hook to register that we need to scan for security annotations.
+-     * @param wrapper   The wrapper for the Servlet that was added
++     * Create a servlet registration.
++     *
++     * @param wrapper The wrapper for which the registration should be created.
++     *
++     * @return An appropriate registration
++     *
++     * @deprecated This will be removed in Tomcat 9. The registration should be
++     *             created directly.
+      */
++    @Deprecated
+     public ServletRegistration.Dynamic dynamicServletAdded(Wrapper wrapper) {
+-        Servlet s = wrapper.getServlet();
+-        if (s != null && createdServlets.contains(s)) {
+-            // Mark the wrapper to indicate annotations need to be scanned
+-            wrapper.setServletSecurityAnnotationScanRequired(true);
+-        }
+         return new ApplicationServletRegistration(wrapper, this);
+     }
+ 
+     /**
+-     * hook to track which registrations need annotation scanning
+-     * @param servlet
++     * Hook to track which Servlets were created via
++     * {@link ServletContext#createServlet(Class)}.
++     *
++     * @param servlet the created Servlet
+      */
+     public void dynamicServletCreated(Servlet servlet) {
+         createdServlets.add(servlet);
+     }
+ 
+ 
++    public boolean wasCreatedDynamicServlet(Servlet servlet) {
++        return createdServlets.contains(servlet);
++    }
++
++
+     /**
+      * A helper class to manage the filter mappings in a Context.
+      */
+@@ -5795,8 +5804,6 @@
+                         newSecurityConstraints) {
+                     addConstraint(securityConstraint);
+                 }
+-
+-                checkConstraintsForUncoveredMethods(newSecurityConstraints);
+             }
+         }
+ 
+--- tomcat8.git.orig/java/org/apache/catalina/core/StandardWrapper.java
++++ tomcat8.git/java/org/apache/catalina/core/StandardWrapper.java
+@@ -14,8 +14,6 @@
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+  */
+-
+-
+ package org.apache.catalina.core;
+ 
+ import java.io.PrintStream;
+@@ -42,11 +40,9 @@
+ import javax.servlet.ServletConfig;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+-import javax.servlet.ServletSecurityElement;
+ import javax.servlet.SingleThreadModel;
+ import javax.servlet.UnavailableException;
+ import javax.servlet.annotation.MultipartConfig;
+-import javax.servlet.annotation.ServletSecurity;
+ 
+ import org.apache.catalina.Container;
+ import org.apache.catalina.ContainerServlet;
+@@ -264,8 +260,6 @@
+      */
+     protected boolean enabled = true;
+ 
+-    protected volatile boolean servletSecurityAnnotationScanRequired = false;
+-
+     private boolean overridable = false;
+ 
+     /**
+@@ -657,7 +651,7 @@
+      */
+     @Override
+     public void setServletSecurityAnnotationScanRequired(boolean b) {
+-        this.servletSecurityAnnotationScanRequired = b;
++        // NO-OP
+     }
+ 
+     // --------------------------------------------------------- Public Methods
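Review bot: setServletSecurityAnnotationScanRequired is reduced to `// NO-OP` but keeps its public signature and its existing Javadoc; mark it @Deprecated and state in the Javadoc that the flag is ignored because annotation scanning now happens at context start, as was done for dynamicServletAdded earlier in this patch. Otherwise nothing tells a Wrapper caller that setting the flag has no effect.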
+@@ -1133,8 +1127,6 @@
+                 }
+             }
+ 
+-            processServletSecurityAnnotation(servlet.getClass());
+-
+             // Special handling for ContainerServlet instances
+             if ((servlet instanceof ContainerServlet) &&
+                     (isContainerProvidedServlet(servletClass) ||
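Review bot: removing `processServletSecurityAnnotation(servlet.getClass());` from loadServlet is the actual behavioural change: @ServletSecurity is no longer read lazily when a servlet is first loaded. That is only safe because the WebAnnotationSet hunk later in this patch processes the annotation for every wrapper at startup; a one-line comment here ("handled by WebAnnotationSet.loadApplicationAnnotations at context start") would save the next reader from tracing that dependency.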
+@@ -1177,40 +1169,9 @@
+      */
+     @Override
+     public void servletSecurityAnnotationScan() throws ServletException {
+-        if (getServlet() == null) {
+-            Class<?> clazz = null;
+-            try {
+-                clazz = ((Context) getParent()).getLoader().getClassLoader().loadClass(
+-                        getServletClass());
+-                processServletSecurityAnnotation(clazz);
+-            } catch (ClassNotFoundException e) {
+-                // Safe to ignore. No class means no annotations to process
+-            }
+-        } else {
+-            if (servletSecurityAnnotationScanRequired) {
+-                processServletSecurityAnnotation(getServlet().getClass());
+-            }
+-        }
++        // NO-OP
+     }
+ 
+-    private void processServletSecurityAnnotation(Class<?> clazz) {
+-        // Calling this twice isn't harmful so no syncs
+-        servletSecurityAnnotationScanRequired = false;
+-
+-        Context ctxt = (Context) getParent();
+-
+-        if (ctxt.getIgnoreAnnotations()) {
+-            return;
+-        }
+-
+-        ServletSecurity secAnnotation =
+-            clazz.getAnnotation(ServletSecurity.class);
+-        if (secAnnotation != null) {
+-            ctxt.addServletSecurity(
+-                    new ApplicationServletRegistration(this, ctxt),
+-                    new ServletSecurityElement(secAnnotation));
+-        }
+-    }
+ 
+     private synchronized void initServlet(Servlet servlet)
+             throws ServletException {
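Review bot: servletSecurityAnnotationScan becomes an empty method but keeps `throws ServletException` and its Javadoc; deprecate it alongside the setter above and say in the Javadoc that scanning moved to WebAnnotationSet. Also note that the removed processServletSecurityAnnotation carried the `ctxt.getIgnoreAnnotations()` early return on this path; the replacement further down in WebAnnotationSet has no such check, so that behaviour must be preserved by its caller.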
+--- tomcat8.git.orig/java/org/apache/catalina/startup/ContextConfig.java
++++ tomcat8.git/java/org/apache/catalina/startup/ContextConfig.java
+@@ -350,15 +350,14 @@
+         LoginConfig loginConfig = context.getLoginConfig();
+ 
+         SecurityConstraint constraints[] = context.findConstraints();
+-        if (context.getIgnoreAnnotations() &&
+-                (constraints == null || constraints.length ==0) &&
++        if ((constraints == null || constraints.length ==0) &&
+                 !context.getPreemptiveAuthentication())  {
++            // No need for an authenticator
+             return;
+         } else {
+             if (loginConfig == null) {
+-                // Not metadata-complete or security constraints present, need
+-                // an authenticator to support @ServletSecurity annotations
+-                // and/or constraints
++                // Security constraints present. Need an authenticator to
++                // support them.
+                 loginConfig = DUMMY_LOGIN_CONFIG;
+                 context.setLoginConfig(loginConfig);
+             }
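Review bot: dropping `context.getIgnoreAnnotations() &&` from the condition is right now that annotations are applied before authenticatorConfig runs, but the remaining early `return` still leaves any context without security constraints and without preemptive authentication with no authenticator at all, so HttpServletRequest.login() has nothing to delegate to. The follow-up CVE-2018-1305_2_of_2 patch in this same commit removes that branch for exactly this reason; the patch header here should mention that it is incomplete on its own. Minor: `constraints.length ==0` is missing a space.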
+--- tomcat8.git.orig/java/org/apache/catalina/startup/Tomcat.java
++++ tomcat8.git/java/org/apache/catalina/startup/Tomcat.java
+@@ -791,6 +791,8 @@
+                 Context context = (Context) event.getLifecycle();
+                 if (event.getType().equals(Lifecycle.CONFIGURE_START_EVENT)) {
+                     context.setConfigured(true);
++                    // Process annotations
++                    WebAnnotationSet.loadApplicationAnnotations(context);
+                 }
+                 // LoginConfig is required to process @ServletSecurity
+                 // annotations
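Review bot: the new `WebAnnotationSet.loadApplicationAnnotations(context);` call on CONFIGURE_START_EVENT has no `context.getIgnoreAnnotations()` guard, unlike the StandardWrapper code removed earlier in this patch. Unless loadApplicationAnnotations checks the flag itself, embedded contexts marked metadata-complete will now have their annotations processed; add the guard here or document where it is enforced.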
+--- tomcat8.git.orig/java/org/apache/catalina/startup/WebAnnotationSet.java
++++ tomcat8.git/java/org/apache/catalina/startup/WebAnnotationSet.java
+@@ -23,10 +23,13 @@
+ import javax.annotation.Resources;
+ import javax.annotation.security.DeclareRoles;
+ import javax.annotation.security.RunAs;
++import javax.servlet.ServletSecurityElement;
++import javax.servlet.annotation.ServletSecurity;
+ 
+ import org.apache.catalina.Container;
+ import org.apache.catalina.Context;
+ import org.apache.catalina.Wrapper;
++import org.apache.catalina.core.ApplicationServletRegistration;
+ import org.apache.catalina.util.Introspection;
+ import org.apache.tomcat.util.descriptor.web.ContextEnvironment;
+ import org.apache.tomcat.util.descriptor.web.ContextResource;
+@@ -136,9 +139,17 @@
+                  * Ref JSR 250, equivalent to the run-as element in
+                  * the deployment descriptor
+                  */
+-                RunAs annotation = classClass.getAnnotation(RunAs.class);
+-                if (annotation != null) {
+-                    wrapper.setRunAs(annotation.value());
++                RunAs runAs = classClass.getAnnotation(RunAs.class);
++                if (runAs != null) {
++                    wrapper.setRunAs(runAs.value());
++                }
++
++                // Process ServletSecurity annotation
++                ServletSecurity servletSecurity = classClass.getAnnotation(ServletSecurity.class);
++                if (servletSecurity != null) {
++                    context.addServletSecurity(
++                            new ApplicationServletRegistration(wrapper, context),
++                            new ServletSecurityElement(servletSecurity));
+                 }
+             }
+         }
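Review bot: the rename of the local `annotation` to `runAs` is a cosmetic change that enlarges a security backport; keep it only because it matches upstream. The new block is the core of the fix: `context.addServletSecurity(...)` now runs once per annotated servlet class at context start, so the constraint exists whether or not the servlet has been loaded. Note the block applies the annotation unconditionally, so the caller must be the place that honours metadata-complete (ignoreAnnotations) contexts.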


=====================================
debian/patches/CVE-2018-1305_2_of_2.patch
=====================================
@@ -0,0 +1,45 @@
+From 014e21e7ac8cf76d93129672cbf799e979d91806 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Thu, 15 Feb 2018 20:20:42 +0000
+Subject: [PATCH] Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62104 Fix
+ programmatic login regression as the NonLoginAuthenticator has to be set for
+ it to work (if no login method is specified).
+
+git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk@1824359 13f79535-47bb-0310-9956-ffa450edef68
+
+bug-debian: https://bugs.debian.org/802312
+origin: https://svn.apache.org/r1824359
+
+(cherry picked from commit 014e21e7ac8cf76d93129672cbf799e979d91806)
+[rcs: Backported to jessie]
+---
+ java/org/apache/catalina/startup/ContextConfig.java | 17 ++++-------------
+ webapps/docs/changelog.xml                          |  5 +++++
+ 2 files changed, 9 insertions(+), 13 deletions(-)
+
+--- tomcat8.git.orig/java/org/apache/catalina/startup/ContextConfig.java
++++ tomcat8.git/java/org/apache/catalina/startup/ContextConfig.java
+@@ -348,19 +348,10 @@
+     protected void authenticatorConfig() {
+ 
+         LoginConfig loginConfig = context.getLoginConfig();
+-
+-        SecurityConstraint constraints[] = context.findConstraints();
+-        if ((constraints == null || constraints.length ==0) &&
+-                !context.getPreemptiveAuthentication())  {
+-            // No need for an authenticator
+-            return;
+-        } else {
+-            if (loginConfig == null) {
+-                // Security constraints present. Need an authenticator to
+-                // support them.
+-                loginConfig = DUMMY_LOGIN_CONFIG;
+-                context.setLoginConfig(loginConfig);
+-            }
++        if (loginConfig == null) {
++            // Need an authenticator to support HttpServletRequest.login()
++            loginConfig = DUMMY_LOGIN_CONFIG;
++            context.setLoginConfig(loginConfig);
+         }
+ 
+         // Has an authenticator been configured already?
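Review bot: with the constraint check gone, authenticatorConfig installs DUMMY_LOGIN_CONFIG whenever no login-config is declared, so every context gets an authenticator and HttpServletRequest.login() works again, which is the regression named in the subject. Since `context.findConstraints()` and the `SecurityConstraint` local are no longer used in this method, check whether the SecurityConstraint import in ContextConfig is still needed elsewhere and drop it in the same patch if not.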


=====================================
debian/patches/CVE-2018-1336.patch
=====================================
@@ -0,0 +1,25 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 24 Aug 2018 21:13:11 +0200
+Subject: CVE-2018-1336
+
+Origin: https://svn.apache.org/r1830374
+---
+ java/org/apache/tomcat/util/buf/Utf8Decoder.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/java/org/apache/tomcat/util/buf/Utf8Decoder.java b/java/org/apache/tomcat/util/buf/Utf8Decoder.java
+index 13d6543..ca819c4 100644
+--- a/java/org/apache/tomcat/util/buf/Utf8Decoder.java
++++ b/java/org/apache/tomcat/util/buf/Utf8Decoder.java
+@@ -278,6 +278,11 @@ public class Utf8Decoder extends CharsetDecoder {
+                 outRemaining--;
+             } else {
+                 if (outRemaining < 2) {
++                    // Encoded with 4 bytes. inIndex currently points
++                    // to the final byte. Move it back to first byte.
++                    inIndex -= 3;
++                    in.position(inIndex - in.arrayOffset());
++                    out.position(outIndex - out.arrayOffset());
+                     return CoderResult.OVERFLOW;
+                 }
+                 cArr[outIndex++] = (char) ((jchar >> 0xA) + 0xD7C0);
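Review bot: the OVERFLOW handling is correct for the case it targets: when fewer than two chars remain for a surrogate pair, `inIndex -= 3` rewinds to the first byte of the 4-byte sequence and both buffer positions are written back before returning, so a caller that grows the output buffer and re-invokes the decoder resumes at the start of the character instead of spinning on the same input. The rewind silently assumes this `else` branch is reached only for supplementary code points (always 4-byte encoded); a comment stating that invariant would make the constant 3 self-explaining. Also confirm that any non-array decode path in this class gets the same rewind.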


=====================================
debian/patches/CVE-2018-8034.patch
=====================================
@@ -0,0 +1,95 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 24 Aug 2018 21:25:57 +0200
+Subject: CVE-2018-8034
+
+Origin: https://svn.apache.org/r1833758
+---
+ .../apache/tomcat/websocket/WsWebSocketContainer.java | 18 ++++++++++++++----
+ webapps/docs/web-socket-howto.xml                     | 19 +++++++++++++++----
+ 2 files changed, 29 insertions(+), 8 deletions(-)
+
+--- tomcat8.git.orig/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
++++ tomcat8.git/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
+@@ -49,6 +49,7 @@
+ import javax.net.ssl.SSLContext;
+ import javax.net.ssl.SSLEngine;
+ import javax.net.ssl.SSLException;
++import javax.net.ssl.SSLParameters;
+ import javax.net.ssl.TrustManagerFactory;
+ import javax.websocket.ClientEndpoint;
+ import javax.websocket.ClientEndpointConfig;
+@@ -254,10 +255,11 @@
+ 
+         Future<Void> fConnect = socketChannel.connect(sa);
+ 
++        Map<String,Object> userProperties = clientEndpointConfiguration.getUserProperties();
++
+         AsyncChannelWrapper channel;
+         if (secure) {
+-            SSLEngine sslEngine = createSSLEngine(
+-                    clientEndpointConfiguration.getUserProperties());
++            SSLEngine sslEngine = createSSLEngine(userProperties, host, port);
+             channel = new AsyncChannelWrapperSecure(socketChannel, sslEngine);
+         } else {
+             channel = new AsyncChannelWrapperNonSecure(socketChannel);
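Review bot: hoisting `userProperties` is fine; the important part is that the `host` and `port` now passed to createSSLEngine are the WebSocket server's own host and port, because that is the name the endpoint identification added later in this patch compares against the certificate. Their origin is not in this hunk, so a short comment at the call site saying they must be the peer (not any intermediate) address would prevent a silent mismatch later.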
+@@ -624,7 +626,7 @@
+     }
+ 
+ 
+-    private SSLEngine createSSLEngine(Map<String,Object> userProperties)
++    private SSLEngine createSSLEngine(Map<String,Object> userProperties, String host, int port)
+             throws DeploymentException {
+ 
+         try {
+@@ -662,7 +664,7 @@
+                 }
+             }
+ 
+-            SSLEngine engine = sslContext.createSSLEngine();
++            SSLEngine engine = sslContext.createSSLEngine(host, port);
+ 
+             String sslProtocolsValue =
+                     (String) userProperties.get(SSL_PROTOCOLS_PROPERTY);
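Review bot: `sslContext.createSSLEngine(host, port)` rather than the no-arg form is what gives the engine a peer host, which the HTTPS endpoint identification enabled in the next hunk needs; without it the check has nothing to compare against and is effectively skipped. A comment on this line would stop a future cleanup from reverting to createSSLEngine().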
+@@ -672,6 +674,14 @@
+ 
+             engine.setUseClientMode(true);
+ 
++            // Enable host verification
++            // Start with current settings (returns a copy)
++            SSLParameters sslParams = engine.getSSLParameters();
++            // Use HTTPS since WebSocket starts over HTTP(S)
++            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
++            // Write the parameters back
++            engine.setSSLParameters(sslParams);
++
+             return engine;
+         } catch (Exception e) {
+             throw new DeploymentException(sm.getString(
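Review bot: the verification block is correct: getSSLParameters() returns a copy, so setting the algorithm and writing it back with setSSLParameters is required, and "HTTPS" is the right algorithm because the WebSocket handshake is an HTTP(S) request. It is applied after the engine is created from whatever SSLContext the user supplied, so providing a custom SSLContext alone does not disable it; the only opt-out is the custom X509ExtendedTrustManager route described in the docs hunk, which is the intended secure default.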
+--- tomcat8.git.orig/webapps/docs/web-socket-howto.xml
++++ tomcat8.git/webapps/docs/web-socket-howto.xml
+@@ -146,10 +146,21 @@
+      <li><code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code></li>
+    </ul>
+    <p>The default truststore password is <code>changeit</code>.</p>
+-   <p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
+-      set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
+-      <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
+-      will be ignored.</p>
++<p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
++   set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
++   <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
++   will be ignored.</p>
++
++<p>For secure server end points, host name verification is enabled by default.
++   To bypass this verification (not recommended), it is necessary to provide a
++   custom <code>SSLContext</code> via the
++   <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> user property. The
++   custom <code>SSLContext</code> must be configured with a custom
++   <code>TrustManager</code> that extends
++   <code>javax.net.ssl.X509ExtendedTrustManager</code>. The desired verification
++   (or lack of verification) can then be controlled by appropriate
++   implementations of the individual abstract methods.</p>
++
+ </section>
+ 
+ </body>
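Review bot: the first paragraph (SSL_CONTEXT overriding SSL_TRUSTSTORE) is unchanged in content and only re-indented; drop that whitespace-only change from a security backport so the patch is limited to its substance. The new paragraph matches the code change and should stay with it.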


=====================================
debian/patches/series
=====================================
@@ -37,3 +37,11 @@ BZ57544-infinite-loop.patch
 BZ57544-infinite-loop-part2.patch
 CVE-2017-5647.patch
 CVE-2017-5648.patch
+CVE-2017-5664.patch
+CVE-2017-7674.patch
+CVE-2018-1304.patch
+CVE-2018-1305_1_of_2.patch
+CVE-2018-1305_2_of_2.patch
+CVE-2018-1336.patch
+CVE-2018-8034.patch
+CVE-2018-11784.patch
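Review bot: ordering is right: CVE-2018-1305_2_of_2.patch removes lines that CVE-2018-1305_1_of_2.patch introduces in ContextConfig.authenticatorConfig (the `// No need for an authenticator` early return), so it must follow it as it does here, and CVE-2018-1336, CVE-2018-8034 and CVE-2018-11784 touch disjoint files. CVE-2017-5664.patch and CVE-2017-7674.patch are also appended in this hunk; confirm those patch files are present in the same upload.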



View it on GitLab: https://salsa.debian.org/java-team/tomcat8/commit/e4c5e7f8f55813ce2f541099f3d880fa90306df5
