[Git][java-team/tomcat8][jessie] 2 commits: Import Debian changes 8.0.14-1+deb8u15

Markus Koschany gitlab at salsa.debian.org
Tue Aug 13 23:05:34 BST 2019



Markus Koschany pushed to branch jessie at Debian Java Maintainers / tomcat8


Commits:
1dc175d5 by Sylvain Beucler at 2019-08-13T18:23:11Z
Import Debian changes 8.0.14-1+deb8u15

tomcat8 (8.0.14-1+deb8u15) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix flaky FTBFS by improving fix for CVE-2017-5647.
  * Refresh the expired SSL certificates used by the tests from
    freshly-renewed upstream Tomcat and adapt the test user DN.
  * Fix CVE-2019-0221:
    The SSI printenv command in Apache Tomcat echoes user provided
    data without escaping and is, therefore, vulnerable to XSS. SSI is
    disabled by default. The printenv command is intended for
    debugging and is unlikely to be present in a production website.
  * Fix CVE-2018-8014:
    The default settings for the CORS filter provided in Apache
    Tomcat are insecure and enable 'supportsCredentials' for all
    origins. It is expected that users of the CORS filter will have
    configured it appropriately for their environment rather than
    using it in the default configuration. Therefore, it is expected
    that most users will not be impacted by this issue.
  * Fix CVE-2016-5388:
    Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875
    section 4.1.18 and therefore does not protect applications from
    the presence of untrusted client data in the HTTP_PROXY
    environment variable, which might allow remote attackers to
    redirect an application's outbound HTTP traffic to an arbitrary
    proxy server via a crafted Proxy header in an HTTP request, aka an
    "httpoxy" issue.  The 'cgi' servlet now has a 'envHttpHeaders'
    parameter to filter environment variables.

- - - - -
56b840e5 by Markus Koschany at 2019-08-13T22:05:11Z
Merge branch 'jessie' into 'jessie'

Import Debian changes 8.0.14-1+deb8u15

See merge request java-team/tomcat8!3
- - - - -


15 changed files:

- + debian/certificates/ca.jks
- debian/certificates/localhost-cert.pem
- debian/certificates/localhost-copy1.jks
- + debian/certificates/localhost-key.pem
- debian/certificates/localhost.jks
- debian/certificates/user1.jks
- debian/changelog
- + debian/patches/0021-client-certificate-dn.patch
- + debian/patches/CVE-2016-5388.patch
- debian/patches/CVE-2017-5647.patch
- + debian/patches/CVE-2018-8014.patch
- + debian/patches/CVE-2019-0221.patch
- debian/patches/series
- debian/rules
- debian/source/include-binaries


Changes:

=====================================
debian/certificates/ca.jks
=====================================
Binary files /dev/null and b/debian/certificates/ca.jks differ


=====================================
debian/certificates/localhost-cert.pem
=====================================
@@ -1,35 +1,35 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 4109 (0x100d)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, CN=ca-test.tomcat.apache.org
+        Serial Number: 4102 (0x1006)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=MA, L=Wakefield, O=The Apache Software Foundation, OU=Apache Tomcat PMC, CN=Apache Tomcat Test CA
         Validity
-            Not Before: Feb 27 23:25:29 2017 GMT
-            Not After : Feb 27 23:25:29 2019 GMT
-        Subject: C=US, CN=localhost
+            Not Before: Aug  7 20:30:28 2019 GMT
+            Not After : Aug  6 20:30:28 2021 GMT
+        Subject: C=US, ST=MA, L=Wakefield, O=The Apache Software Foundation, OU=Apache Tomcat PMC, CN=localhost
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:ba:d6:b2:32:de:10:53:1f:5d:af:da:d4:3f:64:
-                    b3:22:37:fd:4e:16:a3:f0:d6:9e:6e:d3:ee:47:ec:
-                    15:b4:b3:0d:80:bf:fc:21:96:8b:1d:40:16:6d:89:
-                    35:03:8a:45:8c:c6:6e:2b:66:67:0f:1c:19:cf:62:
-                    d5:e6:08:48:a8:df:10:da:4c:47:79:7c:02:97:54:
-                    f9:a8:e9:59:50:33:cd:a0:72:fd:e1:e7:5e:3a:43:
-                    5c:ff:0c:69:9e:f6:c2:86:71:07:a5:eb:b5:c7:61:
-                    f9:e9:fe:3f:26:55:2c:f4:04:7c:c0:bd:cd:2b:88:
-                    9c:69:4d:ce:3c:1e:ad:2e:18:96:aa:a0:eb:72:2b:
-                    95:99:47:16:90:b5:59:ed:f1:78:cc:8b:01:33:40:
-                    c4:e9:b0:3f:ec:89:04:13:5c:9b:22:01:cc:25:cf:
-                    40:c1:40:fa:04:a0:b9:b7:f7:d8:73:91:7f:b8:7e:
-                    e9:82:20:1f:e9:9c:89:25:28:b5:fa:6f:b7:4a:88:
-                    28:68:59:d5:30:52:f9:e4:5b:a6:b4:f8:e4:ed:2f:
-                    03:d8:50:61:9a:53:86:1f:ad:aa:0d:5f:f8:52:b5:
-                    27:dd:05:82:25:13:a0:d0:10:3c:dd:c0:70:15:24:
-                    63:89:22:0e:f0:5a:9a:fa:b0:75:56:06:aa:7f:b0:
-                    f7:9b
+                    00:cf:e2:56:a6:67:a6:e8:e7:f3:94:86:6e:f9:06:
+                    46:cf:20:66:b5:cd:b1:c7:d6:50:ea:4d:46:44:ed:
+                    45:65:ea:b6:9b:2e:49:a5:25:c1:8e:36:f6:2c:bc:
+                    8e:09:35:0b:2f:43:70:73:07:47:1d:78:a1:12:e9:
+                    56:5d:ab:84:15:16:0e:38:01:bb:81:87:2d:c4:3b:
+                    dc:2e:4a:e1:d4:66:1b:ce:87:2c:a9:b8:e3:aa:80:
+                    75:79:b1:98:f3:dd:df:66:d0:0d:e1:06:d8:6c:6c:
+                    50:f0:00:80:32:70:55:7b:dd:eb:ae:f2:6a:bf:93:
+                    3d:15:e1:25:f8:75:ce:d8:46:dc:c4:6b:ee:f9:f5:
+                    93:39:ad:90:47:15:4b:fa:ca:5b:fe:ca:1b:29:8a:
+                    74:19:2a:cb:1e:4f:20:d9:74:75:24:a0:06:d1:3a:
+                    ed:9b:88:87:f3:1b:0f:a6:14:67:e9:ed:47:2e:a1:
+                    25:6a:c2:97:04:13:f4:9f:62:38:cd:5a:e7:ad:c2:
+                    64:2c:8f:9c:3d:04:58:12:42:e5:0c:8e:8c:ce:78:
+                    3d:60:38:ce:06:ff:9c:ea:9c:c9:0f:73:90:b2:1a:
+                    4a:16:99:c9:fe:95:88:7b:3c:7f:19:d0:26:27:11:
+                    78:f9:92:5c:b4:f5:d4:cb:b0:84:0c:74:37:3d:87:
+                    1a:0b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
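Review bot: the replacement certificate is only valid from Aug 7 2019 to Aug 6 2021 (the `Not Before` / `Not After` lines above), so the FTBFS this upload fixes will recur as soon as the test suite is built after that date. Record in debian/rules or in the patch header how the certificates were regenerated (they now come from upstream Tomcat's test CA, issuer `CN=Apache Tomcat Test CA`, rather than the old `CN=ca-test.tomcat.apache.org`), or make the affected tests tolerate an expired test certificate, so the next LTS uploader does not have to rediscover this.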
@@ -37,43 +37,73 @@ Certificate:
             Netscape Comment: 
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier: 
-                0B:37:2F:D6:48:9C:11:2F:28:AE:DC:47:E6:5E:3A:1D:24:12:0F:1A
+                0D:86:88:1D:07:59:CE:14:B4:89:81:58:C6:0B:FF:4C:CA:25:52:80
             X509v3 Authority Key Identifier: 
-                keyid:B0:3B:BC:C9:FA:28:5F:3E:04:1F:9B:6C:C7:8B:68:D8:01:B0:F8:3D
+                keyid:00:F2:98:4D:21:2C:00:3C:40:9B:84:F4:DE:2A:F0:26:EE:32:0E:9F
+
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888
 
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         3b:0a:ad:f2:27:26:d4:db:bc:97:e7:4e:52:8b:6c:08:4d:7b:
-         e7:66:ec:81:0b:0c:04:f8:b9:92:35:12:c9:b9:ed:d2:5e:b7:
-         ac:89:67:72:7e:2b:4f:5b:e3:3a:d1:09:fe:e8:cf:33:ac:a5:
-         84:95:7f:48:4d:af:59:87:0b:4c:6f:6a:bf:6b:07:af:33:13:
-         19:fd:70:0d:fc:1c:92:04:be:05:b9:96:46:d5:82:a4:f8:3b:
-         b0:11:2d:f0:19:25:ba:d6:ce:1c:7a:17:76:c6:80:d2:73:a0:
-         1a:01:48:d6:0b:12:a9:3f:50:66:81:1b:e9:9f:1e:5b:6f:d1:
-         19:12:14:70:d3:de:4c:ab:d3:83:d6:e5:4f:bb:b3:e5:c6:87:
-         16:47:f7:59:4d:9d:52:9d:00:f0:24:7a:1e:6e:14:01:0d:07:
-         0c:b6:f7:4e:c0:40:77:65:fd:ac:c7:aa:73:77:f0:44:b1:30:
-         ad:65:83:1a:cc:bd:fa:9d:80:29:61:e9:b3:26:e8:3b:55:c7:
-         12:79:3e:4d:31:f1:21:d0:4e:5f:1f:73:c3:9f:ce:f9:6c:7e:
-         8e:11:10:8e:f6:60:d2:11:ae:0f:24:6e:10:71:42:05:ed:ea:
-         4b:41:86:86:84:26:74:ed:46:81:48:34:16:40:e6:df:64:c9:
-         c2:7d:6b:1b
+         7d:dc:b1:0f:dd:34:df:26:63:73:02:8a:d6:39:64:73:c3:fc:
+         40:75:26:b6:9b:42:72:af:c9:63:41:68:d0:78:c7:47:ef:c2:
+         44:5a:b3:58:95:a3:2c:f3:b1:f4:a3:3d:0b:94:ff:b4:97:6a:
+         e9:4b:4b:c2:3a:f6:36:43:af:ee:2f:39:3e:f2:5f:2c:a2:b7:
+         43:3c:13:42:d8:4e:e0:36:bc:23:c5:43:88:46:92:f7:77:14:
+         67:73:14:5b:43:0e:3d:b5:1a:69:e9:ca:84:08:20:27:9f:23:
+         4d:60:db:cb:98:4a:b3:3e:71:e6:e8:a1:11:1c:7e:7e:43:fb:
+         6d:a5:41:c0:7e:3f:84:ed:06:28:dc:aa:80:17:76:ec:8a:e6:
+         65:45:21:85:13:48:e0:5b:87:c8:2a:1a:0f:37:0f:2a:64:53:
+         a8:e3:49:04:84:88:fe:8b:a2:3c:cc:41:c7:c0:ad:26:d6:e1:
+         67:69:9a:50:c7:eb:3d:1c:7f:da:88:08:24:14:6e:a1:ab:3e:
+         77:3f:88:12:55:98:97:9f:db:ad:09:e2:20:fe:8d:1f:ea:4f:
+         46:7e:d8:aa:ba:14:bd:a8:c2:6f:1b:47:62:d9:05:ca:c7:30:
+         7b:1e:95:2e:55:10:1d:b1:e3:44:95:07:25:6e:8c:9d:69:5b:
+         5c:ad:5f:56:27:e8:60:9f:d2:f4:64:7f:f7:8f:dc:bb:ee:bf:
+         be:0b:ea:34:9b:37:de:f0:5c:e0:64:c2:52:42:a6:0d:20:7d:
+         78:34:42:c1:1c:43:a1:98:e8:48:7b:92:49:2b:d9:63:91:6a:
+         70:02:d0:1b:a5:2a:ee:e5:1b:12:4f:cb:c9:e7:18:ae:66:f5:
+         04:d9:d2:68:95:c1:31:fe:57:9d:51:f5:fc:ed:43:3b:79:bf:
+         c3:9d:85:68:d8:98:a5:3c:a2:bb:fb:5b:19:5b:de:f0:7e:c8:
+         5e:47:ba:5d:8a:5b:44:f1:44:54:64:c0:da:95:a6:f0:bf:a9:
+         3f:5d:4c:72:97:86:ae:1e:0d:cd:20:4b:85:e0:4e:26:4d:29:
+         4e:96:43:b0:fd:30:5f:53:24:97:bc:35:d8:31:4b:6c:ea:a7:
+         f9:64:f9:cb:a0:14:c4:fc:54:78:13:52:b5:06:8f:7a:c2:00:
+         14:97:18:06:ef:bc:2f:2a:31:fc:11:25:7f:47:e3:3b:54:e7:
+         46:62:78:ba:52:07:32:41:48:9d:47:bd:1c:f4:eb:49:11:42:
+         40:9c:36:5a:e0:84:bd:09:44:91:bb:5c:d1:c4:28:6a:68:34:
+         f9:2c:22:b7:fc:43:bb:c4:96:02:ce:73:43:be:de:02:9c:e1:
+         d2:2a:4a:76:19:d6:3f:b0
 -----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgICEA0wDQYJKoZIhvcNAQELBQAwMTELMAkGA1UEBhMCVVMx
-IjAgBgNVBAMMGWNhLXRlc3QudG9tY2F0LmFwYWNoZS5vcmcwHhcNMTcwMjI3MjMy
-NTI5WhcNMTkwMjI3MjMyNTI5WjAhMQswCQYDVQQGEwJVUzESMBAGA1UEAxMJbG9j
-YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutayMt4QUx9d
-r9rUP2SzIjf9Thaj8NaebtPuR+wVtLMNgL/8IZaLHUAWbYk1A4pFjMZuK2ZnDxwZ
-z2LV5ghIqN8Q2kxHeXwCl1T5qOlZUDPNoHL94edeOkNc/wxpnvbChnEHpeu1x2H5
-6f4/JlUs9AR8wL3NK4icaU3OPB6tLhiWqqDrciuVmUcWkLVZ7fF4zIsBM0DE6bA/
-7IkEE1ybIgHMJc9AwUD6BKC5t/fYc5F/uH7pgiAf6ZyJJSi1+m+3SogoaFnVMFL5
-5FumtPjk7S8D2FBhmlOGH62qDV/4UrUn3QWCJROg0BA83cBwFSRjiSIO8Fqa+rB1
-Vgaqf7D3mwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
-U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUCzcv1kicES8ortxH
-5l46HSQSDxowHwYDVR0jBBgwFoAUsDu8yfooXz4EH5tsx4to2AGw+D0wDQYJKoZI
-hvcNAQELBQADggEBADsKrfInJtTbvJfnTlKLbAhNe+dm7IELDAT4uZI1Esm57dJe
-t6yJZ3J+K09b4zrRCf7ozzOspYSVf0hNr1mHC0xvar9rB68zExn9cA38HJIEvgW5
-lkbVgqT4O7ARLfAZJbrWzhx6F3bGgNJzoBoBSNYLEqk/UGaBG+mfHltv0RkSFHDT
-3kyr04PW5U+7s+XGhxZH91lNnVKdAPAkeh5uFAENBwy2907AQHdl/azHqnN38ESx
-MK1lgxrMvfqdgClh6bMm6DtVxxJ5Pk0x8SHQTl8fc8Ofzvlsfo4REI72YNIRrg8k
-bhBxQgXt6ktBhoaEJnTtRoFINBZA5t9kycJ9axs=
 -----END CERTIFICATE-----
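Review bot: the new certificate carries an `Authority Information Access: OCSP - URI:http://127.0.0.1:8888` extension that the old one lacked. That is harmless while the test JVM leaves revocation checking off, but a build environment that enables it (`com.sun.net.ssl.checkRevocation` / the `ocsp.enable` security property) would have every TLS test try to reach a local OCSP responder that does not exist; a comment in debian/rules stating that the tests assume revocation checking is disabled would prevent a confusing failure later. The added `Subject Alternative Name: DNS:localhost, IP Address:127.0.0.1` is the right thing, since hostname verification against the CN alone is deprecated.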


=====================================
debian/certificates/localhost-copy1.jks
=====================================
Binary files a/debian/certificates/localhost-copy1.jks and b/debian/certificates/localhost-copy1.jks differ


=====================================
debian/certificates/localhost-key.pem
=====================================
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+-----END PRIVATE KEY-----
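Review bot: this adds a PEM private key to the source package. It is evidently the test-only key for the `localhost` certificate in the previous file, but neither the file name nor the patch header says so; a short note in debian/certificates/ (or in debian/rules) stating that these are upstream Tomcat test fixtures, and a check that debian/rules references the key only during the test phase so it cannot be installed into a binary package, would make that explicit. Since debian/source/include-binaries is touched in this commit, also confirm that the newly added `ca.jks` is listed there.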


=====================================
debian/certificates/localhost.jks
=====================================
Binary files a/debian/certificates/localhost.jks and b/debian/certificates/localhost.jks differ


=====================================
debian/certificates/user1.jks
=====================================
Binary files a/debian/certificates/user1.jks and b/debian/certificates/user1.jks differ


=====================================
debian/changelog
=====================================
@@ -1,3 +1,33 @@
+tomcat8 (8.0.14-1+deb8u15) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix flacky FTBFS by improving fix for CVE-2017-5647.
+  * Refresh the expired SSL certificates used by the tests from
+    freshly-renewed upstream Tomcat and adapt the test user DN.
+  * Fix CVE-2019-0221:
+    The SSI printenv command in Apache Tomcat echoes user provided
+    data without escaping and is, therefore, vulnerable to XSS. SSI is
+    disabled by default. The printenv command is intended for
+    debugging and is unlikely to be present in a production website.
+  * Fix CVE-2018-8014:
+    The defaults settings for the CORS filter provided in Apache
+    Tomcat are insecure and enable 'supportsCredentials' for all
+    origins. It is expected that users of the CORS filter will have
+    configured it appropriately for their environment rather than
+    using it in the default configuration. Therefore, it is expected
+    that most users will not be impacted by this issue.
+  * Fix CVE-2016-5388:
+    Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875
+    section 4.1.18 and therefore does not protect applications from
+    the presence of untrusted client data in the HTTP_PROXY
+    environment variable, which might allow remote attackers to
+    redirect an application's outbound HTTP traffic to an arbitrary
+    proxy server via a crafted Proxy header in an HTTP request, aka an
+    "httpoxy" issue.  The 'cgi' servlet now has a 'envHttpHeaders'
+    parameter to filter environment variables.
+
+ -- Sylvain Beucler <beuc at debian.org>  Tue, 13 Aug 2019 16:22:22 +0200
+
 tomcat8 (8.0.14-1+deb8u14) jessie-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
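Review bot: two typos in the new changelog entry: `flacky` in the second bullet should be `flaky`, and `The defaults settings` in the CVE-2018-8014 bullet should read `The default settings`. This text is what ends up in the published DLA and in `apt changelog`, so it is worth correcting in the next upload.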


=====================================
debian/patches/0021-client-certificate-dn.patch
=====================================
@@ -0,0 +1,26 @@
+From: Sylvain Beucler <beuc at debian.org>
+Date: Wed Aug  7 21:47:13 CEST 2019
+Subject: Update client certificate CN
+Forwarded: no
+Last-Update: 2019-08-07
+
+See also:
+debian/rules
+debian/certificates/
+debian/source/include-binaries
+
+Index: tomcat8-8.0.14/test/org/apache/tomcat/util/net/TesterSupport.java
+===================================================================
+--- tomcat8-8.0.14.orig/test/org/apache/tomcat/util/net/TesterSupport.java
++++ tomcat8-8.0.14/test/org/apache/tomcat/util/net/TesterSupport.java
+@@ -163,8 +163,8 @@ public final class TesterSupport {
+ 
+         // Configure the Realm
+         TesterMapRealm realm = new TesterMapRealm();
+-        realm.addUser("CN=user1, C=US", "not used");
+-        realm.addUserRole("CN=user1, C=US", ROLE);
++        realm.addUser("CN=user1, OU=Apache Tomcat PMC, O=The Apache Software Foundation, L=Wakefield, ST=MA, C=US", "not used");
++        realm.addUserRole("CN=user1, OU=Apache Tomcat PMC, O=The Apache Software Foundation, L=Wakefield, ST=MA, C=US", ROLE);
+         ctx.setRealm(realm);
+ 
+         // Configure the authenticator
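Review bot: the full DN `CN=user1, OU=Apache Tomcat PMC, O=The Apache Software Foundation, L=Wakefield, ST=MA, C=US` is repeated verbatim on two consecutive lines; hoisting it into a local `String` constant keeps the next certificate refresh to a single edit. The realm looks the user up by this exact string, so the RDN order and the `, ` separators must be exactly what the connector derives from the client certificate's subject; the patch header should say that the value was taken from the regenerated `user1.jks` rather than typed by hand, otherwise a future reviewer cannot tell whether a mismatch is a typo or a certificate change.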


=====================================
debian/patches/CVE-2016-5388.patch
=====================================
@@ -0,0 +1,84 @@
+From: Mark Thomas <markt at apache.org>
+Date: Fri, 19 Aug 2016 16:57:16 +0000
+Subject: Add a new initialisation parameter, envHttpHeaders, to the
+  CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to
+  provide a mechanism that can be used to mitigate any future, similar
+  issues.
+
+Origin: http://svn.apache.org/1756941
+Last-Update: 2019-08-13
+Reviewed-by: Sylvain Beucler <beuc at debian.org>
+
+
+Index: tomcat8-8.0.14/webapps/docs/cgi-howto.xml
+===================================================================
+--- tomcat8-8.0.14.orig/webapps/docs/cgi-howto.xml
++++ tomcat8-8.0.14/webapps/docs/cgi-howto.xml
+@@ -86,6 +86,12 @@ if your script is itself executable (e.g
+ <li><strong>executable-arg-1</strong>, <strong>executable-arg-2</strong>,
+ and so on - additional arguments for the executable. These precede the
+ CGI script name. By default there are no additional arguments.</li>
++<li><strong>envHttpHeaders</strong> - A regular expression used to select the
++HTTP headers passed to the CGI process as environment variables. Note that
++headers are converted to upper case before matching and that the entire header
++name must match the pattern. Default is
++<code>ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT</code>
++</li>
+ <li><strong>parameterEncoding</strong> - Name of the parameter encoding
+ to be used with the CGI servlet. Default is
+ <code>System.getProperty("file.encoding","UTF-8")</code>.</li>
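Review bot: the documentation gives the default pattern but not the reason for it. One sentence noting that `PROXY` (and every other header not matched by the expression) is deliberately excluded, and that widening the expression to something like `.*` reintroduces the httpoxy exposure this parameter was added to mitigate, would help administrators who are tempted to loosen it.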
+Index: tomcat8-8.0.14/java/org/apache/catalina/servlets/CGIServlet.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/catalina/servlets/CGIServlet.java
++++ tomcat8-8.0.14/java/org/apache/catalina/servlets/CGIServlet.java
+@@ -36,6 +36,7 @@ import java.util.List;
+ import java.util.Locale;
+ import java.util.StringTokenizer;
+ import java.util.Vector;
++import java.util.regex.Pattern;
+ 
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletConfig;
+@@ -268,6 +269,16 @@ public final class CGIServlet extends Ht
+      */
+     private long stderrTimeout = 2000;
+ 
++    /**
++     * The regular expression used to select HTTP headers to be passed to the
++     * CGI process as environment variables. The name of the environment
++     * variable will be the name of the HTTP header converter to upper case,
++     * prefixed with <code>HTTP_</code> and with all <code>-</code> characters
++     * converted to <code>_</code>.
++     */
++    private Pattern envHttpHeadersPattern = Pattern.compile(
++            "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT");
++
+     /** object used to ensure multiple threads don't try to expand same file */
+     private static final Object expandFileLock = new Object();
+ 
+@@ -331,6 +342,10 @@ public final class CGIServlet extends Ht
+                     "stderrTimeout"));
+         }
+ 
++        if (getServletConfig().getInitParameter("envHttpHeaders") != null) {
++            envHttpHeadersPattern =
++                    Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"));
++        }
+     }
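Review bot: `Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"))` throws an unchecked `PatternSyntaxException` out of `init()` if the deployer mistypes the regular expression, which surfaces as a generic servlet initialisation failure. Catching it and rethrowing a `ServletException` that includes the offending value (or at least logging it) would make the misconfiguration much easier to diagnose. `getInitParameter("envHttpHeaders")` is also called twice; read it once into a local variable.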
+ 
+ 
+@@ -1073,12 +1088,8 @@ public final class CGIServlet extends Ht
+                 //REMIND: rewrite multiple headers as if received as single
+                 //REMIND: change character set
+                 //REMIND: I forgot what the previous REMIND means
+-                if ("AUTHORIZATION".equalsIgnoreCase(header) ||
+-                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
+-                    //NOOP per CGI specification section 11.2
+-                } else {
+-                    envp.put("HTTP_" + header.replace('-', '_'),
+-                             req.getHeader(header));
++                if (envHttpHeadersPattern.matcher(header).matches()) {
++                    envp.put("HTTP_" + header.replace('-', '_'), req.getHeader(header));
+                 }
+             }
+ 
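Review bot: the explicit `AUTHORIZATION` / `PROXY_AUTHORIZATION` exclusion required by CGI specification section 11.2 is removed here, and the guarantee now rests entirely on those names not matching `envHttpHeadersPattern`. With the default pattern that holds, but an administrator who sets `envHttpHeaders` to a permissive expression would start leaking request credentials into the CGI environment. Keeping the 11.2 exclusion as an unconditional check ahead of the pattern match costs nothing and preserves the previous behaviour regardless of configuration.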


=====================================
debian/patches/CVE-2017-5647.patch
=====================================
@@ -4,25 +4,123 @@ Subject: CVE-2017-5647
 
 Bug-Debian: https://bugs.debian.org/860068
 Origin: http://svn.apache.org/r1788999
----
- java/org/apache/coyote/AbstractProtocol.java       |  7 +-
- .../apache/coyote/http11/Http11AprProcessor.java   | 38 +++++++----
- .../apache/coyote/http11/Http11Nio2Processor.java  | 11 +++-
- .../apache/coyote/http11/Http11NioProcessor.java   | 26 ++++++--
- java/org/apache/tomcat/util/net/AprEndpoint.java   | 49 +++++++++-----
- java/org/apache/tomcat/util/net/Nio2Endpoint.java  | 25 ++++---
- java/org/apache/tomcat/util/net/NioEndpoint.java   | 76 ++++++++++++----------
- .../tomcat/util/net/SendfileKeepAliveState.java    | 39 +++++++++++
- java/org/apache/tomcat/util/net/SendfileState.java | 37 +++++++++++
- 9 files changed, 222 insertions(+), 86 deletions(-)
- create mode 100644 java/org/apache/tomcat/util/net/SendfileKeepAliveState.java
- create mode 100644 java/org/apache/tomcat/util/net/SendfileState.java
+Last-Update: 2019-08-07
+Reviewed-by: Sylvain Beucler <beuc at debian.org>
 
-diff --git a/java/org/apache/coyote/AbstractProtocol.java b/java/org/apache/coyote/AbstractProtocol.java
-index 9886cef..cabfbf6 100644
---- a/java/org/apache/coyote/AbstractProtocol.java
-+++ b/java/org/apache/coyote/AbstractProtocol.java
-@@ -710,10 +710,9 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+Dependencies:
+https://svn.apache.org/r1653887 https://svn.apache.org/r1695592
+  <bug>57481</bug>: Fix <code>IllegalStateException</code> at the end of
+  the request when using non-blocking reads with the HTTP BIO connector.
+https://svn.apache.org/r1712081 https://svn.apache.org/r1712529 / https://svn.apache.org/r1712925
+  <bug>57799</bug>: InputStream.available() was causing an IO operation
+  to occur even in blocking mode, which caused problems with NIO2.
+
+
+Index: tomcat8-8.0.14/java/org/apache/coyote/http11/AbstractHttp11Processor.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/coyote/http11/AbstractHttp11Processor.java
++++ tomcat8-8.0.14/java/org/apache/coyote/http11/AbstractHttp11Processor.java
+@@ -867,7 +867,7 @@ public abstract class AbstractHttp11Proc
+             break;
+         }
+         case AVAILABLE: {
+-            request.setAvailable(inputBuffer.available());
++            request.setAvailable(inputBuffer.available(param == Boolean.TRUE));
+             break;
+         }
+         case NB_WRITE_INTEREST: {
+@@ -910,6 +910,11 @@ public abstract class AbstractHttp11Proc
+             setErrorState(ErrorState.CLOSE_NOW, null);
+             break;
+         }
++        case IS_COMET: {
++            AtomicBoolean result = (AtomicBoolean) param;
++            result.set(isComet());
++            break;
++        }
+         default: {
+             actionInternal(actionCode, param);
+             break;
+@@ -1661,7 +1666,11 @@ public abstract class AbstractHttp11Proc
+         } else if (status == SocketStatus.OPEN_READ &&
+                 request.getReadListener() != null) {
+             try {
+-                if (inputBuffer.available() > 0) {
++                // Check of asyncStateMachine.isAsyncStarted() is to avoid issue
++                // with BIO. Because it can't do a non-blocking read, BIO always
++                // returns available() == 1. This causes a problem here at the
++                // end of a non-blocking read. See BZ 57481.
++                if (asyncStateMachine.isAsyncStarted()) {
+                     asyncStateMachine.asyncOperation();
+                 }
+             } catch (IllegalStateException x) {
+Index: tomcat8-8.0.14/java/org/apache/coyote/http11/AbstractInputBuffer.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/coyote/http11/AbstractInputBuffer.java
++++ tomcat8-8.0.14/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -272,14 +272,14 @@ public abstract class AbstractInputBuffe
+      * Available bytes in the buffers (note that due to encoding, this may not
+      * correspond).
+      */
+-    public int available() {
++    public int available(boolean read) {
+         int available = lastValid - pos;
+         if ((available == 0) && (lastActiveFilter >= 0)) {
+             for (int i = 0; (available == 0) && (i <= lastActiveFilter); i++) {
+                 available = activeFilters[i].available();
+             }
+         }
+-        if (available > 0) {
++        if (available > 0 || !read) {
+             return available;
+         }
+ 
+Index: tomcat8-8.0.14/java/org/apache/coyote/http11/InternalInputBuffer.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/coyote/http11/InternalInputBuffer.java
++++ tomcat8-8.0.14/java/org/apache/coyote/http11/InternalInputBuffer.java
+@@ -77,7 +77,7 @@ public class InternalInputBuffer extends
+      * tested for == 0 or > 0.
+      */
+     @Override
+-    public int available() {
++    public int available(boolean read) {
+         return 1;
+     }
+ 
+Index: tomcat8-8.0.14/java/org/apache/catalina/connector/InputBuffer.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/catalina/connector/InputBuffer.java
++++ tomcat8-8.0.14/java/org/apache/catalina/connector/InputBuffer.java
+@@ -22,6 +22,7 @@ import java.security.AccessController;
+ import java.security.PrivilegedActionException;
+ import java.security.PrivilegedExceptionAction;
+ import java.util.HashMap;
++import java.util.concurrent.atomic.AtomicBoolean;
+ 
+ import javax.servlet.ReadListener;
+ 
+@@ -241,7 +242,14 @@ public class InputBuffer extends Reader
+             available = cb.getLength();
+         }
+         if (available == 0) {
+-            coyoteRequest.action(ActionCode.AVAILABLE, null);
++            // Written this way to avoid use of IS_COMET action where possible
++            boolean readForAvailable = coyoteRequest.getReadListener() != null;
++            if (!readForAvailable) {
++                AtomicBoolean isComet = new AtomicBoolean();
++                coyoteRequest.action(ActionCode.IS_COMET, isComet);
++                readForAvailable = isComet.get();
++            }
++            coyoteRequest.action(ActionCode.AVAILABLE, Boolean.valueOf(readForAvailable));
+             available = (coyoteRequest.getAvailable() > 0) ? 1 : 0;
+         }
+         return available;
+Index: tomcat8-8.0.14/java/org/apache/coyote/AbstractProtocol.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/coyote/AbstractProtocol.java
++++ tomcat8-8.0.14/java/org/apache/coyote/AbstractProtocol.java
+@@ -710,10 +710,9 @@ public abstract class AbstractProtocol<S
                      release(wrapper, processor, false, true);
                  } else if (state == SocketState.SENDFILE) {
                      // Sendfile in progress. If it fails, the socket will be
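Review bot: the refreshed header lists the backported dependencies (r1653887, r1695592, r1712081, r1712529, r1712925) but still does not say which test was flaky or why these two upstream fixes cure it; the changelog only says `improving fix for CVE-2017-5647`. One or two sentences tying BZ 57481/57799 to the observed FTBFS would save the next reader from re-deriving that. On the code: in the `AbstractHttp11Processor` hunk around line 1661 the condition `if (inputBuffer.available() > 0)` becomes `if (asyncStateMachine.isAsyncStarted())`, which changes behaviour for every connector, not only the BIO case the comment describes, so the header should confirm this is upstream r1653887 taken verbatim. Also note that `InternalInputBuffer.available(boolean read)` ignores its argument and still returns 1, which is fine for BIO but worth a word in the Javadoc of the new parameter.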
@@ -36,11 +134,11 @@ index 9886cef..cabfbf6 100644
                  } else if (state == SocketState.UPGRADED) {
                      // Don't add sockets back to the poller if this was a
                      // non-blocking write otherwise the poller may trigger
-diff --git a/java/org/apache/coyote/http11/Http11AprProcessor.java b/java/org/apache/coyote/http11/Http11AprProcessor.java
-index e4ecd1a..a08da6f 100644
---- a/java/org/apache/coyote/http11/Http11AprProcessor.java
-+++ b/java/org/apache/coyote/http11/Http11AprProcessor.java
-@@ -37,6 +37,7 @@ import org.apache.tomcat.util.ExceptionUtils;
+Index: tomcat8-8.0.14/java/org/apache/coyote/http11/Http11AprProcessor.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/coyote/http11/Http11AprProcessor.java
++++ tomcat8-8.0.14/java/org/apache/coyote/http11/Http11AprProcessor.java
+@@ -37,6 +37,7 @@ import org.apache.tomcat.util.ExceptionU
  import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
  import org.apache.tomcat.util.net.AprEndpoint;
  import org.apache.tomcat.util.net.SSLSupport;
@@ -48,7 +146,7 @@ index e4ecd1a..a08da6f 100644
  import org.apache.tomcat.util.net.SocketStatus;
  import org.apache.tomcat.util.net.SocketWrapper;
  
-@@ -197,22 +198,31 @@ public class Http11AprProcessor extends AbstractHttp11Processor<Long> {
+@@ -197,22 +198,31 @@ public class Http11AprProcessor extends
          // Do sendfile as needed: add socket to sendfile and end
          if (sendfileData != null && !getErrorState().isError()) {
              sendfileData.socket = socketWrapper.getSocket().longValue();
@@ -64,14 +162,14 @@ index e4ecd1a..a08da6f 100644
 -                    }
 -                    setErrorState(ErrorState.CLOSE_NOW, null);
 +            if (keepAlive) {
-+                if (getInputBuffer().available() == 0) {
++                if (getInputBuffer().available(false) == 0) {
 +                    sendfileData.keepAliveState = SendfileKeepAliveState.OPEN;
                  } else {
 -                    // The sendfile Poller will add the socket to the main
 -                    // Poller once sendfile processing is complete
 -                    sendfileInProgress = true;
 +                    sendfileData.keepAliveState = SendfileKeepAliveState.PIPELINED;
-+                }
+                 }
 +            } else {
 +                sendfileData.keepAliveState = SendfileKeepAliveState.NONE;
 +            }
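Review bot: switching to `getInputBuffer().available(false)` makes the OPEN/PIPELINED decision on bytes already buffered, without the non-blocking read that the read-flavoured `available()` may perform; that is the intent (avoid an I/O operation while setting up sendfile, BZ 57799), but a one-line comment at the call site explaining why `false` is passed would help, since a bare boolean is opaque. The nested hunk also turns the closing `}` of the `if (keepAlive)` block from an added line into a context line, with the opposite change to the `}` in the next hunk below; this is only a refresh of the patch context, but double-check that the refreshed patch applies cleanly and leaves the braces balanced.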
@@ -89,16 +187,16 @@ index e4ecd1a..a08da6f 100644
 +                if (log.isDebugEnabled()) {
 +                    log.debug(sm.getString(
 +                            "http11processor.sendfile.error"));
-                 }
++                }
 +                setErrorState(ErrorState.CLOSE_NOW, null);
                  return true;
              }
          }
-diff --git a/java/org/apache/coyote/http11/Http11Nio2Processor.java b/java/org/apache/coyote/http11/Http11Nio2Processor.java
-index 6abd200..d13931a 100644
---- a/java/org/apache/coyote/http11/Http11Nio2Processor.java
-+++ b/java/org/apache/coyote/http11/Http11Nio2Processor.java
-@@ -35,6 +35,7 @@ import org.apache.tomcat.util.net.Nio2Channel;
+Index: tomcat8-8.0.14/java/org/apache/coyote/http11/Http11Nio2Processor.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/coyote/http11/Http11Nio2Processor.java
++++ tomcat8-8.0.14/java/org/apache/coyote/http11/Http11Nio2Processor.java
+@@ -35,6 +35,7 @@ import org.apache.tomcat.util.net.Nio2Ch
  import org.apache.tomcat.util.net.Nio2Endpoint;
  import org.apache.tomcat.util.net.SSLSupport;
  import org.apache.tomcat.util.net.SecureNio2Channel;
@@ -106,13 +204,13 @@ index 6abd200..d13931a 100644
  import org.apache.tomcat.util.net.SocketStatus;
  import org.apache.tomcat.util.net.SocketWrapper;
  
-@@ -279,7 +280,15 @@ public class Http11Nio2Processor extends AbstractHttp11Processor<Nio2Channel> {
+@@ -279,7 +280,15 @@ public class Http11Nio2Processor extends
          // Do sendfile as needed: add socket to sendfile and end
          if (sendfileData != null && !getErrorState().isError()) {
              ((Nio2Endpoint.Nio2SocketWrapper) socketWrapper).setSendfileData(sendfileData);
 -            sendfileData.keepAlive = keepAlive;
 +            if (keepAlive) {
-+                if (getInputBuffer().available() == 0) {
++                if (getInputBuffer().available(false) == 0) {
 +                    sendfileData.keepAliveState = SendfileKeepAliveState.OPEN;
 +                } else {
 +                    sendfileData.keepAliveState = SendfileKeepAliveState.PIPELINED;
@@ -123,11 +221,11 @@ index 6abd200..d13931a 100644
              switch (((Nio2Endpoint) endpoint)
                      .processSendfile((Nio2Endpoint.Nio2SocketWrapper) socketWrapper)) {
              case DONE:
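Review bot: same `available(false)` change as in the APR processor, and the `processSendfile` switch that follows relies on `keepAliveState` being set on every path, which the `OPEN` / `PIPELINED` / `NONE` branches here do. Since the identical block now appears in the APR, NIO and NIO2 processors, consider a shared helper on `AbstractHttp11Processor` that derives the `SendfileKeepAliveState` from `keepAlive` and `available(false)`, so the three copies cannot drift apart on the next backport.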
-diff --git a/java/org/apache/coyote/http11/Http11NioProcessor.java b/java/org/apache/coyote/http11/Http11NioProcessor.java
-index 30aa9e9..983bd06 100644
---- a/java/org/apache/coyote/http11/Http11NioProcessor.java
-+++ b/java/org/apache/coyote/http11/Http11NioProcessor.java
-@@ -36,6 +36,7 @@ import org.apache.tomcat.util.net.NioEndpoint;
+Index: tomcat8-8.0.14/java/org/apache/coyote/http11/Http11NioProcessor.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/coyote/http11/Http11NioProcessor.java
++++ tomcat8-8.0.14/java/org/apache/coyote/http11/Http11NioProcessor.java
+@@ -36,6 +36,7 @@ import org.apache.tomcat.util.net.NioEnd
  import org.apache.tomcat.util.net.NioEndpoint.KeyAttachment;
  import org.apache.tomcat.util.net.SSLSupport;
  import org.apache.tomcat.util.net.SecureNioChannel;
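Review bot: the `diff --git` / `index 30aa9e9..983bd06` header is rewritten into a quilt `Index:` header, which drops the upstream blob ids; make sure the patch's `Origin:` field (outside this hunk) still names the upstream revision so the change stays traceable. The same header rewrite is applied to every file below, so the hunk headers truncated to `extends Abstrac` are expected and lose no content.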
@@ -135,7 +233,7 @@ index 30aa9e9..983bd06 100644
  import org.apache.tomcat.util.net.SocketStatus;
  import org.apache.tomcat.util.net.SocketWrapper;
  
-@@ -270,28 +271,41 @@ public class Http11NioProcessor extends AbstractHttp11Processor<NioChannel> {
+@@ -270,28 +271,41 @@ public class Http11NioProcessor extends
          }
      }
  
@@ -148,7 +246,7 @@ index 30aa9e9..983bd06 100644
              ((KeyAttachment) socketWrapper).setSendfileData(sendfileData);
 -            sendfileData.keepAlive = keepAlive;
 +            if (keepAlive) {
-+                if (getInputBuffer().available() == 0) {
++                if (getInputBuffer().available(false) == 0) {
 +                    sendfileData.keepAliveState = SendfileKeepAliveState.OPEN;
 +                } else {
 +                    sendfileData.keepAliveState = SendfileKeepAliveState.PIPELINED;
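Review bot: this is the same `available()` → `available(false)` change as in Http11Nio2Processor above, so the NIO and NIO2 processors stay consistent. The APR processor is not touched by this refresh (only AprEndpoint is), so check whether its sendfile keep-alive decision has an equivalent call that needs the same argument.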
@@ -183,11 +281,11 @@ index 30aa9e9..983bd06 100644
          }
          return false;
      }
-diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java
-index 7db7214..66c876c 100644
---- a/java/org/apache/tomcat/util/net/AprEndpoint.java
-+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
-@@ -1973,7 +1973,7 @@ public class AprEndpoint extends AbstractEndpoint<Long> {
+Index: tomcat8-8.0.14/java/org/apache/tomcat/util/net/AprEndpoint.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/tomcat/util/net/AprEndpoint.java
++++ tomcat8-8.0.14/java/org/apache/tomcat/util/net/AprEndpoint.java
+@@ -1973,7 +1973,7 @@ public class AprEndpoint extends Abstrac
          // Position
          public long pos;
          // KeepAlive flag
@@ -196,7 +294,7 @@ index 7db7214..66c876c 100644
      }
  
  
-@@ -2061,7 +2061,7 @@ public class AprEndpoint extends AbstractEndpoint<Long> {
+@@ -2061,7 +2061,7 @@ public class AprEndpoint extends Abstrac
           * @return true if all the data has been sent right away, and false
           *              otherwise
           */
@@ -205,7 +303,7 @@ index 7db7214..66c876c 100644
              // Initialize fd from data given
              try {
                  data.fdpool = Socket.pool(data.socket);
-@@ -2079,7 +2079,7 @@ public class AprEndpoint extends AbstractEndpoint<Long> {
+@@ -2079,7 +2079,7 @@ public class AprEndpoint extends Abstrac
                          if (!(-nw == Status.EAGAIN)) {
                              Pool.destroy(data.fdpool);
                              data.socket = 0;
@@ -214,7 +312,7 @@ index 7db7214..66c876c 100644
                          } else {
                              // Break the loop and add the socket to poller.
                              break;
-@@ -2092,13 +2092,13 @@ public class AprEndpoint extends AbstractEndpoint<Long> {
+@@ -2092,13 +2092,13 @@ public class AprEndpoint extends Abstrac
                              // Set back socket to blocking mode
                              Socket.timeoutSet(
                                      data.socket, getSoTimeout() * 1000);
@@ -230,7 +328,7 @@ index 7db7214..66c876c 100644
              }
              // Add socket to the list. Newly added sockets will wait
              // at most for pollTime before being polled
-@@ -2106,7 +2106,7 @@ public class AprEndpoint extends AbstractEndpoint<Long> {
+@@ -2106,7 +2106,7 @@ public class AprEndpoint extends Abstrac
                  addS.add(data);
                  this.notify();
              }
@@ -239,7 +337,7 @@ index 7db7214..66c876c 100644
          }
  
          /**
-@@ -2216,20 +2216,33 @@ public class AprEndpoint extends AbstractEndpoint<Long> {
+@@ -2216,20 +2216,33 @@ public class AprEndpoint extends Abstrac
                              state.pos = state.pos + nw;
                              if (state.pos >= state.end) {
                                  remove(state);
@@ -285,11 +383,11 @@ index 7db7214..66c876c 100644
                                  }
                              }
                          }
-diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
-index 0f9a023..389c615 100644
---- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
-+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
-@@ -909,17 +909,22 @@ public class Nio2Endpoint extends AbstractEndpoint<Nio2Channel> {
+Index: tomcat8-8.0.14/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/tomcat/util/net/Nio2Endpoint.java
++++ tomcat8-8.0.14/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+@@ -909,17 +909,22 @@ public class Nio2Endpoint extends Abstra
                      } catch (IOException e) {
                          // Ignore
                      }
@@ -321,7 +419,7 @@ index 0f9a023..389c615 100644
                          }
                      }
                      return;
-@@ -1159,7 +1164,7 @@ public class Nio2Endpoint extends AbstractEndpoint<Nio2Channel> {
+@@ -1159,7 +1164,7 @@ public class Nio2Endpoint extends Abstra
          public long pos;
          public long length;
          // KeepAlive flag
@@ -330,11 +428,11 @@ index 0f9a023..389c615 100644
          // Internal use only
          private Nio2SocketWrapper socket;
          private ByteBuffer buffer;
-diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
-index 36a1c53..96386a4 100644
---- a/java/org/apache/tomcat/util/net/NioEndpoint.java
-+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
-@@ -1166,7 +1166,9 @@ public class NioEndpoint extends AbstractEndpoint<NioChannel> {
+Index: tomcat8-8.0.14/java/org/apache/tomcat/util/net/NioEndpoint.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/tomcat/util/net/NioEndpoint.java
++++ tomcat8-8.0.14/java/org/apache/tomcat/util/net/NioEndpoint.java
+@@ -1166,7 +1166,9 @@ public class NioEndpoint extends Abstrac
              return result;
          }
  
@@ -345,7 +443,7 @@ index 36a1c53..96386a4 100644
              NioChannel sc = null;
              try {
                  unreg(sk, attachment, sk.readyOps());
-@@ -1176,32 +1178,27 @@ public class NioEndpoint extends AbstractEndpoint<NioChannel> {
+@@ -1176,32 +1178,27 @@ public class NioEndpoint extends Abstrac
                      log.trace("Processing send file for: " + sd.fileName);
                  }
  
@@ -384,7 +482,7 @@ index 36a1c53..96386a4 100644
                          sd.pos += written;
                          sd.length -= written;
                          attachment.access();
-@@ -1214,7 +1211,7 @@ public class NioEndpoint extends AbstractEndpoint<NioChannel> {
+@@ -1214,7 +1211,7 @@ public class NioEndpoint extends Abstrac
                          }
                      }
                  }
@@ -393,7 +491,7 @@ index 36a1c53..96386a4 100644
                      if (log.isDebugEnabled()) {
                          log.debug("Send file complete for: "+sd.fileName);
                      }
-@@ -1223,48 +1220,61 @@ public class NioEndpoint extends AbstractEndpoint<NioChannel> {
+@@ -1223,48 +1220,61 @@ public class NioEndpoint extends Abstrac
                          sd.fchannel.close();
                      } catch (Exception ignore) {
                      }
@@ -474,7 +572,7 @@ index 36a1c53..96386a4 100644
          }
  
          protected void unreg(SelectionKey sk, KeyAttachment attachment, int readyOps) {
-@@ -1653,6 +1663,6 @@ public class NioEndpoint extends AbstractEndpoint<NioChannel> {
+@@ -1653,6 +1663,6 @@ public class NioEndpoint extends Abstrac
          public long pos;
          public long length;
          // KeepAlive flag
@@ -482,11 +580,10 @@ index 36a1c53..96386a4 100644
 +        public SendfileKeepAliveState keepAliveState = SendfileKeepAliveState.NONE;
      }
  }
-diff --git a/java/org/apache/tomcat/util/net/SendfileKeepAliveState.java b/java/org/apache/tomcat/util/net/SendfileKeepAliveState.java
-new file mode 100644
-index 0000000..b27a9f1
+Index: tomcat8-8.0.14/java/org/apache/tomcat/util/net/SendfileKeepAliveState.java
+===================================================================
 --- /dev/null
-+++ b/java/org/apache/tomcat/util/net/SendfileKeepAliveState.java
++++ tomcat8-8.0.14/java/org/apache/tomcat/util/net/SendfileKeepAliveState.java
 @@ -0,0 +1,39 @@
 +/*
 + *  Licensed to the Apache Software Foundation (ASF) under one or more
@@ -527,11 +624,10 @@ index 0000000..b27a9f1
 +     */
 +    OPEN
 +}
-diff --git a/java/org/apache/tomcat/util/net/SendfileState.java b/java/org/apache/tomcat/util/net/SendfileState.java
-new file mode 100644
-index 0000000..b354e2f
+Index: tomcat8-8.0.14/java/org/apache/tomcat/util/net/SendfileState.java
+===================================================================
 --- /dev/null
-+++ b/java/org/apache/tomcat/util/net/SendfileState.java
++++ tomcat8-8.0.14/java/org/apache/tomcat/util/net/SendfileState.java
 @@ -0,0 +1,37 @@
 +/*
 + *  Licensed to the Apache Software Foundation (ASF) under one or more
@@ -570,3 +666,99 @@ index 0000000..b354e2f
 +     */
 +    ERROR
 +}
+Index: tomcat8-8.0.14/java/org/apache/catalina/connector/CoyoteAdapter.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/catalina/connector/CoyoteAdapter.java
++++ tomcat8-8.0.14/java/org/apache/catalina/connector/CoyoteAdapter.java
+@@ -538,15 +538,11 @@ public class CoyoteAdapter implements Ad
+ 
+                 if (request.isComet()) {
+                     if (!response.isClosed() && !response.isError()) {
++                        comet = true;
++                        res.action(ActionCode.COMET_BEGIN, null);
+                         if (request.getAvailable() || (request.getContentLength() > 0 && (!request.isParametersParsed()))) {
+                             // Invoke a read event right away if there are available bytes
+-                            if (event(req, res, SocketStatus.OPEN_READ)) {
+-                                comet = true;
+-                                res.action(ActionCode.COMET_BEGIN, null);
+-                            }
+-                        } else {
+-                            comet = true;
+-                            res.action(ActionCode.COMET_BEGIN, null);
++                            event(req, res, SocketStatus.OPEN_READ);
+                         }
+                     } else {
+                         // Clear the filter chain, as otherwise it will not be reset elsewhere
+@@ -554,8 +550,8 @@ public class CoyoteAdapter implements Ad
+                         request.setFilterChain(null);
+                     }
+                 }
+-
+             }
++
+             AsyncContextImpl asyncConImpl = (AsyncContextImpl)request.getAsyncContext();
+             if (asyncConImpl != null) {
+                 async = true;
+Index: tomcat8-8.0.14/java/org/apache/catalina/core/StandardWrapperValve.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/catalina/core/StandardWrapperValve.java
++++ tomcat8-8.0.14/java/org/apache/catalina/core/StandardWrapperValve.java
+@@ -183,9 +183,6 @@ final class StandardWrapperValve
+         ApplicationFilterChain filterChain =
+             factory.createFilterChain(request, wrapper, servlet);
+ 
+-        // Reset comet flag value after creating the filter chain
+-        request.setComet(false);
+-
+         // Call the filter chain for this request
+         // NOTE: This also calls the servlet's service() method
+         try {
+@@ -198,7 +195,6 @@ final class StandardWrapperValve
+                             ((AsyncContextImpl)request.getAsyncContext()).doInternalDispatch();
+                         } else if (comet) {
+                             filterChain.doFilterEvent(request.getEvent());
+-                            request.setComet(true);
+                         } else {
+                             filterChain.doFilter(request.getRequest(),
+                                     response.getResponse());
+@@ -213,7 +209,6 @@ final class StandardWrapperValve
+                     if (request.isAsyncDispatching()) {
+                         ((AsyncContextImpl)request.getAsyncContext()).doInternalDispatch();
+                     } else if (comet) {
+-                        request.setComet(true);
+                         filterChain.doFilterEvent(request.getEvent());
+                     } else {
+                         filterChain.doFilter
+Index: tomcat8-8.0.14/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
++++ tomcat8-8.0.14/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
+@@ -603,6 +603,12 @@ public abstract class AbstractAjpProcess
+             throw new UnsupportedOperationException(
+                     sm.getString("ajpprocessor.comet.notsupported"));
+         }
++        case IS_COMET: {
++            // HTTP connections only. Unsupported for AJP.
++            AtomicBoolean result = (AtomicBoolean) param;
++            result.set(false);
++            break;
++        }
+         case AVAILABLE: {
+             if (available()) {
+                 request.setAvailable(1);
+Index: tomcat8-8.0.14/java/org/apache/coyote/ActionCode.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/coyote/ActionCode.java
++++ tomcat8-8.0.14/java/org/apache/coyote/ActionCode.java
+@@ -135,6 +135,11 @@ public enum ActionCode {
+     COMET_SETTIMEOUT,
+ 
+     /**
++     * Callback to determine if the current request is a Comet request.
++     */
++    IS_COMET,
++
++    /**
+      * Callback for an async request
+      */
+     ASYNC_START,
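Review bot: in the CoyoteAdapter part of this hunk the return value of `event(req, res, SocketStatus.OPEN_READ)` is now discarded, and `comet = true` / `res.action(ActionCode.COMET_BEGIN, null)` are issued before the read event instead of only when `event()` returned true; if that ordering is intentional (the read event must see the request already marked as Comet), say so in the patch description, since a failed first read now leaves `comet` set. StandardWrapperValve also drops the `request.setComet(false)` reset and the `request.setComet(true)` calls around the filter chain, and the replacement `IS_COMET` callback is only implemented for AJP here; verify the HTTP processors (not in this diff) handle `IS_COMET` as well, otherwise the new callback never answers for HTTP connections.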


=====================================
debian/patches/CVE-2018-8014.patch
=====================================
@@ -0,0 +1,268 @@
+From: Mark Thomas <markt at apache.org>
+Date: Wed, 16 May 2018 14:54:51 +0000
+Subject: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62343
+  Make CORS filter defaults more secure.
+  This is the fix for CVE-2018-8014.
+
+Bug-Debian: https://bugs.debian.org/898935
+Origin: http://svn.apache.org/1831729
+Last-Update: 2019-08-13
+Reviewed-by: Sylvain Beucler <beuc at debian.org>
+
+Index: tomcat8-8.0.14/test/org/apache/catalina/filters/TestCorsFilter.java
+===================================================================
+--- tomcat8-8.0.14.orig/test/org/apache/catalina/filters/TestCorsFilter.java
++++ tomcat8-8.0.14/test/org/apache/catalina/filters/TestCorsFilter.java
+@@ -51,8 +51,7 @@ public class TestCorsFilter {
+         corsFilter.doFilter(request, response, filterChain);
+ 
+         Assert.assertTrue(response.getHeader(
+-                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
+-                "https://www.apache.org"));
++                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals("*"));
+         Assert.assertTrue(((Boolean) request.getAttribute(
+                 CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+         Assert.assertTrue(request.getAttribute(
+@@ -84,8 +83,7 @@ public class TestCorsFilter {
+         corsFilter.doFilter(request, response, filterChain);
+ 
+         Assert.assertTrue(response.getHeader(
+-                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
+-                "https://www.apache.org"));
++                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals("*"));
+         Assert.assertTrue(((Boolean) request.getAttribute(
+                 CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+         Assert.assertTrue(request.getAttribute(
+@@ -116,8 +114,7 @@ public class TestCorsFilter {
+         corsFilter.doFilter(request, response, filterChain);
+ 
+         Assert.assertTrue(response.getHeader(
+-                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
+-                "https://www.apache.org"));
++                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals("*"));
+         Assert.assertTrue(((Boolean) request.getAttribute(
+                 CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+         Assert.assertTrue(request.getAttribute(
+@@ -162,41 +159,15 @@ public class TestCorsFilter {
+     }
+ 
+     /**
+-     * Tests the prsence of the origin (and not '*') in the response, when
+-     * supports credentials is enabled alongwith any origin, '*'.
++     * Tests the that supports credentials may not be enabled with any origin,
++     * '*'.
+      *
+-     * @throws IOException
+      * @throws ServletException
+      */
+-    @Test
+-    public void testDoFilterSimpleAnyOriginAndSupportsCredentials()
+-            throws IOException, ServletException {
+-        TesterHttpServletRequest request = new TesterHttpServletRequest();
+-        request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN,
+-                TesterFilterConfigs.HTTPS_WWW_APACHE_ORG);
+-        request.setMethod("GET");
+-        TesterHttpServletResponse response = new TesterHttpServletResponse();
+-
++    @Test(expected=ServletException.class)
++    public void testDoFilterSimpleAnyOriginAndSupportsCredentials() throws ServletException {
+         CorsFilter corsFilter = new CorsFilter();
+-        corsFilter.init(TesterFilterConfigs
+-                .getFilterConfigAnyOriginAndSupportsCredentials());
+-        corsFilter.doFilter(request, response, filterChain);
+-
+-        Assert.assertTrue(response.getHeader(
+-                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
+-                TesterFilterConfigs.HTTPS_WWW_APACHE_ORG));
+-        Assert.assertTrue(response.getHeader(
+-                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS)
+-                .equals(
+-                        "true"));
+-        Assert.assertTrue(((Boolean) request.getAttribute(
+-                CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+-        Assert.assertTrue(request.getAttribute(
+-                CorsFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals(
+-                TesterFilterConfigs.HTTPS_WWW_APACHE_ORG));
+-        Assert.assertTrue(request.getAttribute(
+-                CorsFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals(
+-                CorsFilter.CORSRequestType.SIMPLE.name().toLowerCase()));
++        corsFilter.init(TesterFilterConfigs.getFilterConfigAnyOriginAndSupportsCredentials());
+     }
+ 
+     /**
+@@ -257,8 +228,7 @@ public class TestCorsFilter {
+         corsFilter.doFilter(request, response, filterChain);
+ 
+         Assert.assertTrue(response.getHeader(
+-                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
+-                "https://www.apache.org"));
++                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals("*"));
+         Assert.assertTrue(response.getHeader(
+                 CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS)
+                 .equals(TesterFilterConfigs.EXPOSED_HEADERS));
+@@ -575,9 +545,8 @@ public class TestCorsFilter {
+         corsFilter.init(null);
+         corsFilter.doFilter(request, response, filterChain);
+ 
+-        Assert.assertTrue(response.getHeader(
+-                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
+-                "https://www.apache.org"));
++        Assert.assertNull(response.getHeader(
++                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN));
+         Assert.assertTrue(((Boolean) request.getAttribute(
+                 CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+         Assert.assertTrue(request.getAttribute(
+@@ -1251,7 +1220,7 @@ public class TestCorsFilter {
+         Assert.assertTrue(corsFilter.getAllowedOrigins().size() == 0);
+         Assert.assertTrue(corsFilter.isAnyOriginAllowed());
+         Assert.assertTrue(corsFilter.getExposedHeaders().size() == 0);
+-        Assert.assertTrue(corsFilter.isSupportsCredentials());
++        Assert.assertFalse(corsFilter.isSupportsCredentials());
+         Assert.assertTrue(corsFilter.getPreflightMaxAge() == 1800);
+     }
+ 
+@@ -1287,9 +1256,9 @@ public class TestCorsFilter {
+         Assert.assertTrue(corsFilter.getAllowedHttpHeaders().size() == 6);
+         Assert.assertTrue(corsFilter.getAllowedHttpMethods().size() == 4);
+         Assert.assertTrue(corsFilter.getAllowedOrigins().size() == 0);
+-        Assert.assertTrue(corsFilter.isAnyOriginAllowed());
++        Assert.assertFalse(corsFilter.isAnyOriginAllowed());
+         Assert.assertTrue(corsFilter.getExposedHeaders().size() == 0);
+-        Assert.assertTrue(corsFilter.isSupportsCredentials());
++        Assert.assertFalse(corsFilter.isSupportsCredentials());
+         Assert.assertTrue(corsFilter.getPreflightMaxAge() == 1800);
+     }
+ 
+@@ -1393,8 +1362,7 @@ public class TestCorsFilter {
+         corsFilter.doFilter(request, response, filterChain);
+ 
+         Assert.assertTrue(response.getHeader(
+-                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
+-                "https://www.apache.org"));
++                CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals("*"));
+         Assert.assertNull(request
+                 .getAttribute(CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST));
+         Assert.assertNull(request
+Index: tomcat8-8.0.14/test/org/apache/catalina/filters/TesterFilterConfigs.java
+===================================================================
+--- tomcat8-8.0.14.orig/test/org/apache/catalina/filters/TesterFilterConfigs.java
++++ tomcat8-8.0.14/test/org/apache/catalina/filters/TesterFilterConfigs.java
+@@ -34,12 +34,13 @@ public class TesterFilterConfigs {
+     public static final TesterServletContext mockServletContext =
+             new TesterServletContext();
+ 
++    // Default config for the test is to allow any origin
+     public static FilterConfig getDefaultFilterConfig() {
+         final String allowedHttpHeaders =
+                 CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
+         final String allowedHttpMethods =
+                 CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS;
+-        final String allowedOrigins = CorsFilter.DEFAULT_ALLOWED_ORIGINS;
++        final String allowedOrigins = ANY_ORIGIN;
+         final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
+         final String supportCredentials =
+                 CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS;
+@@ -57,7 +58,7 @@ public class TesterFilterConfigs {
+                 CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
+         final String allowedHttpMethods =
+                 CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS + ",PUT";
+-        final String allowedOrigins = CorsFilter.DEFAULT_ALLOWED_ORIGINS;
++        final String allowedOrigins = ANY_ORIGIN;
+         final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
+         final String supportCredentials = "true";
+         final String preflightMaxAge =
+@@ -75,7 +76,7 @@ public class TesterFilterConfigs {
+                 CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
+         final String allowedHttpMethods =
+                 CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS + ",PUT";
+-        final String allowedOrigins = CorsFilter.DEFAULT_ALLOWED_ORIGINS;
++        final String allowedOrigins = ANY_ORIGIN;
+         final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
+         final String supportCredentials = "false";
+         final String preflightMaxAge =
+@@ -111,7 +112,7 @@ public class TesterFilterConfigs {
+                 CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
+         final String allowedHttpMethods =
+                 CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS;
+-        final String allowedOrigins = CorsFilter.DEFAULT_ALLOWED_ORIGINS;
++        final String allowedOrigins = ANY_ORIGIN;
+         final String exposedHeaders = EXPOSED_HEADERS;
+         final String supportCredentials =
+                 CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS;
+@@ -220,7 +221,7 @@ public class TesterFilterConfigs {
+                 CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
+         final String allowedHttpMethods =
+                 CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS;
+-        final String allowedOrigins = CorsFilter.DEFAULT_ALLOWED_ORIGINS;
++        final String allowedOrigins = ANY_ORIGIN;
+         final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
+         final String supportCredentials =
+                 CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS;
+Index: tomcat8-8.0.14/java/org/apache/catalina/filters/CorsFilter.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/catalina/filters/CorsFilter.java
++++ tomcat8-8.0.14/java/org/apache/catalina/filters/CorsFilter.java
+@@ -261,17 +261,14 @@ public final class CorsFilter implements
+ 
+         // Section 6.1.3
+         // Add a single Access-Control-Allow-Origin header.
+-        if (anyOriginAllowed && !supportsCredentials) {
+-            // If resource doesn't support credentials and if any origin is
+-            // allowed
+-            // to make CORS request, return header with '*'.
++        if (anyOriginAllowed) {
++            // If any origin is allowed, return header with '*'.
+             response.addHeader(
+                     CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
+                     "*");
+         } else {
+-            // If the resource supports credentials add a single
+-            // Access-Control-Allow-Origin header, with the value of the Origin
+-            // header as value.
++            // Add a single Access-Control-Allow-Origin header, with the value
++            // of the Origin header as value.
+             response.addHeader(
+                     CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
+                     origin);
+@@ -754,6 +751,10 @@ public final class CorsFilter implements
+                     .parseBoolean(supportsCredentials);
+         }
+ 
++        if (this.supportsCredentials && this.anyOriginAllowed) {
++            throw new ServletException(sm.getString("corsFilter.invalidSupportsCredentials"));
++        }
++
+         if (preflightMaxAge != null) {
+             try {
+                 if (!preflightMaxAge.isEmpty()) {
+@@ -1091,7 +1092,7 @@ public final class CorsFilter implements
+     /**
+      * By default, all origins are allowed to make requests.
+      */
+-    public static final String DEFAULT_ALLOWED_ORIGINS = "*";
++    public static final String DEFAULT_ALLOWED_ORIGINS = "";
+ 
+     /**
+      * By default, following methods are supported: GET, POST, HEAD and OPTIONS.
+@@ -1107,7 +1108,7 @@ public final class CorsFilter implements
+     /**
+      * By default, support credentials is turned on.
+      */
+-    public static final String DEFAULT_SUPPORTS_CREDENTIALS = "true";
++    public static final String DEFAULT_SUPPORTS_CREDENTIALS = "false";
+ 
+     /**
+      * By default, following headers are supported:
+Index: tomcat8-8.0.14/java/org/apache/catalina/filters/LocalStrings.properties
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/catalina/filters/LocalStrings.properties
++++ tomcat8-8.0.14/java/org/apache/catalina/filters/LocalStrings.properties
+@@ -14,6 +14,8 @@
+ # limitations under the License.
+ 
+ addDefaultCharset.unsupportedCharset=Specified character set [{0}] is not supported
++
++corsFilter.invalidSupportsCredentials=It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*]
+ corsFilter.invalidPreflightMaxAge=Unable to parse preflightMaxAge
+ corsFilter.nullRequest=HttpServletRequest object is null
+ corsFilter.nullRequestType=CORSRequestType object is null
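Review bot: the Javadoc above the two changed defaults is now stale: `DEFAULT_ALLOWED_ORIGINS` becomes `""` while its comment still reads "By default, all origins are allowed to make requests.", and `DEFAULT_SUPPORTS_CREDENTIALS` becomes `"false"` while its comment still says "By default, support credentials is turned on."; update both comments in the patch. The new `init()` guard `if (this.supportsCredentials && this.anyOriginAllowed)` is placed right after `supportsCredentials` is parsed, so confirm `anyOriginAllowed` is computed earlier in `init()` (not in this hunk), or the check can never fire. The simplified `if (anyOriginAllowed)` branch in the response code is correct only because of that guard, which is worth a one-line comment there.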


=====================================
debian/patches/CVE-2019-0221.patch
=====================================
@@ -0,0 +1,21 @@
+From: Mark Thomas <markt at apache.org>
+Date: Mon, 11 Mar 2019 11:33:03 +0000
+Subject: [PATCH] Escape debug output to aid readability
+Origin: https://github.com/apache/tomcat/commit/4fcdf70
+Bug-Debian: https://bugs.debian.org/929895
+Last-Update: 2019-08-13
+Reviewed-by: Sylvain Beucler <beuc at debian.org>
+
+Index: tomcat8-8.0.14/java/org/apache/catalina/ssi/SSIPrintenv.java
+===================================================================
+--- tomcat8-8.0.14.orig/java/org/apache/catalina/ssi/SSIPrintenv.java
++++ tomcat8-8.0.14/java/org/apache/catalina/ssi/SSIPrintenv.java
+@@ -44,7 +44,7 @@ public class SSIPrintenv implements SSIC
+             while (iter.hasNext()) {
+                 String variableName = iter.next();
+                 String variableValue = ssiMediator
+-                        .getVariableValue(variableName);
++                        .getVariableValue(variableName, "entity");
+                 //This shouldn't happen, since all the variable names must
+                 // have values
+                 if (variableValue == null) {
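Review bot: the patch header keeps the upstream Subject ("Escape debug output to aid readability"), which does not say that this is the XSS fix for CVE-2019-0221; add a line to the description so the security intent is recorded in the patch, not only in its filename. Also confirm that `SSIMediator.getVariableValue(String, String)` with the `"entity"` encoding exists in this 8.0.14 tree, since the Origin is a 2019 upstream commit and the two-argument overload may need backporting alongside this one-line change.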


=====================================
debian/patches/series
=====================================
@@ -45,3 +45,7 @@ CVE-2018-1305_2_of_2.patch
 CVE-2018-1336.patch
 CVE-2018-8034.patch
 CVE-2018-11784.patch
+0021-client-certificate-dn.patch
+CVE-2019-0221.patch
+CVE-2018-8014.patch
+CVE-2016-5388.patch


=====================================
debian/rules
=====================================
@@ -80,9 +80,11 @@ clean:
 	rm -f build-stamp modules/jdbc-pool/output/resources/MANIFEST.MF
 	rm -f debian/tomcat8.postrm
 	mv -f test/org/apache/tomcat/util/net/localhost-cert.pem~  test/org/apache/tomcat/util/net/localhost-cert.pem  2>/dev/null || true
+	mv -f test/org/apache/tomcat/util/net/localhost-key.pem~   test/org/apache/tomcat/util/net/localhost-key.pem   2>/dev/null || true
 	mv -f test/org/apache/tomcat/util/net/localhost-copy1.jks~ test/org/apache/tomcat/util/net/localhost-copy1.jks 2>/dev/null || true
 	mv -f test/org/apache/tomcat/util/net/localhost.jks~       test/org/apache/tomcat/util/net/localhost.jks       2>/dev/null || true
 	mv -f test/org/apache/tomcat/util/net/user1.jks~           test/org/apache/tomcat/util/net/user1.jks           2>/dev/null || true
+	mv -f test/org/apache/tomcat/util/net/ca.jks~              test/org/apache/tomcat/util/net/ca.jks              2>/dev/null || true
 	dh_clean
 	mh_clean
 


=====================================
debian/source/include-binaries
=====================================
@@ -1,3 +1,4 @@
 debian/certificates/localhost.jks
 debian/certificates/user1.jks
 debian/certificates/localhost-copy1.jks
+debian/certificates/ca.jks



View it on GitLab: https://salsa.debian.org/java-team/tomcat8/compare/e4c5e7f8f55813ce2f541099f3d880fa90306df5...56b840e5ad5f76d04b9e881395b33e7781255a8a
