[Git][java-team/tomcat8][stretch] 3 commits: Import Debian changes 8.5.54-0+deb9u4

Markus Koschany (@apo) gitlab at salsa.debian.org
Wed Aug 4 23:01:20 BST 2021



Markus Koschany pushed to branch stretch at Debian Java Maintainers / tomcat8


Commits:
1f2ea40a by Chris Lamb at 2021-08-05T00:00:05+02:00
Import Debian changes 8.5.54-0+deb9u4

tomcat8 (8.5.54-0+deb9u4) stretch-security; urgency=high
..
  * Non-maintainer upload by the LTS team.
  * CVE-2020-13943: Prevent an issue where an excessive number of concurrent
    streams could result in users seeing responses for unexpected resources.

- - - - -
ec904d4d by Utkarsh Gupta at 2021-08-05T00:00:25+02:00
Import Debian changes 8.5.54-0+deb9u5

tomcat8 (8.5.54-0+deb9u5) stretch-security; urgency=high
..
  * Non-maintainer upload by the LTS team.
  * Add patch to fix concurrency issue in HPACK decoder.
    (Fixes: CVE-2020-17527)

- - - - -
36f47384 by Anton Gladky at 2021-08-05T00:00:36+02:00
Import Debian changes 8.5.54-0+deb9u6

tomcat8 (8.5.54-0+deb9u6) stretch-security; urgency=high
..
  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-25122
      When responding to new h2c connection requests, Apache Tomcat could
      duplicate request headers and a limited amount of request body from one
      request to another meaning user A and user B could both see the results
      of user A's request.
  * Fix CVE-2021-25329
      The fix for 2020-9484 was incomplete. When using Apache Tomcat 8.5.0 to
      8.5.61 with a configuration edge case that was highly unlikely to be used,
      the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both
      the previously published prerequisites for CVE-2020-9484 and the
      previously published mitigations for CVE-2020-9484 also apply to this
      issue.
  * Fix CVE-2021-24122
      When serving resources from a network location using the NTFS file system,
      Apache Tomcat versions 8.5.0 to 8.5.59 is susceptible to JSP source code
      disclosure in some configurations. The root cause was the unexpected
      behaviour of the JRE API File.getCanonicalPath() which in turn was caused
      by the inconsistent behaviour of the Windows API (FindFirstFileW) in some
      circumstances.

- - - - -


8 changed files:

- + debian/.gitlab-ci.yml
- debian/changelog
- + debian/patches/CVE-2020-13943.patch
- + debian/patches/CVE-2020-17527.patch
- + debian/patches/CVE-2021-24122.patch
- + debian/patches/CVE-2021-25122.patch
- + debian/patches/CVE-2021-25329.patch
- debian/patches/series


Changes:

=====================================
debian/.gitlab-ci.yml
=====================================
@@ -0,0 +1,7 @@
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'stretch'
+  SALSA_CI_COMPONENTS: 'main contrib non-free'
+  SALSA_CI_DISABLE_REPROTEST: 1
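Review bot: the `include:` fetches the Salsa CI recipe from the `master` ref of salsa-ci-team/pipeline by raw URL, so the pipeline this package runs can change at any time without a commit here; if stable CI behaviour is wanted, pin the include to a tag or commit ref. `SALSA_CI_DISABLE_REPROTEST: 1` also switches off the reproducibility job, and a one-line comment on why would help the next uploader.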


=====================================
debian/changelog
=====================================
@@ -1,3 +1,44 @@
+tomcat8 (8.5.54-0+deb9u6) stretch-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2021-25122
+      When responding to new h2c connection requests, Apache Tomcat could
+      duplicate request headers and a limited amount of request body from one
+      request to another meaning user A and user B could both see the results
+      of user A's request.
+  * Fix CVE-2021-25329
+      The fix for 2020-9484 was incomplete. When using Apache Tomcat 8.5.0 to
+      8.5.61 with a configuration edge case that was highly unlikely to be used,
+      the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both
+      the previously published prerequisites for CVE-2020-9484 and the
+      previously published mitigations for CVE-2020-9484 also apply to this
+      issue.
+  * Fix CVE-2021-24122
+      When serving resources from a network location using the NTFS file system,
+      Apache Tomcat versions 8.5.0 to 8.5.59 is susceptible to JSP source code
+      disclosure in some configurations. The root cause was the unexpected
+      behaviour of the JRE API File.getCanonicalPath() which in turn was caused
+      by the inconsistent behaviour of the Windows API (FindFirstFileW) in some
+      circumstances.
+
+ -- Anton Gladky <gladk at debian.org>  Mon, 15 Mar 2021 21:18:04 +0100
+
+tomcat8 (8.5.54-0+deb9u5) stretch-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Add patch to fix concurrency issue in HPACK decoder.
+    (Fixes: CVE-2020-17527)
+
+ -- Utkarsh Gupta <utkarsh at debian.org>  Mon, 07 Dec 2020 01:54:50 +0530
+
+tomcat8 (8.5.54-0+deb9u4) stretch-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * CVE-2020-13943: Prevent an issue where an excessive number of concurrent
+    streams could result in users seeing responses for unexpected resources.
+
+ -- Chris Lamb <lamby at debian.org>  Wed, 14 Oct 2020 10:54:20 +0100
+
 tomcat8 (8.5.54-0+deb9u3) stretch-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
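Review bot: the CVE-2021-25329 entry cites `2020-9484` without the CVE- prefix and then `CVE-2020-9494`, which does not match the `CVE-2020-9484` identifier used twice more in the same paragraph; check both against the upstream advisory text before release. Minor grammar in the CVE-2021-24122 entry: `versions 8.5.0 to 8.5.59 is susceptible` should read `are susceptible`.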
@@ -574,7 +615,7 @@ tomcat8 (8.0.3-1) unstable; urgency=medium
     on the tomcat-i18n jars instead of a patch turning them into zip files.
   * Removed 0011-fix-classpath-lintian-warnings.patch and specified
     the classpath of jasper.jar in libtomcat8-java.manifest instead.
-  
+
   [ tony mancill ]
   * Include tomcat-util-scan.jar in the libtomcat8-java package.
   * Remove debian/NEWS (inapplicable to this release).


=====================================
debian/patches/CVE-2020-13943.patch
=====================================
@@ -0,0 +1,56 @@
+--- tomcat8-8.5.54.orig/java/org/apache/coyote/http2/Http2Parser.java
++++ tomcat8-8.5.54/java/org/apache/coyote/http2/Http2Parser.java
+@@ -647,7 +647,7 @@ class Http2Parser {
+         HeaderEmitter headersStart(int streamId, boolean headersEndStream)
+                 throws Http2Exception, IOException;
+         void headersContinue(int payloadSize, boolean endOfHeaders);
+-        void headersEnd(int streamId) throws ConnectionException;
++        void headersEnd(int streamId) throws Http2Exception;
+ 
+         // Priority frames (also headers)
+         void reprioritise(int streamId, int parentStreamId, boolean exclusive, int weight)
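Review bot: this patch carries no description header (no From/Date/Subject line and no upstream bug or commit URL), unlike the other four patches in this upload; add a DEP-3 style `Origin:`/`Bug:` block so the backport is traceable. The widening of `headersEnd` from `ConnectionException` to `Http2Exception` in this hunk exists because the relocated limit check throws `StreamException` from `headersEnd`; one sentence saying so would save the next rebaser a search.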
+--- tomcat8-8.5.54.orig/java/org/apache/coyote/http2/Http2UpgradeHandler.java
++++ tomcat8-8.5.54/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+@@ -1559,16 +1559,6 @@ public class Http2UpgradeHandler extends
+             stream.checkState(FrameType.HEADERS);
+             stream.receivedStartOfHeaders(headersEndStream);
+             closeIdleStreams(streamId);
+-            if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) {
+-                setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet());
+-                // Ignoring maxConcurrentStreams increases the overhead count
+-                increaseOverheadCount();
+-                throw new StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams",
+-                        Long.toString(localSettings.getMaxConcurrentStreams())),
+-                        Http2Error.REFUSED_STREAM, streamId);
+-            }
+-            // Valid new stream reduces the overhead count
+-            reduceOverheadCount();
+             return stream;
+         } else {
+             if (log.isDebugEnabled()) {
+@@ -1636,12 +1626,24 @@ public class Http2UpgradeHandler extends
+ 
+ 
+     @Override
+-    public void headersEnd(int streamId) throws ConnectionException {
++    public void headersEnd(int streamId) throws Http2Exception {
+         Stream stream = getStream(streamId, connectionState.get().isNewStreamAllowed());
+         if (stream != null) {
+             setMaxProcessedStream(streamId);
+             if (stream.isActive()) {
+                 if (stream.receivedEndOfHeaders()) {
++
++                    if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) {
++                        setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet());
++                        // Ignoring maxConcurrentStreams increases the overhead count
++                        increaseOverheadCount();
++                        throw new StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams",
++                                Long.toString(localSettings.getMaxConcurrentStreams())),
++                                Http2Error.REFUSED_STREAM, streamId);
++                    }
++                    // Valid new stream reduces the overhead count
++                    reduceOverheadCount();
++
+                     processStreamOnContainerThread(stream);
+                 }
+             }
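Review bot: the relocated `maxConcurrentStreams` check now runs only inside `stream.isActive()` and `stream.receivedEndOfHeaders()`, so a new stream that is not active by the time `headersEnd` is reached is never counted in `activeRemoteStreamCount`; confirm that the decrement on stream close still balances against this narrower increment, otherwise the counter drifts and the `REFUSED_STREAM` path fires either too eagerly or never. A short comment above the moved block explaining why the check left `headersStart` (the limit is applied once the header block is complete) would help future rebases.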


=====================================
debian/patches/CVE-2020-17527.patch
=====================================
@@ -0,0 +1,58 @@
+From 21e3408671aac7e0d7e264e720cac8b1b189eb29 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Mon, 9 Nov 2020 19:23:12 +0000
+Subject: [PATCH] Fix BZ 64830 - concurrency issue in HPACK decoder
+
+https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
+---
+ java/org/apache/coyote/http2/HpackDecoder.java | 12 ++++--------
+ webapps/docs/changelog.xml                     |  3 +++
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/java/org/apache/coyote/http2/HpackDecoder.java
++++ b/java/org/apache/coyote/http2/HpackDecoder.java
+@@ -72,8 +72,6 @@
+     private volatile boolean countedCookie;
+     private volatile int headerSize = 0;
+ 
+-    private final StringBuilder stringBuilder = new StringBuilder();
+-
+     public HpackDecoder(int maxMemorySize) {
+         this.maxMemorySizeHard = maxMemorySize;
+         this.maxMemorySizeSoft = maxMemorySize;
+@@ -222,19 +220,17 @@
+         if (huffman) {
+             return readHuffmanString(length, buffer);
+         }
++        StringBuilder stringBuilder = new StringBuilder(length);
+         for (int i = 0; i < length; ++i) {
+             stringBuilder.append((char) buffer.get());
+         }
+-        String ret = stringBuilder.toString();
+-        stringBuilder.setLength(0);
+-        return ret;
++        return stringBuilder.toString();
+     }
+ 
+     private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException {
++        StringBuilder stringBuilder = new StringBuilder(length);
+         HPackHuffman.decode(buffer, length, stringBuilder);
+-        String ret = stringBuilder.toString();
+-        stringBuilder.setLength(0);
+-        return ret;
++        return stringBuilder.toString();
+     }
+ 
+     private String handleIndexedHeaderName(int index) throws HpackException {
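Review bot: `new StringBuilder(length)` uses the wire-supplied string length as the initial capacity in both readers; that is fine provided `length` has already been checked against the decoder's header-size limit (`maxMemorySizeHard` in the first hunk) before these methods run, otherwise every header literal costs an allocation of its declared size. For `readHuffmanString` the decoded output is normally longer than the encoded `length`, so the builder grows regardless; a comment that the capacity is only an estimate would avoid a reader assuming it is exact.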
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -115,6 +115,9 @@
+         header can be tailored based on the properties of the request, such as
+         the user agent, if required. Based on a patch by Lazar Kirchev. (markt)
+       </add>
++      <fix>
++        <bug>64830</bug>: Fix concurrency issue in HPACK decoder. (markt)
++      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Jasper">


=====================================
debian/patches/CVE-2021-24122.patch
=====================================
@@ -0,0 +1,89 @@
+From 935fc5582dc25ae10bab6f9d5629ff8d996cb533 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Fri, 6 Nov 2020 19:03:57 +0000
+Subject: [PATCH] Fix BZ 64871. Log if file access is blocked due to symlinks
+
+https://bz.apache.org/bugzilla/show_bug.cgi?id=64871
+---
+ .../webresources/AbstractFileResourceSet.java | 19 ++++++++++++++++++-
+ .../webresources/LocalStrings.properties      |  2 ++
+ webapps/docs/changelog.xml                    |  4 ++++
+ 3 files changed, 24 insertions(+), 1 deletion(-)
+
+Index: tomcat8/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+===================================================================
+--- tomcat8.orig/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
++++ tomcat8/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
+ import java.net.URL;
+ 
+ import org.apache.catalina.LifecycleException;
++import org.apache.juli.logging.Log;
++import org.apache.juli.logging.LogFactory;
+ import org.apache.tomcat.util.compat.JrePlatform;
+ import org.apache.tomcat.util.http.RequestUtil;
+ 
+ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
+ 
++    private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
++
+     protected static final String[] EMPTY_STRING_ARRAY = new String[0];
+ 
+     private File fileBase;
+@@ -128,6 +132,19 @@ public abstract class AbstractFileResour
+             canPath = normalize(canPath);
+         }
+         if (!canPath.equals(absPath)) {
++            if (!canPath.equalsIgnoreCase(absPath)) {
++                // Typically means symlinks are in use but being ignored. Given
++                // the symlink was likely created for a reason, log a warning
++                // that it was ignored.
++                String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
++                        getRoot().getContext().getName(), absPath, canPath);
++                // Log issues with configuration files at a higher level
++                if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
++                    log.error(msg);
++                } else {
++                    log.warn(msg);
++                }
++            }
+             return null;
+         }
+ 
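Review bot: style nit at `if(absPath.startsWith(` (missing space after `if`). Behaviourally, the warning is emitted only when the canonical and absolute paths differ in more than case, so a case-only mismatch (the `equalsIgnoreCase` branch) is still rejected silently; if that is deliberate the comment should say so, since on case-insensitive file systems it is a common reason for a lookup failing and an operator would otherwise see no log line at all.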
+@@ -144,7 +161,7 @@ public abstract class AbstractFileResour
+         // expression irrespective of input length.
+         for (int i = 0; i < len; i++) {
+             char c = name.charAt(i);
+-            if (c == '\"' || c == '<' || c == '>') {
++            if (c == '\"' || c == '<' || c == '>' || c == ':') {
+                 // These characters are disallowed in Windows file names and
+                 // there are known problems for file names with these characters
+                 // when using File#getCanonicalPath().
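Review bot: adding `':'` to the disallowed character set is the change that matters for CVE-2021-24122; the patch header and the `changelog.xml` hunk below only document the symlink warning (BZ 64871), so a later rebase could drop this line as an incidental part of the logging change. Add the CVE reference to the patch header and extend the existing comment to say why `':'` is rejected alongside `"`, `<` and `>`.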
+Index: tomcat8/java/org/apache/catalina/webresources/LocalStrings.properties
+===================================================================
+--- tomcat8.orig/java/org/apache/catalina/webresources/LocalStrings.properties
++++ tomcat8/java/org/apache/catalina/webresources/LocalStrings.properties
+@@ -15,6 +15,8 @@
+ 
+ abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
+ 
++abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
++
+ abstractResource.getContentFail=Unable to return [{0}] as a byte array
+ abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array
+ 
+Index: tomcat8/webapps/docs/changelog.xml
+===================================================================
+--- tomcat8.orig/webapps/docs/changelog.xml
++++ tomcat8/webapps/docs/changelog.xml
+@@ -118,6 +118,10 @@
+       <fix>
+         <bug>64830</bug>: Fix concurrency issue in HPACK decoder. (markt)
+       </fix>
++      <add>
++        <bug>64871</bug>: Log a warning if Tomcat blocks access to a file
++        because it uses symlinks. (markt)
++      </add>
+     </changelog>
+   </subsection>
+   <subsection name="Jasper">


=====================================
debian/patches/CVE-2021-25122.patch
=====================================
@@ -0,0 +1,58 @@
+From bb0e7c1e0d737a0de7d794572517bce0e91d30fa Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Thu, 14 Jan 2021 16:59:43 +0000
+Subject: [PATCH] Simplify the code and fix an edge case for BZ 64830
+
+https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
+---
+ java/org/apache/coyote/AbstractProtocol.java | 6 +++---
+ webapps/docs/changelog.xml                   | 4 ++++
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+Index: tomcat8/java/org/apache/coyote/AbstractProtocol.java
+===================================================================
+--- tomcat8.orig/java/org/apache/coyote/AbstractProtocol.java
++++ tomcat8/java/org/apache/coyote/AbstractProtocol.java
+@@ -820,8 +820,10 @@ public abstract class AbstractProtocol<S
+                     if (state == SocketState.UPGRADING) {
+                         // Get the HTTP upgrade handler
+                         UpgradeToken upgradeToken = processor.getUpgradeToken();
+-                        // Retrieve leftover input
++                        // Restore leftover input to the wrapper so the upgrade
++                        // processor can process it.
+                         ByteBuffer leftOverInput = processor.getLeftoverInput();
++                        wrapper.unRead(leftOverInput);
+                         if (upgradeToken == null) {
+                             // Assume direct HTTP/2 connection
+                             UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
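Review bot: `wrapper.unRead(leftOverInput)` is now called before the `upgradeToken == null` branch, i.e. before `release(processor)` and before the upgrade processor is created, and it runs on every path out of this block, including the `else` at the end of the next hunk whose body is not shown; confirm that branch (no `h2c` upgrade protocol available) closes or resets the wrapper so the restored bytes cannot be consumed by a later, unrelated processor. The updated comment explains the intent well; a CVE-2021-25122 reference in the patch header would tie this "edge case" to the security fix.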
+@@ -830,7 +832,6 @@ public abstract class AbstractProtocol<S
+                                 release(processor);
+                                 // Create the upgrade processor
+                                 processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
+-                                wrapper.unRead(leftOverInput);
+                                 // Associate with the processor with the connection
+                                 connections.put(socket, processor);
+                             } else {
+@@ -852,7 +853,6 @@ public abstract class AbstractProtocol<S
+                                 getLog().debug(sm.getString("abstractConnectionHandler.upgradeCreate",
+                                         processor, wrapper));
+                             }
+-                            wrapper.unRead(leftOverInput);
+                             // Mark the connection as upgraded
+                             wrapper.setUpgraded(true);
+                             // Associate with the processor with the connection
+Index: tomcat8/webapps/docs/changelog.xml
+===================================================================
+--- tomcat8.orig/webapps/docs/changelog.xml
++++ tomcat8/webapps/docs/changelog.xml
+@@ -183,6 +183,10 @@
+   <subsection name="Coyote">
+     <changelog>
+       <fix>
++        Additional fix for <bug>64830</bug> to address an edge case that could
++        trigger request corruption with h2c connections. (markt)
++      </fix>
++      <fix>
+         <bug>64210</bug>: Correct a regression in the improvements to HTTP
+         header validation that caused requests to be incorrectly treated as
+         invalid if a <code>CRLF</code> sequence was split between TCP packets.


=====================================
debian/patches/CVE-2021-25329.patch
=====================================
@@ -0,0 +1,153 @@
+From 93f0cc403a9210d469afc2bd9cf03ab3251c6f35 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt at apache.org>
+Date: Wed, 20 Jan 2021 13:28:57 +0000
+Subject: [PATCH] Use java.nio.file.Path for consistent sub-directory checking
+
+---
+ .../catalina/servlets/DefaultServlet.java     |  2 +-
+ .../apache/catalina/session/FileStore.java    |  2 +-
+ .../catalina/startup/ContextConfig.java       |  3 ++-
+ .../apache/catalina/startup/ExpandWar.java    | 21 +++++++------------
+ .../apache/catalina/startup/HostConfig.java   |  3 +--
+ webapps/docs/changelog.xml                    |  4 ++++
+ 6 files changed, 16 insertions(+), 19 deletions(-)
+
+Index: tomcat8/java/org/apache/catalina/servlets/DefaultServlet.java
+===================================================================
+--- tomcat8.orig/java/org/apache/catalina/servlets/DefaultServlet.java
++++ tomcat8/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -2209,7 +2209,7 @@ public class DefaultServlet extends Http
+ 
+         // First check that the resulting path is under the provided base
+         try {
+-            if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
++            if (!candidate.getCanonicalFile().toPath().startsWith(base.getCanonicalFile().toPath())) {
+                 return null;
+             }
+         } catch (IOException ioe) {
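Review bot: switching from `String.startsWith` on canonical paths to `Path.startsWith` changes the test from a character prefix to whole path components, so a sibling whose name merely begins with the base name (`/base-other` against `/base`) no longer passes; that is the substance of the fix and deserves a sentence in the patch header, which currently describes the change only as a consistency refactor and does not mention CVE-2021-25329.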
+Index: tomcat8/java/org/apache/catalina/session/FileStore.java
+===================================================================
+--- tomcat8.orig/java/org/apache/catalina/session/FileStore.java
++++ tomcat8/java/org/apache/catalina/session/FileStore.java
+@@ -351,7 +351,7 @@ public final class FileStore extends Sto
+         File file = new File(storageDir, filename);
+ 
+         // Check the file is within the storage directory
+-        if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
++        if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+             log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+             return null;
+         }
+Index: tomcat8/java/org/apache/catalina/startup/ContextConfig.java
+===================================================================
+--- tomcat8.orig/java/org/apache/catalina/startup/ContextConfig.java
++++ tomcat8/java/org/apache/catalina/startup/ContextConfig.java
+@@ -655,7 +655,8 @@ public class ContextConfig implements Li
+         String docBaseCanonical = docBaseAbsoluteFile.getCanonicalPath();
+ 
+         // Re-calculate now docBase is a canonical path
+-        boolean docBaseCanonicalInAppBase = docBaseCanonical.startsWith(appBase.getPath() + File.separatorChar);
++        boolean docBaseCanonicalInAppBase =
++                docBaseAbsoluteFile.getCanonicalFile().toPath().startsWith(appBase.toPath());
+         String docBase;
+         if (docBaseCanonicalInAppBase) {
+             docBase = docBaseCanonical.substring(appBase.getPath().length());
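Review bot: the new `docBaseCanonicalInAppBase` compares a canonicalised left-hand side against `appBase.toPath()`, which is not canonicalised, whereas the DefaultServlet and FileStore hunks canonicalise both sides; if `appBase` itself goes through a symlink the test is false and `docBase` keeps its absolute form, which matches the old string check but is worth a comment. The following line still computes `docBaseCanonical.substring(appBase.getPath().length())`, so the string and `Path` views of `appBase` must agree for the substring to be a clean relative path; consider deriving the relative part with `Path.relativize` instead. The same asymmetry appears in the HostConfig hunk further down.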
+Index: tomcat8/java/org/apache/catalina/startup/ExpandWar.java
+===================================================================
+--- tomcat8.orig/java/org/apache/catalina/startup/ExpandWar.java
++++ tomcat8/java/org/apache/catalina/startup/ExpandWar.java
+@@ -26,6 +26,7 @@ import java.net.JarURLConnection;
+ import java.net.URL;
+ import java.net.URLConnection;
+ import java.nio.channels.FileChannel;
++import java.nio.file.Path;
+ import java.util.Enumeration;
+ import java.util.jar.JarEntry;
+ import java.util.jar.JarFile;
+@@ -116,10 +117,7 @@ public class ExpandWar {
+         }
+ 
+         // Expand the WAR into the new document base directory
+-        String canonicalDocBasePrefix = docBase.getCanonicalPath();
+-        if (!canonicalDocBasePrefix.endsWith(File.separator)) {
+-            canonicalDocBasePrefix += File.separator;
+-        }
++        Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
+ 
+         // Creating war tracker parent (normally META-INF)
+         File warTrackerParent = warTracker.getParentFile();
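Review bot: the replaced prefix deliberately ended with `File.separator`, so a WAR entry that resolved exactly to `docBase` was rejected along with partial directory-name matches; `Path.startsWith` handles the partial-name case correctly, but a path starts with itself, so an entry resolving to `docBase` now passes. Almost certainly harmless for directory entries, but note it in the patch header. The `illegalPath` message now receives a `Path` where it previously got a `String`; the formatter renders it via `toString()`, so the logged text is unchanged.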
+@@ -134,14 +132,13 @@ public class ExpandWar {
+                 JarEntry jarEntry = jarEntries.nextElement();
+                 String name = jarEntry.getName();
+                 File expandedFile = new File(docBase, name);
+-                if (!expandedFile.getCanonicalPath().startsWith(
+-                        canonicalDocBasePrefix)) {
++                if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
+                     // Trying to expand outside the docBase
+                     // Throw an exception to stop the deployment
+                     throw new IllegalArgumentException(
+                             sm.getString("expandWar.illegalPath",war, name,
+                                     expandedFile.getCanonicalPath(),
+-                                    canonicalDocBasePrefix));
++                                    canonicalDocBasePath));
+                 }
+                 int last = name.lastIndexOf('/');
+                 if (last >= 0) {
+@@ -217,10 +214,7 @@ public class ExpandWar {
+         File docBase = new File(host.getAppBaseFile(), pathname);
+ 
+         // Calculate the document base directory
+-        String canonicalDocBasePrefix = docBase.getCanonicalPath();
+-        if (!canonicalDocBasePrefix.endsWith(File.separator)) {
+-            canonicalDocBasePrefix += File.separator;
+-        }
++        Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
+         JarURLConnection juc = (JarURLConnection) war.openConnection();
+         juc.setUseCaches(false);
+         try (JarFile jarFile = juc.getJarFile()) {
+@@ -229,14 +223,13 @@ public class ExpandWar {
+                 JarEntry jarEntry = jarEntries.nextElement();
+                 String name = jarEntry.getName();
+                 File expandedFile = new File(docBase, name);
+-                if (!expandedFile.getCanonicalPath().startsWith(
+-                        canonicalDocBasePrefix)) {
++                if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
+                     // Entry located outside the docBase
+                     // Throw an exception to stop the deployment
+                     throw new IllegalArgumentException(
+                             sm.getString("expandWar.illegalPath",war, name,
+                                     expandedFile.getCanonicalPath(),
+-                                    canonicalDocBasePrefix));
++                                    canonicalDocBasePath));
+                 }
+             }
+         } catch (IOException e) {
+Index: tomcat8/java/org/apache/catalina/startup/HostConfig.java
+===================================================================
+--- tomcat8.orig/java/org/apache/catalina/startup/HostConfig.java
++++ tomcat8/java/org/apache/catalina/startup/HostConfig.java
+@@ -592,8 +592,7 @@ public class HostConfig implements Lifec
+                     docBase = new File(host.getAppBaseFile(), context.getDocBase());
+                 }
+                 // If external docBase, register .xml as redeploy first
+-                if (!docBase.getCanonicalPath().startsWith(
+-                        host.getAppBaseFile().getAbsolutePath() + File.separator)) {
++                if (!docBase.getCanonicalFile().toPath().startsWith(host.getAppBaseFile().toPath())) {
+                     isExternal = true;
+                     deployedApp.redeployResources.put(
+                             contextXml.getAbsolutePath(),
+Index: tomcat8/webapps/docs/changelog.xml
+===================================================================
+--- tomcat8.orig/webapps/docs/changelog.xml
++++ tomcat8/webapps/docs/changelog.xml
+@@ -1387,6 +1387,10 @@
+         test suite to replace the keys and certificates that are about to
+         expire. (markt)
+       </update>
++      <scode>
++        Use <code>java.nio.file.Path</code> to test for one directory being a
++        sub-directory of another in a consistent way. (markt)
++      </scode>
+     </changelog>
+   </subsection>
+ </section>


=====================================
debian/patches/series
=====================================
@@ -11,3 +11,8 @@ CVE-2020-11996.patch
 CVE-2020-9484.patch
 CVE-2020-13934.patch
 CVE-2020-13935.patch
+CVE-2020-13943.patch
+CVE-2020-17527.patch
+CVE-2021-25122.patch
+CVE-2021-25329.patch
+CVE-2021-24122.patch



View it on GitLab: https://salsa.debian.org/java-team/tomcat8/-/compare/98510bdf09ffc0fa6beb9a2383e70a4d5b032e95...36f4738434be023dc4fea3c06fe24875c5f359eb
