[tomcat8] 01/06: Imported Debian patch 8.0.14-1+deb8u2

Markus Koschany apo at moszumanska.debian.org
Mon Aug 15 16:12:38 UTC 2016


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch jessie
in repository tomcat8.

commit 168a13c9b05a2d5e7d16b30e2f7a84a9f9306e47
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Thu Jun 23 00:27:20 2016 +0200

    Imported Debian patch 8.0.14-1+deb8u2
---
 debian/changelog                   |   7 ++-
 debian/patches/CVE-2015-5174.patch | 108 +++++---------------------------
 debian/patches/CVE-2015-5345.patch | 122 +++++++++----------------------------
 debian/patches/CVE-2015-5346.patch |  58 +++++++-----------
 debian/patches/CVE-2015-5351.patch |  38 +++---------
 debian/patches/CVE-2016-0706.patch |  23 +++----
 debian/patches/CVE-2016-0714.patch |  98 +++++++++--------------------
 debian/patches/CVE-2016-0763.patch |  26 +++-----
 debian/patches/CVE-2016-3092.patch |  29 +++++++++
 debian/patches/series              |   5 +-
 10 files changed, 156 insertions(+), 358 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index b05f5b7..b73673e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,11 @@
 tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high
 
   * Team upload.
+
+  [ Emmanuel Bourg ]
+  * Fix CVE-2016-3092: Denial-of-Service vulnerability with file uploads
+
+  [ Markus Koschany ]
   * Fix CVE-2015-5174:
     Directory traversal vulnerability in RequestUtil.java allows remote
     authenticated users to bypass intended SecurityManager restrictions and
@@ -43,7 +48,7 @@ tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high
     data, or cause a denial of service (application disruption), via a web
     application that sets a crafted global context.
 
- -- Markus Koschany <apo at debian.org>  Sun, 29 May 2016 23:11:52 +0200
+ -- Emmanuel Bourg <ebourg at apache.org>  Thu, 23 Jun 2016 00:27:20 +0200
 
 tomcat8 (8.0.14-1+deb8u1) jessie-security; urgency=medium
 
diff --git a/debian/patches/CVE-2015-5174.patch b/debian/patches/CVE-2015-5174.patch
index 19ffa3b..5c927a4 100644
--- a/debian/patches/CVE-2015-5174.patch
+++ b/debian/patches/CVE-2015-5174.patch
@@ -1,47 +1,14 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 01:54:08 +0000
-Subject: CVE-2015-5174
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1696281
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1700897
----
- java/org/apache/tomcat/util/http/RequestUtil.java  |  45 ++++++----
- .../apache/tomcat/util/http/TestRequestUtil.java   | 100 +++++++++++++++++++--
- webapps/docs/changelog.xml                         |  11 +++
- 3 files changed, 135 insertions(+), 21 deletions(-)
-
-diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java b/java/org/apache/tomcat/util/http/RequestUtil.java
-index ebe4f34..1ee4bca 100644
+Description: Fixes CVE-2015-5174: Directory traversal vulnerability in RequestUtil
+ allows remote authenticated users to bypass intended SecurityManager restrictions
+ and list a parent directory via a /.. (slash dot dot) in a pathname used by a
+ web application in a getResource, getResourceAsStream, or getResourcePaths call,
+ as demonstrated by the $CATALINA_BASE/webapps directory.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1696281
+                  https://svn.apache.org/r1700897
 --- a/java/org/apache/tomcat/util/http/RequestUtil.java
 +++ b/java/org/apache/tomcat/util/http/RequestUtil.java
-@@ -30,6 +30,9 @@ public class RequestUtil {
-      * try to perform security checks for malicious input.
-      *
-      * @param path Relative path to be normalized
-+     *
-+     * @return The normalized path or <code>null</code> of the path cannot be
-+     *         normalized
-      */
-     public static String normalize(String path) {
-         return normalize(path, true);
-@@ -44,11 +47,15 @@ public class RequestUtil {
-      *
-      * @param path Relative path to be normalized
-      * @param replaceBackSlash Should '\\' be replaced with '/'
-+     *
-+     * @return The normalized path or <code>null</code> of the path cannot be
-+     *         normalized
-      */
-     public static String normalize(String path, boolean replaceBackSlash) {
- 
--        if (path == null)
-+        if (path == null) {
-             return null;
-+        }
- 
-         // Create a place for the normalized path
-         String normalized = path;
-@@ -56,9 +63,6 @@ public class RequestUtil {
+@@ -56,9 +56,6 @@
          if (replaceBackSlash && normalized.indexOf('\\') >= 0)
              normalized = normalized.replace('\\', '/');
  
@@ -51,67 +18,24 @@ index ebe4f34..1ee4bca 100644
          // Add a leading "/" if necessary
          if (!normalized.startsWith("/"))
              normalized = "/" + normalized;
-@@ -66,34 +70,43 @@ public class RequestUtil {
-         // Resolve occurrences of "//" in the normalized path
-         while (true) {
-             int index = normalized.indexOf("//");
--            if (index < 0)
-+            if (index < 0) {
-                 break;
--            normalized = normalized.substring(0, index) +
--                normalized.substring(index + 1);
-+            }
-+            normalized = normalized.substring(0, index) + normalized.substring(index + 1);
+@@ -93,6 +90,14 @@
+                 normalized.substring(index + 3);
          }
  
-         // Resolve occurrences of "/./" in the normalized path
-         while (true) {
-             int index = normalized.indexOf("/./");
--            if (index < 0)
-+            if (index < 0) {
-                 break;
--            normalized = normalized.substring(0, index) +
--                normalized.substring(index + 2);
-+            }
-+            normalized = normalized.substring(0, index) + normalized.substring(index + 2);
-         }
- 
-         // Resolve occurrences of "/../" in the normalized path
-         while (true) {
-             int index = normalized.indexOf("/../");
--            if (index < 0)
-+            if (index < 0) {
-                 break;
--            if (index == 0)
--                return (null);  // Trying to go outside our context
-+            }
-+            if (index == 0) {
-+                return null;  // Trying to go outside our context
-+            }
-             int index2 = normalized.lastIndexOf('/', index - 1);
--            normalized = normalized.substring(0, index2) +
--                normalized.substring(index + 3);
-+            normalized = normalized.substring(0, index2) + normalized.substring(index + 3);
-+        }
-+
 +        if (normalized.equals("/.")) {
 +            return "/";
 +        }
 +
 +        if (normalized.equals("/..")) {
 +            return null;  // Trying to go outside our context
-         }
- 
++        }
++
          // Return the normalized path that we have completed
--        return (normalized);
-+        return normalized;
+         return (normalized);
      }
- }
-diff --git a/test/org/apache/tomcat/util/http/TestRequestUtil.java b/test/org/apache/tomcat/util/http/TestRequestUtil.java
-index fe3115f..f50098c 100644
 --- a/test/org/apache/tomcat/util/http/TestRequestUtil.java
 +++ b/test/org/apache/tomcat/util/http/TestRequestUtil.java
-@@ -23,11 +23,101 @@ import org.junit.Test;
+@@ -23,11 +23,101 @@
  public class TestRequestUtil {
  
      @Test
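Review bot: The two checks added after the `/../` loop in `RequestUtil.normalize` compare against the exact strings `/.` and `/..` only, so a longer path whose last segment is `..` with no trailing slash is matched neither by them nor by the `indexOf("/../")` loop. If callers rely on `normalize` to guarantee that no `.` or `..` segment survives, the suffix case needs handling too, for example by appending `/` before the loops when `normalized.endsWith("/.") || normalized.endsWith("/..")` and stripping it again before returning. The loop bodies and the added `TestRequestUtil` cases lie mostly outside this hunk, so whether such input is already covered cannot be confirmed from here.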
@@ -218,8 +142,6 @@ index fe3115f..f50098c 100644
 +        assertEquals(expected,RequestUtil.normalize(input));
 +    }
  }
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index a89b75e..f552c88 100644
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
 @@ -1857,6 +1857,10 @@
diff --git a/debian/patches/CVE-2015-5345.patch b/debian/patches/CVE-2015-5345.patch
index dc39b90..32904fe 100644
--- a/debian/patches/CVE-2015-5345.patch
+++ b/debian/patches/CVE-2015-5345.patch
@@ -1,30 +1,13 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sun, 29 May 2016 18:09:44 +0200
-Subject: CVE-2015-5345
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1715207
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1717209
----
- java/org/apache/catalina/Context.java              | 40 ++++++++++++++
- .../catalina/authenticator/FormAuthenticator.java  | 14 +++++
- java/org/apache/catalina/core/StandardContext.java | 35 ++++++++++++
- .../apache/catalina/core/mbeans-descriptors.xml    |  8 +++
- java/org/apache/catalina/mapper/Mapper.java        | 31 ++++++-----
- .../apache/catalina/servlets/DefaultServlet.java   | 28 +++++++++-
- .../apache/catalina/servlets/WebdavServlet.java    |  5 ++
- .../org/apache/catalina/startup/FailedContext.java | 19 ++++++-
- test/org/apache/catalina/core/TesterContext.java   | 17 ++++++
- .../apache/catalina/mapper/TestMapperWebapps.java  | 64 ++++++++++++++++++++++
- .../apache/catalina/startup/TomcatBaseTest.java    |  3 +-
- webapps/docs/changelog.xml                         | 15 +++++
- webapps/docs/config/context.xml                    | 16 ++++++
- 13 files changed, 276 insertions(+), 19 deletions(-)
-
-diff --git a/java/org/apache/catalina/Context.java b/java/org/apache/catalina/Context.java
-index a871b99..84c2a60 100644
+Description: Fixes CVE-2015-5345: The Mapper component in Apache Tomcat processes
+ redirects before considering security constraints and Filters, which allows
+ remote attackers to determine the existence of a directory via a URL that lacks
+ a trailing / (slash) character.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1715207
+                  https://svn.apache.org/r1717209
 --- a/java/org/apache/catalina/Context.java
 +++ b/java/org/apache/catalina/Context.java
-@@ -1674,4 +1674,44 @@ public interface Context extends Container {
+@@ -1674,4 +1674,44 @@
       * processing cookies using the RFC6265 based cookie parser.
       */
      public Charset getCookieEncodingCharset();
@@ -69,11 +52,9 @@ index a871b99..84c2a60 100644
 +     */
 +    public boolean getMapperDirectoryRedirectEnabled();
  }
-diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
-index 57a3cd7..4933d03 100644
 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
 +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
-@@ -241,6 +241,20 @@ public class FormAuthenticator
+@@ -241,6 +241,20 @@
  
          // No -- Save this request and redirect to the form login page
          if (!loginAction) {
@@ -94,11 +75,9 @@ index 57a3cd7..4933d03 100644
              session = request.getSessionInternal(true);
              if (log.isDebugEnabled()) {
                  log.debug("Save request in session '" + session.getIdInternal() + "'");
-diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java
-index f47dd3f..0615e26 100644
 --- a/java/org/apache/catalina/core/StandardContext.java
 +++ b/java/org/apache/catalina/core/StandardContext.java
-@@ -828,9 +828,44 @@ public class StandardContext extends ContainerBase
+@@ -828,9 +828,44 @@
      private boolean useRfc6265 = false;
      private Charset cookieEncoding = StandardCharsets.UTF_8;
  
@@ -143,8 +122,6 @@ index f47dd3f..0615e26 100644
  
      @Override
      public void setUseRfc6265(boolean useRfc6265) {
-diff --git a/java/org/apache/catalina/core/mbeans-descriptors.xml b/java/org/apache/catalina/core/mbeans-descriptors.xml
-index 64fe285..27847bf 100644
 --- a/java/org/apache/catalina/core/mbeans-descriptors.xml
 +++ b/java/org/apache/catalina/core/mbeans-descriptors.xml
 @@ -181,6 +181,14 @@
@@ -162,11 +139,9 @@ index 64fe285..27847bf 100644
      <attribute name="namingContextListener"
                 description="Associated naming context listener."
                 type="org.apache.catalina.core.NamingContextListener" />
-diff --git a/java/org/apache/catalina/mapper/Mapper.java b/java/org/apache/catalina/mapper/Mapper.java
-index a40b257..0c57145 100644
 --- a/java/org/apache/catalina/mapper/Mapper.java
 +++ b/java/org/apache/catalina/mapper/Mapper.java
-@@ -830,20 +830,13 @@ public final class Mapper {
+@@ -830,20 +830,13 @@
  
          int pathOffset = path.getOffset();
          int pathEnd = path.getEnd();
@@ -189,7 +164,7 @@ index a40b257..0c57145 100644
          path.setOffset(servletPath);
  
          // Rule 1 -- Exact Match
-@@ -878,10 +871,13 @@ public final class Mapper {
+@@ -878,8 +871,11 @@
              }
          }
  
@@ -200,12 +175,9 @@ index a40b257..0c57145 100644
 +            path.append('/');
 +            pathEnd = path.getEnd();
              mappingData.redirectPath.setChars
--                (path.getBuffer(), pathOffset, pathEnd-pathOffset);
-+                (path.getBuffer(), pathOffset, pathEnd - pathOffset);
+                 (path.getBuffer(), pathOffset, pathEnd-pathOffset);
              path.setEnd(pathEnd - 1);
-             return;
-         }
-@@ -996,9 +992,15 @@ public final class Mapper {
+@@ -996,9 +992,15 @@
              char[] buf = path.getBuffer();
              if (contextVersion.resources != null && buf[pathEnd -1 ] != '/') {
                  String pathStr = path.toString();
@@ -224,19 +196,9 @@ index a40b257..0c57145 100644
                      // Note: this mutates the path: do not do any processing
                      // after this (since we set the redirectPath, there
                      // shouldn't be any)
-@@ -1015,7 +1017,6 @@ public final class Mapper {
- 
-         path.setOffset(pathOffset);
-         path.setEnd(pathEnd);
--
-     }
- 
- 
-diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
-index cbf65b6..021425c 100644
 --- a/java/org/apache/catalina/servlets/DefaultServlet.java
 +++ b/java/org/apache/catalina/servlets/DefaultServlet.java
-@@ -342,6 +342,10 @@ public class DefaultServlet extends HttpServlet {
+@@ -342,6 +342,10 @@
       * @param request The servlet request we are processing
       */
      protected String getRelativePath(HttpServletRequest request) {
@@ -247,7 +209,7 @@ index cbf65b6..021425c 100644
          // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
          // serves resources from the web app root with context rooted paths.
          // i.e. it can not be used to mount the web app root under a sub-path
-@@ -703,7 +707,8 @@ public class DefaultServlet extends HttpServlet {
+@@ -703,7 +707,8 @@
          boolean serveContent = content;
  
          // Identify the requested resource path
@@ -257,7 +219,7 @@ index cbf65b6..021425c 100644
          if (debug > 0) {
              if (serveContent)
                  log("DefaultServlet.serveResource:  Serving resource '" +
-@@ -713,6 +718,12 @@ public class DefaultServlet extends HttpServlet {
+@@ -713,6 +718,12 @@
                      path + "' headers only");
          }
  
@@ -270,7 +232,7 @@ index cbf65b6..021425c 100644
          WebResource resource = resources.getResource(path);
  
          if (!resource.exists()) {
-@@ -827,6 +838,11 @@ public class DefaultServlet extends HttpServlet {
+@@ -827,6 +838,11 @@
          long contentLength = -1L;
  
          if (resource.isDirectory()) {
@@ -282,7 +244,7 @@ index cbf65b6..021425c 100644
              // Skip directory listings if we have been configured to
              // suppress them
              if (!listings) {
-@@ -1032,6 +1048,16 @@ public class DefaultServlet extends HttpServlet {
+@@ -1032,6 +1048,16 @@
          }
      }
  
@@ -299,11 +261,9 @@ index cbf65b6..021425c 100644
  
      /**
       * Parse the content-range header.
-diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
-index 7bccf76..1303d99 100644
 --- a/java/org/apache/catalina/servlets/WebdavServlet.java
 +++ b/java/org/apache/catalina/servlets/WebdavServlet.java
-@@ -375,6 +375,11 @@ public class WebdavServlet
+@@ -375,6 +375,11 @@
       */
      @Override
      protected String getRelativePath(HttpServletRequest request) {
@@ -315,11 +275,9 @@ index 7bccf76..1303d99 100644
          // Are we being processed by a RequestDispatcher.include()?
          if (request.getAttribute(
                  RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
-diff --git a/java/org/apache/catalina/startup/FailedContext.java b/java/org/apache/catalina/startup/FailedContext.java
-index 73c6bf4..166ab45 100644
 --- a/java/org/apache/catalina/startup/FailedContext.java
 +++ b/java/org/apache/catalina/startup/FailedContext.java
-@@ -771,4 +771,21 @@ public class FailedContext extends LifecycleMBeanBase implements Context {
+@@ -771,4 +771,21 @@
  
      @Override
      public Charset getCookieEncodingCharset() { return StandardCharsets.UTF_8; }
@@ -343,11 +301,9 @@ index 73c6bf4..166ab45 100644
 +    public boolean getMapperDirectoryRedirectEnabled() { return false; }
 +
 +}
-diff --git a/test/org/apache/catalina/core/TesterContext.java b/test/org/apache/catalina/core/TesterContext.java
-index ac4d945..36bfdfe 100644
 --- a/test/org/apache/catalina/core/TesterContext.java
 +++ b/test/org/apache/catalina/core/TesterContext.java
-@@ -1238,4 +1238,21 @@ public class TesterContext implements Context {
+@@ -1238,4 +1238,21 @@
  
      @Override
      public Charset getCookieEncodingCharset() { return StandardCharsets.UTF_8; }
@@ -369,11 +325,9 @@ index ac4d945..36bfdfe 100644
 +    public boolean getMapperDirectoryRedirectEnabled() { return false; }
 +
  }
-diff --git a/test/org/apache/catalina/mapper/TestMapperWebapps.java b/test/org/apache/catalina/mapper/TestMapperWebapps.java
-index 9014efd..3778fdf 100644
 --- a/test/org/apache/catalina/mapper/TestMapperWebapps.java
 +++ b/test/org/apache/catalina/mapper/TestMapperWebapps.java
-@@ -18,6 +18,7 @@ package org.apache.catalina.mapper;
+@@ -18,6 +18,7 @@
  
  import java.io.File;
  import java.io.IOException;
@@ -381,7 +335,7 @@ index 9014efd..3778fdf 100644
  import java.util.HashMap;
  import java.util.List;
  
-@@ -33,7 +34,10 @@ import org.apache.catalina.Context;
+@@ -33,7 +34,10 @@
  import org.apache.catalina.core.StandardContext;
  import org.apache.catalina.startup.Tomcat;
  import org.apache.catalina.startup.TomcatBaseTest;
@@ -392,7 +346,7 @@ index 9014efd..3778fdf 100644
  import org.apache.tomcat.websocket.server.WsContextListener;
  
  /**
-@@ -226,6 +230,66 @@ public class TestMapperWebapps extends TomcatBaseTest{
+@@ -226,6 +230,66 @@
          Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, rc);
      }
  
@@ -459,27 +413,11 @@ index 9014efd..3778fdf 100644
      /**
       * Prepare a string to search in messages that contain a timestamp, when it
       * is known that the timestamp was printed between {@code timeA} and
-diff --git a/test/org/apache/catalina/startup/TomcatBaseTest.java b/test/org/apache/catalina/startup/TomcatBaseTest.java
-index 2808317..0856ea6 100644
---- a/test/org/apache/catalina/startup/TomcatBaseTest.java
-+++ b/test/org/apache/catalina/startup/TomcatBaseTest.java
-@@ -233,8 +233,7 @@ public abstract class TomcatBaseTest extends LoggingBaseTest {
-             String method) throws IOException {
- 
-         URL url = new URL(path);
--        HttpURLConnection connection =
--            (HttpURLConnection) url.openConnection();
-+        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
-         connection.setUseCaches(false);
-         connection.setReadTimeout(readTimeout);
-         connection.setRequestMethod(method);
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index a0b4788..02762a0 100644
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
-@@ -188,6 +188,16 @@
-           <bug>58809</bug>: Correctly recycle cookies when mapping requests for
-                parallel deployment. (markt)
+@@ -184,6 +184,16 @@
+         Reduce duplicated code. All AJP connectors use common method to
+         configuration of processor. (kfujino)
        </fix>
 +      <add>
 +        Move the functionality that provides redirects for context roots and
@@ -494,7 +432,7 @@ index a0b4788..02762a0 100644
      </changelog>
    </subsection>
    <subsection name="Jasper">
-@@ -279,6 +289,11 @@
+@@ -275,6 +285,11 @@
          leak fixes and support for application provided eviction policies.
          (markt)
        </fix>
@@ -506,8 +444,6 @@ index a0b4788..02762a0 100644
      </changelog>
    </subsection>
  </section>
-diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml
-index 41e66ae..91634f0 100644
 --- a/webapps/docs/config/context.xml
 +++ b/webapps/docs/config/context.xml
 @@ -367,6 +367,22 @@
diff --git a/debian/patches/CVE-2015-5346.patch b/debian/patches/CVE-2015-5346.patch
index 95f08bc..d13aa24 100644
--- a/debian/patches/CVE-2015-5346.patch
+++ b/debian/patches/CVE-2015-5346.patch
@@ -1,20 +1,14 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 03:11:58 +0000
-Subject: CVE-2015-5346
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1713185
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1723506
----
- .../apache/catalina/connector/CoyoteAdapter.java   |  8 ++--
- java/org/apache/catalina/connector/Request.java    | 52 ++++++++++++++--------
- webapps/docs/changelog.xml                         |  8 ++++
- 3 files changed, 46 insertions(+), 22 deletions(-)
-
-diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java b/java/org/apache/catalina/connector/CoyoteAdapter.java
-index e3ff219..775862d 100644
+Description: Fixes CVE-2015-5346: Session fixation vulnerability in Apache Tomcat
+ when different session settings are used for deployments of multiple versions
+ of the same web application, might allow remote attackers to hijack web sessions
+ by leveraging use of a requestedSessionSSL field for an unintended request,
+ related to CoyoteAdapter.java and Request.java.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1713185
+                  https://svn.apache.org/r1723506
 --- a/java/org/apache/catalina/connector/CoyoteAdapter.java
 +++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
-@@ -941,9 +941,11 @@ public class CoyoteAdapter implements Adapter {
+@@ -941,9 +941,11 @@
                                  // Reset mapping
                                  request.getMappingData().recycle();
                                  mapRequired = true;
@@ -29,11 +23,9 @@ index e3ff219..775862d 100644
                              }
                              break;
                          }
-diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
-index 2d24ba4..55682be 100644
 --- a/java/org/apache/catalina/connector/Request.java
 +++ b/java/org/apache/catalina/connector/Request.java
-@@ -287,6 +287,11 @@ public class Request
+@@ -287,6 +287,11 @@
       */
      protected boolean cookiesParsed = false;
  
@@ -45,7 +37,7 @@ index 2d24ba4..55682be 100644
  
      /**
       * Secure flag.
-@@ -461,7 +466,6 @@ public class Request
+@@ -461,7 +466,6 @@
              parts = null;
          }
          partsParseException = null;
@@ -53,7 +45,7 @@ index 2d24ba4..55682be 100644
          locales.clear();
          localesParsed = false;
          secure = false;
-@@ -475,20 +479,9 @@ public class Request
+@@ -475,20 +479,9 @@
          attributes.clear();
          sslAttributesParsed = false;
          notes.clear();
@@ -76,15 +68,10 @@ index 2d24ba4..55682be 100644
  
          if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) {
              parameterMap = new ParameterMap<>();
-@@ -531,11 +524,32 @@ public class Request
+@@ -531,6 +524,31 @@
      }
  
  
--    /**
--     * Clear cached encoders (to save memory for Comet requests).
--     */
--    public boolean read()
--        throws IOException {
 +    protected void recycleSessionInfo() {
 +        if (session != null) {
 +            try {
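Review bot: `recycleSessionInfo()` is added to `Request` as a `protected` method with no Javadoc, and it lands directly above an existing comment block that belongs to a different method. As this method carries the session-fixation fix, a short comment would help anyone refreshing the patch later, for example `/** Releases the session held by this request, if any, and resets the requested-session state so it is not reused after the request is re-mapped. */`. That wording is inferred from the patch description and the visible `if (session != null)` guard, so it should be checked against the full body, which continues outside this hunk.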
@@ -110,17 +97,14 @@ index 2d24ba4..55682be 100644
 +        }
 +    }
 +
-+    public boolean read() throws IOException {
-         return (inputBuffer.realReadBytes(null, 0, 0) > 0);
-     }
- 
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index f552c88..cb4c914 100644
+     /**
+      * Clear cached encoders (to save memory for Comet requests).
+      */
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
-@@ -184,6 +184,10 @@
-         Reduce duplicated code. All AJP connectors use common method to
-         configuration of processor. (kfujino)
+@@ -168,6 +168,10 @@
+         <bug>57011</bug>: Ensure that the request and response are correctly
+         recycled when processing errors during async processing. (markt)
        </fix>
 +      <fix>
 +          <bug>58809</bug>: Correctly recycle cookies when mapping requests for
@@ -128,8 +112,8 @@ index f552c88..cb4c914 100644
 +      </fix>
      </changelog>
    </subsection>
-   <subsection name="Jasper">
-@@ -318,6 +322,10 @@
+   <subsection name="Coyote">
+@@ -333,6 +337,10 @@
          page that has the <code>isErrorPage</code> page directive set to
          <code>true</code>. (markt)
        </fix>
diff --git a/debian/patches/CVE-2015-5351.patch b/debian/patches/CVE-2015-5351.patch
index 88b34d0..df65650 100644
--- a/debian/patches/CVE-2015-5351.patch
+++ b/debian/patches/CVE-2015-5351.patch
@@ -1,24 +1,12 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 03:13:41 +0000
-Subject: CVE-2015-5351
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1720658
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1720660
----
- webapps/docs/changelog.xml               | 7 +++++++
- webapps/host-manager/WEB-INF/jsp/401.jsp | 1 +
- webapps/host-manager/WEB-INF/jsp/403.jsp | 1 +
- webapps/host-manager/WEB-INF/jsp/404.jsp | 3 ++-
- webapps/host-manager/index.jsp           | 4 ++--
- webapps/manager/WEB-INF/web.xml          | 1 -
- webapps/manager/index.jsp                | 4 ++--
- 7 files changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index cb4c914..92d5b3c 100644
+Description: Fixes CVE-2015-5351: The Manager and Host Manager applications establish
+ sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers
+ to bypass a CSRF protection mechanism by using a token.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1720658
+                  https://svn.apache.org/r1720660
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
-@@ -326,6 +326,13 @@
+@@ -341,6 +341,13 @@
          Handle the unlikely case where different versions of a web application
          are deployed with different session settings. (markt)
        </fix>
@@ -32,8 +20,6 @@ index cb4c914..92d5b3c 100644
      </changelog>
    </subsection>
    <subsection name="WebSocket">
-diff --git a/webapps/host-manager/WEB-INF/jsp/401.jsp b/webapps/host-manager/WEB-INF/jsp/401.jsp
-index 83c8c6f..047766b 100644
 --- a/webapps/host-manager/WEB-INF/jsp/401.jsp
 +++ b/webapps/host-manager/WEB-INF/jsp/401.jsp
 @@ -14,6 +14,7 @@
@@ -44,8 +30,6 @@ index 83c8c6f..047766b 100644
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <html>
   <head>
-diff --git a/webapps/host-manager/WEB-INF/jsp/403.jsp b/webapps/host-manager/WEB-INF/jsp/403.jsp
-index 2dbb448..5eff6f0 100644
 --- a/webapps/host-manager/WEB-INF/jsp/403.jsp
 +++ b/webapps/host-manager/WEB-INF/jsp/403.jsp
 @@ -14,6 +14,7 @@
@@ -56,8 +40,6 @@ index 2dbb448..5eff6f0 100644
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <html>
   <head>
-diff --git a/webapps/host-manager/WEB-INF/jsp/404.jsp b/webapps/host-manager/WEB-INF/jsp/404.jsp
-index d1b5b0b..9816df5 100644
 --- a/webapps/host-manager/WEB-INF/jsp/404.jsp
 +++ b/webapps/host-manager/WEB-INF/jsp/404.jsp
 @@ -14,7 +14,8 @@
@@ -70,8 +52,6 @@ index d1b5b0b..9816df5 100644
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <html>
   <head>
-diff --git a/webapps/host-manager/index.jsp b/webapps/host-manager/index.jsp
-index d4816e5..2806b76 100644
 --- a/webapps/host-manager/index.jsp
 +++ b/webapps/host-manager/index.jsp
 @@ -14,5 +14,5 @@
@@ -84,8 +64,6 @@ index d4816e5..2806b76 100644
 +<%@ page session="false" trimDirectiveWhitespaces="true" %>
 +<% response.sendRedirect(request.getContextPath() + "/html"); %>
 \ No newline at end of file
-diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml
-index 230199e..ef917e6 100644
 --- a/webapps/manager/WEB-INF/web.xml
 +++ b/webapps/manager/WEB-INF/web.xml
 @@ -115,7 +115,6 @@
@@ -96,8 +74,6 @@ index 230199e..ef917e6 100644
    </filter-mapping>
  
    <!-- Define a Security Constraint on this Application -->
-diff --git a/webapps/manager/index.jsp b/webapps/manager/index.jsp
-index d4816e5..ff4f47b 100644
 --- a/webapps/manager/index.jsp
 +++ b/webapps/manager/index.jsp
 @@ -14,5 +14,5 @@
diff --git a/debian/patches/CVE-2016-0706.patch b/debian/patches/CVE-2016-0706.patch
index 4f497d4..c896c24 100644
--- a/debian/patches/CVE-2016-0706.patch
+++ b/debian/patches/CVE-2016-0706.patch
@@ -1,15 +1,10 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 13:15:51 +0000
-Subject: CVE-2016-0706
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1722800
----
- java/org/apache/catalina/core/RestrictedServlets.properties | 1 +
- webapps/docs/changelog.xml                                  | 4 ++++
- 2 files changed, 5 insertions(+)
-
-diff --git a/java/org/apache/catalina/core/RestrictedServlets.properties b/java/org/apache/catalina/core/RestrictedServlets.properties
-index d336968..cefa249 100644
+Description: Fixes CVE-2016-0706: Apache Tomcat does not place StatusManagerServlet
+ on the RestrictedServlets.properties list, which allows remote authenticated
+ users to bypass intended SecurityManager restrictions  and read arbitrary HTTP
+ requests, and consequently discover session ID  values, via a crafted web
+ application.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1722800
 --- a/java/org/apache/catalina/core/RestrictedServlets.properties
 +++ b/java/org/apache/catalina/core/RestrictedServlets.properties
 @@ -16,3 +16,4 @@
@@ -17,11 +12,9 @@ index d336968..cefa249 100644
  org.apache.catalina.servlets.CGIServlet=restricted
  org.apache.catalina.manager.JMXProxyServlet=restricted
 +org.apache.catalina.manager.StatusManagerServlet=restricted
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index 92d5b3c..f075094 100644
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
-@@ -333,6 +333,10 @@
+@@ -348,6 +348,10 @@
          Don't create sessions unnecessarily in the Host Manager application.
          (markt)
        </fix>
diff --git a/debian/patches/CVE-2016-0714.patch b/debian/patches/CVE-2016-0714.patch
index cb5434c..d587408 100644
--- a/debian/patches/CVE-2016-0714.patch
+++ b/debian/patches/CVE-2016-0714.patch
@@ -1,28 +1,13 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sun, 29 May 2016 15:11:37 +0200
-Subject: CVE-2016-0714
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1726196
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1726203
----
- .../catalina/ha/session/ClusterManagerBase.java    |   3 +
- .../catalina/ha/session/mbeans-descriptors.xml     |  24 +++
- .../catalina/session/LocalStrings.properties       |   2 +
- java/org/apache/catalina/session/ManagerBase.java  | 172 ++++++++++++++++++++-
- .../apache/catalina/session/StandardManager.java   |   9 +-
- .../apache/catalina/session/mbeans-descriptors.xml |  20 +++
- .../catalina/util/CustomObjectInputStream.java     |  89 ++++++++++-
- .../apache/catalina/util/LocalStrings.properties   |   2 +
- webapps/docs/changelog.xml                         |   8 +
- webapps/docs/config/cluster-manager.xml            |  71 +++++++++
- webapps/docs/config/manager.xml                    |  69 +++++++++
- 11 files changed, 463 insertions(+), 6 deletions(-)
-
-diff --git a/java/org/apache/catalina/ha/session/ClusterManagerBase.java b/java/org/apache/catalina/ha/session/ClusterManagerBase.java
-index 8eb284d..ee601a8 100644
+Description: Fixes CVE-2016-0714: The session-persistence implementation mishandles
+ session attributes, which allows remote authenticated users to bypass intended
+ SecurityManager restrictions and execute arbitrary code in a privileged context
+ via a web application that places a crafted object in a session.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1726196
+                  https://svn.apache.org/r1726203
 --- a/java/org/apache/catalina/ha/session/ClusterManagerBase.java
 +++ b/java/org/apache/catalina/ha/session/ClusterManagerBase.java
-@@ -196,6 +196,9 @@ public abstract class ClusterManagerBase extends ManagerBase implements ClusterM
+@@ -196,6 +196,9 @@
          copy.setProcessExpiresFrequency(getProcessExpiresFrequency());
          copy.setNotifyListenersOnReplication(isNotifyListenersOnReplication());
          copy.setSessionAttributeFilter(getSessionAttributeFilter());
@@ -32,8 +17,6 @@ index 8eb284d..ee601a8 100644
          copy.setSecureRandomClass(getSecureRandomClass());
          copy.setSecureRandomProvider(getSecureRandomProvider());
          copy.setSecureRandomAlgorithm(getSecureRandomAlgorithm());
-diff --git a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
-index 76a689e..feff5cc 100644
 --- a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
 +++ b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
 @@ -309,6 +309,18 @@
@@ -74,11 +57,9 @@ index 76a689e..feff5cc 100644
      <operation
        name="expireSession"
        description="Expired the given session"
-diff --git a/java/org/apache/catalina/session/LocalStrings.properties b/java/org/apache/catalina/session/LocalStrings.properties
-index 7b00a4c..67eb04e 100644
 --- a/java/org/apache/catalina/session/LocalStrings.properties
 +++ b/java/org/apache/catalina/session/LocalStrings.properties
-@@ -32,6 +32,8 @@ JDBCStore.missingDataSourceName=No valid JNDI name was given.
+@@ -32,6 +32,8 @@
  JDBCStore.commitSQLException=SQLException committing connection before closing
  managerBase.container.noop=Managers added to containers other than Contexts will never be used
  managerBase.createSession.ise=createSession: Too many active sessions
@@ -87,11 +68,9 @@ index 7b00a4c..67eb04e 100644
  managerBase.sessionTimeout=Invalid session timeout setting {0}
  standardManager.loading=Loading persisted sessions from {0}
  standardManager.loading.exception=Exception while loading persisted sessions
-diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
-index b09348a..ada88f1 100644
 --- a/java/org/apache/catalina/session/ManagerBase.java
 +++ b/java/org/apache/catalina/session/ManagerBase.java
-@@ -32,10 +32,13 @@ import java.util.List;
+@@ -32,10 +32,13 @@
  import java.util.Map;
  import java.util.concurrent.ConcurrentHashMap;
  import java.util.concurrent.atomic.AtomicLong;
@@ -105,7 +84,7 @@ index b09348a..ada88f1 100644
  import org.apache.catalina.LifecycleException;
  import org.apache.catalina.Manager;
  import org.apache.catalina.Session;
-@@ -210,8 +213,57 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+@@ -210,8 +213,57 @@
      protected final PropertyChangeSupport support =
              new PropertyChangeSupport(this);
  
@@ -164,7 +143,7 @@ index b09348a..ada88f1 100644
  
      @Override
      @Deprecated
-@@ -220,6 +272,86 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+@@ -220,6 +272,86 @@
      }
  
  
@@ -251,7 +230,7 @@ index b09348a..ada88f1 100644
      @Override
      @Deprecated
      public void setContainer(Container container) {
-@@ -839,6 +971,44 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+@@ -839,6 +971,44 @@
                  notifySessionListeners, notifyContainerListeners);
      }
  
@@ -296,11 +275,9 @@ index b09348a..ada88f1 100644
  
      // ------------------------------------------------------ Protected Methods
  
-diff --git a/java/org/apache/catalina/session/StandardManager.java b/java/org/apache/catalina/session/StandardManager.java
-index b1eb80b..a63ae7e 100644
 --- a/java/org/apache/catalina/session/StandardManager.java
 +++ b/java/org/apache/catalina/session/StandardManager.java
-@@ -208,19 +208,24 @@ public class StandardManager extends ManagerBase {
+@@ -208,19 +208,24 @@
          BufferedInputStream bis = null;
          ObjectInputStream ois = null;
          Loader loader = null;
@@ -327,8 +304,6 @@ index b1eb80b..a63ae7e 100644
              } else {
                  if (log.isDebugEnabled())
                      log.debug("Creating standard object input stream");
-diff --git a/java/org/apache/catalina/session/mbeans-descriptors.xml b/java/org/apache/catalina/session/mbeans-descriptors.xml
-index 4f9b01e..4edf79b 100644
 --- a/java/org/apache/catalina/session/mbeans-descriptors.xml
 +++ b/java/org/apache/catalina/session/mbeans-descriptors.xml
 @@ -132,6 +132,15 @@
@@ -365,11 +340,9 @@ index 4f9b01e..4edf79b 100644
      <operation   name="backgroundProcess"
            description="Invalidate all sessions that have expired."
                 impact="ACTION"
-diff --git a/java/org/apache/catalina/util/CustomObjectInputStream.java b/java/org/apache/catalina/util/CustomObjectInputStream.java
-index f63d777..25793e4 100644
 --- a/java/org/apache/catalina/util/CustomObjectInputStream.java
 +++ b/java/org/apache/catalina/util/CustomObjectInputStream.java
-@@ -19,9 +19,18 @@ package org.apache.catalina.util;
+@@ -19,9 +19,18 @@
  
  import java.io.IOException;
  import java.io.InputStream;
@@ -388,7 +361,7 @@ index f63d777..25793e4 100644
  
  /**
   * Custom subclass of <code>ObjectInputStream</code> that loads from the
-@@ -35,14 +44,26 @@ public final class CustomObjectInputStream
+@@ -35,14 +44,26 @@
      extends ObjectInputStream {
  
  
@@ -416,7 +389,7 @@ index f63d777..25793e4 100644
       *
       * @param stream The input stream we will read from
       * @param classLoader The class loader used to instantiate objects
-@@ -53,10 +74,56 @@ public final class CustomObjectInputStream
+@@ -53,11 +74,57 @@
                                     ClassLoader classLoader)
          throws IOException {
  
@@ -451,7 +424,6 @@ index f63d777..25793e4 100644
 +                    sm.getString("customObjectInputStream.logRequired"));
 +        }
          this.classLoader = classLoader;
--    }
 +        this.log = log;
 +        this.allowedClassNamePattern = allowedClassNamePattern;
 +        if (allowedClassNamePattern == null) {
@@ -460,7 +432,7 @@ index f63d777..25793e4 100644
 +            this.allowedClassNameFilter = allowedClassNamePattern.toString();
 +        }
 +        this.warnOnFailure = warnOnFailure;
- 
++
 +        Set<String> reportedClasses;
 +        synchronized (reportedClassCache) {
 +            reportedClasses = reportedClassCache.get(classLoader);
@@ -470,11 +442,13 @@ index f63d777..25793e4 100644
 +            }
 +        }
 +        this.reportedClasses = reportedClasses;
-+    }
+     }
  
+-
      /**
       * Load the local class equivalent of the specified stream class
-@@ -70,8 +137,24 @@ public final class CustomObjectInputStream
+      * description, by using the class loader assigned to this Context.
+@@ -70,8 +137,24 @@
      @Override
      public Class<?> resolveClass(ObjectStreamClass classDesc)
          throws ClassNotFoundException, IOException {
@@ -500,11 +474,9 @@ index f63d777..25793e4 100644
          } catch (ClassNotFoundException e) {
              try {
                  // Try also the superclass because of primitive types
-diff --git a/java/org/apache/catalina/util/LocalStrings.properties b/java/org/apache/catalina/util/LocalStrings.properties
-index 55dea98..6aeb973 100644
 --- a/java/org/apache/catalina/util/LocalStrings.properties
 +++ b/java/org/apache/catalina/util/LocalStrings.properties
-@@ -17,6 +17,8 @@ parameterMap.locked=No modifications are allowed to a locked ParameterMap
+@@ -17,6 +17,8 @@
  resourceSet.locked=No modifications are allowed to a locked ResourceSet
  hexUtil.bad=Bad hexadecimal digit
  hexUtil.odd=Odd number of hexadecimal digits
@@ -513,11 +485,9 @@ index 55dea98..6aeb973 100644
  #Default Messages Utilized by the ExtensionValidator
  extensionValidator.web-application-manifest=Web Application Manifest
  extensionValidator.extension-not-found-error=ExtensionValidator[{0}][{1}]: Required extension [{2}] not found.
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index d18692c..a0b4788 100644
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
-@@ -308,6 +308,14 @@
+@@ -323,6 +323,14 @@
          Add support for the EECDH alias when using the OpenSSL cipher syntax to
          define JSSE ciphers. (markt)
        </add>
@@ -532,19 +502,9 @@ index d18692c..a0b4788 100644
      </changelog>
    </subsection>
    <subsection name="Jasper">
-diff --git a/webapps/docs/config/cluster-manager.xml b/webapps/docs/config/cluster-manager.xml
-index 377884a..4958a39 100644
 --- a/webapps/docs/config/cluster-manager.xml
 +++ b/webapps/docs/config/cluster-manager.xml
-@@ -97,6 +97,7 @@
-         varied by a servlet via the
-         <code>setMaxInactiveInterval</code> method of the <code>HttpSession</code> object.</p>
-       </attribute>
-+
-       <attribute name="sessionIdLength" required="false">
-        <p>The length of session ids created by this Manager, measured in bytes,
-         excluding subsequent conversion to a hexadecimal string and
-@@ -182,6 +183,30 @@
+@@ -182,6 +182,30 @@
          effective only when <code>sendAllSessions</code> is <code>false</code>.
          Default is <code>2000</code> milliseconds.
        </attribute>
@@ -575,7 +535,7 @@ index 377884a..4958a39 100644
        <attribute name="stateTimestampDrop" required="false">
          When this node sends a <code>GET_ALL_SESSIONS</code> message to other
          node, all session messages that are received as a response are queued.
-@@ -193,6 +218,17 @@
+@@ -193,6 +217,17 @@
          If set to <code>false</code>, all queued session messages are handled.
          Default is <code>true</code>.
        </attribute>
@@ -593,7 +553,7 @@ index 377884a..4958a39 100644
      </attributes>
    </subsection>
    <subsection name="org.apache.catalina.ha.session.BackupManager Attributes">
-@@ -216,6 +252,30 @@
+@@ -216,6 +251,30 @@
          another map.
          Default value is <code>15000</code> milliseconds.
        </attribute>
@@ -624,7 +584,7 @@ index 377884a..4958a39 100644
        <attribute name="terminateOnStartFailure" required="false">
          Set to true if you wish to terminate replication map when replication
          map fails to start. If replication map is terminated, associated context
-@@ -223,6 +283,17 @@
+@@ -223,6 +282,17 @@
          does not end. It will try to join the map membership in the heartbeat.
          Default value is <code>false</code> .
        </attribute>
@@ -642,8 +602,6 @@ index 377884a..4958a39 100644
      </attributes>
    </subsection>
  </section>
-diff --git a/webapps/docs/config/manager.xml b/webapps/docs/config/manager.xml
-index 3ab728b..3726fe5 100644
 --- a/webapps/docs/config/manager.xml
 +++ b/webapps/docs/config/manager.xml
 @@ -175,6 +175,40 @@
diff --git a/debian/patches/CVE-2016-0763.patch b/debian/patches/CVE-2016-0763.patch
index 1e8e34e..39f5785 100644
--- a/debian/patches/CVE-2016-0763.patch
+++ b/debian/patches/CVE-2016-0763.patch
@@ -1,18 +1,14 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 15:46:37 +0200
-Subject: CVE-2016-0763
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1725929
----
- java/org/apache/naming/factory/ResourceLinkFactory.java | 5 +++++
- webapps/docs/changelog.xml                              | 4 ++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
-index 808192c..8a43e74 100644
+Description: Fixes CVE-2016-0763: The setGlobalContext method in ResourceLinkFactory
+ in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext
+ callers are authorized, which allows remote authenticated users to bypass intended
+ SecurityManager restrictions and read or write to arbitrary application data,
+ or cause a denial of service (application disruption), via a web application
+ that sets a crafted global context.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1725929
 --- a/java/org/apache/naming/factory/ResourceLinkFactory.java
 +++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
-@@ -60,6 +60,11 @@ public class ResourceLinkFactory
+@@ -60,6 +60,11 @@
       * @param newGlobalContext new global context value
       */
      public static void setGlobalContext(Context newGlobalContext) {
@@ -24,11 +20,9 @@ index 808192c..8a43e74 100644
          globalContext = newGlobalContext;
      }
  
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index f075094..d18692c 100644
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
-@@ -337,6 +337,10 @@
+@@ -360,6 +360,10 @@
          Add the <code>StatusManagerServlet</code> to the list of Servlets that
          can only be loaded by privileged applications. (markt)
        </fix>
diff --git a/debian/patches/CVE-2016-3092.patch b/debian/patches/CVE-2016-3092.patch
new file mode 100644
index 0000000..09f88c1
--- /dev/null
+++ b/debian/patches/CVE-2016-3092.patch
@@ -0,0 +1,29 @@
+Description: Fixes CVE-2016-3092: Denial-of-Service vulnerability
+Origin: backport, https://svn.apache.org/r1743480
+--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
++++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+@@ -289,11 +289,6 @@
+             throw new IllegalArgumentException("boundary may not be null");
+         }
+ 
+-        this.input = input;
+-        this.bufSize = bufSize;
+-        this.buffer = new byte[bufSize];
+-        this.notifier = pNotifier;
+-
+         // We prepend CR/LF to the boundary to chop trailing CR/LF from
+         // body-data tokens.
+         this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+@@ -301,6 +296,12 @@
+             throw new IllegalArgumentException(
+                     "The buffer size specified for the MultipartStream is too small");
+         }
++
++        this.input = input;
++        this.bufSize = Math.max(bufSize, boundaryLength*2);
++        this.buffer = new byte[this.bufSize];
++        this.notifier = pNotifier;
++
+         this.boundary = new byte[this.boundaryLength];
+         this.keepRegion = this.boundary.length;
+ 
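Review bot: The new sizing line `this.bufSize = Math.max(bufSize, boundaryLength*2);` has no comment explaining the factor of two, or that the stream may now allocate more than the caller requested. A one-line comment above it would help, for example `// Keep the buffer at least twice the boundary length so a long boundary cannot degrade parsing (CVE-2016-3092)`; the mechanism is inferred from the patch description, so confirm the wording against upstream r1743480. Because the boundary presumably originates from the request's Content-Type header, the Javadoc for `bufSize` should also say that the effective buffer can exceed the requested size. The constructor begins and ends outside the hunk, and the condition guarding the "too small" exception sits between the two inner hunks, so whether it still rejects short buffers before `Math.max` applies cannot be checked from here.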
diff --git a/debian/patches/series b/debian/patches/series
index 3b86510..d69cdee 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,9 +14,10 @@
 #0020-disable-java8-support-with-jdtcompiler.patch
 CVE-2014-7810.patch
 CVE-2015-5174.patch
+CVE-2015-5345.patch
 CVE-2015-5346.patch
 CVE-2015-5351.patch
 CVE-2016-0706.patch
-CVE-2016-0763.patch
 CVE-2016-0714.patch
-CVE-2015-5345.patch
+CVE-2016-0763.patch
+CVE-2016-3092.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git


