[Git][java-team/tomcat8][stretch] 2 commits: Fix CVE-2021-41079

Markus Koschany (@apo) gitlab at salsa.debian.org
Wed Sep 22 21:42:39 BST 2021



Markus Koschany pushed to branch stretch at Debian Java Maintainers / tomcat8


Commits:
c7a71f3b by Markus Koschany at 2021-09-22T21:45:59+02:00
Fix CVE-2021-41079

- - - - -
7056c3ee by Markus Koschany at 2021-09-22T21:47:24+02:00
Update changelog

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2021-41079.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,19 @@
+tomcat8 (8.5.54-0+deb9u8) stretch-security; urgency=high
+
+  * Team upload.
+  * CVE-2021-30640: Fix NullPointerException.
+    If no userRoleAttribute is specified in the user's Realm configuration its
+    default value will be null. This will cause a NPE in the methods
+    doFilterEscaping and doAttributeValueEscaping. This is upstream bug
+    https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
+  * Fix CVE-2021-41079:
+    Apache Tomcat did not properly validate incoming TLS packets. When Tomcat
+    was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
+    crafted packet could be used to trigger an infinite loop resulting in a
+    denial of service.
+
+ -- Markus Koschany <apo at debian.org>  Wed, 22 Sep 2021 21:46:16 +0200
+
 tomcat8 (8.5.54-0+deb9u7) stretch-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
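Review bot: the new deb9u8 entry lists CVE-2021-30640 as fixed, but the only patch this push adds is CVE-2021-41079.patch; the debian/patches/series hunk below shows CVE-2021-30640.patch already present as unchanged context, so please confirm that patch and its changelog text landed in an earlier commit for the same unreleased version rather than being described here without the corresponding change. Minor wording: "NPE" is expanded on the previous line as "NullPointerException", so the abbreviation could be dropped, and "Realm configuration its default value" reads better with a comma after "configuration".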


=====================================
debian/patches/CVE-2021-41079.patch
=====================================
@@ -0,0 +1,55 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 22 Sep 2021 19:44:27 +0200
+Subject: CVE-2021-41079
+
+Origin: https://github.com/apache/tomcat/commit/b90d4fc1ff44f30e4b3aba622ba6677e3f003822
+---
+ java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
+ java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java      | 6 ++++--
+ webapps/docs/changelog.xml                                      | 4 ++++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+index 486f9ea..a080791 100644
+--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
++++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+@@ -17,6 +17,7 @@ engine.ciphersFailure=Failed getting cipher list
+ engine.emptyCipherSuite=Empty cipher suite
+ engine.engineClosed=Engine is closed
+ engine.failedCipherSuite=Failed to enable cipher suite [{0}]
++engine.failedToReadAvailableBytes=There are plain text bytes available to read but no bytes were read
+ engine.inboundClose=Inbound closed before receiving peer's close_notify
+ engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <= offset + length <= srcs.length [{2}])
+ engine.noRestrictSessionCreation=OpenSslEngine does not permit restricting the engine to only resuming existing sessions
+diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+index 3607b01..52cf6e3 100644
+--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
++++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+@@ -586,8 +586,10 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
+                     throw new SSLException(e);
+                 }
+ 
+-                if (bytesRead == 0) {
+-                    break;
++                if (bytesRead <= 0) {
++                    // This should not be possible. pendingApp is positive
++                    // therefore the read should have read at least one byte.
++                    throw new IllegalStateException(sm.getString("engine.failedToReadAvailableBytes"));
+                 }
+ 
+                 bytesProduced += bytesRead;
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 97883ef..44a5011 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -156,6 +156,10 @@
+         Ensure that the HTTP/1.1 processor is correctly recycled when a direct
+         connection to h2c is made. (markt)
+       </fix>
++      <fix>
++        Make handling of OpenSSL read errors more robust when plain text data is
++        reported to be available to read. (markt)
++      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Other">
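Review bot: the core change in the OpenSSLEngine.java region replaces the `break` on `bytesRead == 0` with `throw new IllegalStateException(...)` on `bytesRead <= 0`, which is an unchecked exception escaping a method whose callers expect SSLException; confirm that the NIO/NIO2 socket wrapper paths in this 8.5.54 tree catch RuntimeException and close the connection, otherwise the loop-breaking fix turns a hang into an unhandled exception on the worker thread. The widened condition is a real improvement over the old code, since a negative `bytesRead` previously fell through to `bytesProduced += bytesRead;`; the comment "pendingApp is positive therefore the read should have read at least one byte" is the justification and should be kept. The new `engine.failedToReadAvailableBytes` key in LocalStrings.properties is correctly added in the same patch so `sm.getString` resolves. For a Debian security patch, consider dropping the webapps/docs/changelog.xml region: it is upstream release-notes markup, carries no behaviour, and is the part of this patch most likely to conflict with future backports.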


=====================================
debian/patches/series
=====================================
@@ -18,3 +18,4 @@ CVE-2021-25329.patch
 CVE-2021-24122.patch
 CVE-2021-33037.patch
 CVE-2021-30640.patch
+CVE-2021-41079.patch



View it on GitLab: https://salsa.debian.org/java-team/tomcat8/-/compare/45148fa66427c391e8dbfb0c01e0355bfc37f595...7056c3eed0ac61e95ca3933a61e9e483e50c037f
