[tomcat8] 01/06: Imported Debian patch 8.0.14-1+deb8u2
Markus Koschany
apo at moszumanska.debian.org
Mon Aug 15 16:12:38 UTC 2016
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch jessie
in repository tomcat8.
commit 168a13c9b05a2d5e7d16b30e2f7a84a9f9306e47
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Thu Jun 23 00:27:20 2016 +0200
Imported Debian patch 8.0.14-1+deb8u2
---
debian/changelog | 7 ++-
debian/patches/CVE-2015-5174.patch | 108 +++++---------------------------
debian/patches/CVE-2015-5345.patch | 122 +++++++++----------------------------
debian/patches/CVE-2015-5346.patch | 58 +++++++-----------
debian/patches/CVE-2015-5351.patch | 38 +++---------
debian/patches/CVE-2016-0706.patch | 23 +++----
debian/patches/CVE-2016-0714.patch | 98 +++++++++--------------------
debian/patches/CVE-2016-0763.patch | 26 +++-----
debian/patches/CVE-2016-3092.patch | 29 +++++++++
debian/patches/series | 5 +-
10 files changed, 156 insertions(+), 358 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index b05f5b7..b73673e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,11 @@
tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high
* Team upload.
+
+ [ Emmanuel Bourg ]
+ * Fix CVE-2016-3092: Denial-of-Service vulnerability with file uploads
+
+ [ Markus Koschany ]
* Fix CVE-2015-5174:
Directory traversal vulnerability in RequestUtil.java allows remote
authenticated users to bypass intended SecurityManager restrictions and
@@ -43,7 +48,7 @@ tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high
data, or cause a denial of service (application disruption), via a web
application that sets a crafted global context.
- -- Markus Koschany <apo at debian.org> Sun, 29 May 2016 23:11:52 +0200
+ -- Emmanuel Bourg <ebourg at apache.org> Thu, 23 Jun 2016 00:27:20 +0200
tomcat8 (8.0.14-1+deb8u1) jessie-security; urgency=medium
diff --git a/debian/patches/CVE-2015-5174.patch b/debian/patches/CVE-2015-5174.patch
index 19ffa3b..5c927a4 100644
--- a/debian/patches/CVE-2015-5174.patch
+++ b/debian/patches/CVE-2015-5174.patch
@@ -1,47 +1,14 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 01:54:08 +0000
-Subject: CVE-2015-5174
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1696281
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1700897
----
- java/org/apache/tomcat/util/http/RequestUtil.java | 45 ++++++----
- .../apache/tomcat/util/http/TestRequestUtil.java | 100 +++++++++++++++++++--
- webapps/docs/changelog.xml | 11 +++
- 3 files changed, 135 insertions(+), 21 deletions(-)
-
-diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java b/java/org/apache/tomcat/util/http/RequestUtil.java
-index ebe4f34..1ee4bca 100644
+Description: Fixes CVE-2015-5174: Directory traversal vulnerability in RequestUtil
+ allows remote authenticated users to bypass intended SecurityManager restrictions
+ and list a parent directory via a /.. (slash dot dot) in a pathname used by a
+ web application in a getResource, getResourceAsStream, or getResourcePaths call,
+ as demonstrated by the $CATALINA_BASE/webapps directory.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1696281
+ https://svn.apache.org/r1700897
--- a/java/org/apache/tomcat/util/http/RequestUtil.java
+++ b/java/org/apache/tomcat/util/http/RequestUtil.java
-@@ -30,6 +30,9 @@ public class RequestUtil {
- * try to perform security checks for malicious input.
- *
- * @param path Relative path to be normalized
-+ *
-+ * @return The normalized path or <code>null</code> of the path cannot be
-+ * normalized
- */
- public static String normalize(String path) {
- return normalize(path, true);
-@@ -44,11 +47,15 @@ public class RequestUtil {
- *
- * @param path Relative path to be normalized
- * @param replaceBackSlash Should '\\' be replaced with '/'
-+ *
-+ * @return The normalized path or <code>null</code> of the path cannot be
-+ * normalized
- */
- public static String normalize(String path, boolean replaceBackSlash) {
-
-- if (path == null)
-+ if (path == null) {
- return null;
-+ }
-
- // Create a place for the normalized path
- String normalized = path;
-@@ -56,9 +63,6 @@ public class RequestUtil {
+@@ -56,9 +56,6 @@
if (replaceBackSlash && normalized.indexOf('\\') >= 0)
normalized = normalized.replace('\\', '/');
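Review bot: The rewritten header removes the `Date:` line and adds no DEP-3 field in its place, so the patch file no longer records when the backport was prepared. Adding `Last-Update: 2016-05-28` (the date from the removed line) below `Origin:` would keep that provenance next to the upstream revision references. The header hunks of the other CVE-*.patch files in this commit drop their `Date:` lines in the same way, and each could carry its own removed date.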
@@ -51,67 +18,24 @@ index ebe4f34..1ee4bca 100644
// Add a leading "/" if necessary
if (!normalized.startsWith("/"))
normalized = "/" + normalized;
-@@ -66,34 +70,43 @@ public class RequestUtil {
- // Resolve occurrences of "//" in the normalized path
- while (true) {
- int index = normalized.indexOf("//");
-- if (index < 0)
-+ if (index < 0) {
- break;
-- normalized = normalized.substring(0, index) +
-- normalized.substring(index + 1);
-+ }
-+ normalized = normalized.substring(0, index) + normalized.substring(index + 1);
+@@ -93,6 +90,14 @@
+ normalized.substring(index + 3);
}
- // Resolve occurrences of "/./" in the normalized path
- while (true) {
- int index = normalized.indexOf("/./");
-- if (index < 0)
-+ if (index < 0) {
- break;
-- normalized = normalized.substring(0, index) +
-- normalized.substring(index + 2);
-+ }
-+ normalized = normalized.substring(0, index) + normalized.substring(index + 2);
- }
-
- // Resolve occurrences of "/../" in the normalized path
- while (true) {
- int index = normalized.indexOf("/../");
-- if (index < 0)
-+ if (index < 0) {
- break;
-- if (index == 0)
-- return (null); // Trying to go outside our context
-+ }
-+ if (index == 0) {
-+ return null; // Trying to go outside our context
-+ }
- int index2 = normalized.lastIndexOf('/', index - 1);
-- normalized = normalized.substring(0, index2) +
-- normalized.substring(index + 3);
-+ normalized = normalized.substring(0, index2) + normalized.substring(index + 3);
-+ }
-+
+ if (normalized.equals("/.")) {
+ return "/";
+ }
+
+ if (normalized.equals("/..")) {
+ return null; // Trying to go outside our context
- }
-
++ }
++
// Return the normalized path that we have completed
-- return (normalized);
-+ return normalized;
+ return (normalized);
}
- }
-diff --git a/test/org/apache/tomcat/util/http/TestRequestUtil.java b/test/org/apache/tomcat/util/http/TestRequestUtil.java
-index fe3115f..f50098c 100644
--- a/test/org/apache/tomcat/util/http/TestRequestUtil.java
+++ b/test/org/apache/tomcat/util/http/TestRequestUtil.java
-@@ -23,11 +23,101 @@ import org.junit.Test;
+@@ -23,11 +23,101 @@
public class TestRequestUtil {
@Test
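Review bot: The two checks kept at the end of `normalize` use `equals`, so they catch only the exact strings `/.` and `/..`, and the loop visible in the removed context resolves `/../` only when a slash follows the dots. From the lines shown here, a path that ends in `/..` after a non-empty prefix (constructed example: `/a/..`) appears to match neither and would be returned unresolved. The rest of the patch is not visible in this hunk, so this needs confirming, for instance with a `TestRequestUtil` case such as `assertEquals("/", RequestUtil.normalize("/a/.."))` (constructed). If that case fails, letting the existing loops see a trailing slash, as sketched below, closes the gap. The body of `normalize` starts and ends outside the hunk.

```java
// … unchanged: backslash replacement and leading "/" handling …
boolean addedTrailingSlash = false;
if (normalized.endsWith("/.") || normalized.endsWith("/..")) {
    // Let the "/./" and "/../" loops below resolve a trailing dot segment
    normalized = normalized + "/";
    addedTrailingSlash = true;
}
// … unchanged: "//", "/./" and "/../" resolution loops …
if (normalized.length() > 1 && addedTrailingSlash) {
    // Drop the slash added above so the output matches the input's form
    normalized = normalized.substring(0, normalized.length() - 1);
}
// … unchanged: return of the normalized path …
```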
@@ -218,8 +142,6 @@ index fe3115f..f50098c 100644
+ assertEquals(expected,RequestUtil.normalize(input));
+ }
}
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index a89b75e..f552c88 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -1857,6 +1857,10 @@
diff --git a/debian/patches/CVE-2015-5345.patch b/debian/patches/CVE-2015-5345.patch
index dc39b90..32904fe 100644
--- a/debian/patches/CVE-2015-5345.patch
+++ b/debian/patches/CVE-2015-5345.patch
@@ -1,30 +1,13 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sun, 29 May 2016 18:09:44 +0200
-Subject: CVE-2015-5345
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1715207
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1717209
----
- java/org/apache/catalina/Context.java | 40 ++++++++++++++
- .../catalina/authenticator/FormAuthenticator.java | 14 +++++
- java/org/apache/catalina/core/StandardContext.java | 35 ++++++++++++
- .../apache/catalina/core/mbeans-descriptors.xml | 8 +++
- java/org/apache/catalina/mapper/Mapper.java | 31 ++++++-----
- .../apache/catalina/servlets/DefaultServlet.java | 28 +++++++++-
- .../apache/catalina/servlets/WebdavServlet.java | 5 ++
- .../org/apache/catalina/startup/FailedContext.java | 19 ++++++-
- test/org/apache/catalina/core/TesterContext.java | 17 ++++++
- .../apache/catalina/mapper/TestMapperWebapps.java | 64 ++++++++++++++++++++++
- .../apache/catalina/startup/TomcatBaseTest.java | 3 +-
- webapps/docs/changelog.xml | 15 +++++
- webapps/docs/config/context.xml | 16 ++++++
- 13 files changed, 276 insertions(+), 19 deletions(-)
-
-diff --git a/java/org/apache/catalina/Context.java b/java/org/apache/catalina/Context.java
-index a871b99..84c2a60 100644
+Description: Fixes CVE-2015-5345: The Mapper component in Apache Tomcat processes
+ redirects before considering security constraints and Filters, which allows
+ remote attackers to determine the existence of a directory via a URL that lacks
+ a trailing / (slash) character.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1715207
+ https://svn.apache.org/r1717209
--- a/java/org/apache/catalina/Context.java
+++ b/java/org/apache/catalina/Context.java
-@@ -1674,4 +1674,44 @@ public interface Context extends Container {
+@@ -1674,4 +1674,44 @@
* processing cookies using the RFC6265 based cookie parser.
*/
public Charset getCookieEncodingCharset();
@@ -69,11 +52,9 @@ index a871b99..84c2a60 100644
+ */
+ public boolean getMapperDirectoryRedirectEnabled();
}
-diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
-index 57a3cd7..4933d03 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
-@@ -241,6 +241,20 @@ public class FormAuthenticator
+@@ -241,6 +241,20 @@
// No -- Save this request and redirect to the form login page
if (!loginAction) {
@@ -94,11 +75,9 @@ index 57a3cd7..4933d03 100644
session = request.getSessionInternal(true);
if (log.isDebugEnabled()) {
log.debug("Save request in session '" + session.getIdInternal() + "'");
-diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java
-index f47dd3f..0615e26 100644
--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
-@@ -828,9 +828,44 @@ public class StandardContext extends ContainerBase
+@@ -828,9 +828,44 @@
private boolean useRfc6265 = false;
private Charset cookieEncoding = StandardCharsets.UTF_8;
@@ -143,8 +122,6 @@ index f47dd3f..0615e26 100644
@Override
public void setUseRfc6265(boolean useRfc6265) {
-diff --git a/java/org/apache/catalina/core/mbeans-descriptors.xml b/java/org/apache/catalina/core/mbeans-descriptors.xml
-index 64fe285..27847bf 100644
--- a/java/org/apache/catalina/core/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/core/mbeans-descriptors.xml
@@ -181,6 +181,14 @@
@@ -162,11 +139,9 @@ index 64fe285..27847bf 100644
<attribute name="namingContextListener"
description="Associated naming context listener."
type="org.apache.catalina.core.NamingContextListener" />
-diff --git a/java/org/apache/catalina/mapper/Mapper.java b/java/org/apache/catalina/mapper/Mapper.java
-index a40b257..0c57145 100644
--- a/java/org/apache/catalina/mapper/Mapper.java
+++ b/java/org/apache/catalina/mapper/Mapper.java
-@@ -830,20 +830,13 @@ public final class Mapper {
+@@ -830,20 +830,13 @@
int pathOffset = path.getOffset();
int pathEnd = path.getEnd();
@@ -189,7 +164,7 @@ index a40b257..0c57145 100644
path.setOffset(servletPath);
// Rule 1 -- Exact Match
-@@ -878,10 +871,13 @@ public final class Mapper {
+@@ -878,8 +871,11 @@
}
}
@@ -200,12 +175,9 @@ index a40b257..0c57145 100644
+ path.append('/');
+ pathEnd = path.getEnd();
mappingData.redirectPath.setChars
-- (path.getBuffer(), pathOffset, pathEnd-pathOffset);
-+ (path.getBuffer(), pathOffset, pathEnd - pathOffset);
+ (path.getBuffer(), pathOffset, pathEnd-pathOffset);
path.setEnd(pathEnd - 1);
- return;
- }
-@@ -996,9 +992,15 @@ public final class Mapper {
+@@ -996,9 +992,15 @@
char[] buf = path.getBuffer();
if (contextVersion.resources != null && buf[pathEnd -1 ] != '/') {
String pathStr = path.toString();
@@ -224,19 +196,9 @@ index a40b257..0c57145 100644
// Note: this mutates the path: do not do any processing
// after this (since we set the redirectPath, there
// shouldn't be any)
-@@ -1015,7 +1017,6 @@ public final class Mapper {
-
- path.setOffset(pathOffset);
- path.setEnd(pathEnd);
--
- }
-
-
-diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
-index cbf65b6..021425c 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
-@@ -342,6 +342,10 @@ public class DefaultServlet extends HttpServlet {
+@@ -342,6 +342,10 @@
* @param request The servlet request we are processing
*/
protected String getRelativePath(HttpServletRequest request) {
@@ -247,7 +209,7 @@ index cbf65b6..021425c 100644
// IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
// serves resources from the web app root with context rooted paths.
// i.e. it can not be used to mount the web app root under a sub-path
-@@ -703,7 +707,8 @@ public class DefaultServlet extends HttpServlet {
+@@ -703,7 +707,8 @@
boolean serveContent = content;
// Identify the requested resource path
@@ -257,7 +219,7 @@ index cbf65b6..021425c 100644
if (debug > 0) {
if (serveContent)
log("DefaultServlet.serveResource: Serving resource '" +
-@@ -713,6 +718,12 @@ public class DefaultServlet extends HttpServlet {
+@@ -713,6 +718,12 @@
path + "' headers only");
}
@@ -270,7 +232,7 @@ index cbf65b6..021425c 100644
WebResource resource = resources.getResource(path);
if (!resource.exists()) {
-@@ -827,6 +838,11 @@ public class DefaultServlet extends HttpServlet {
+@@ -827,6 +838,11 @@
long contentLength = -1L;
if (resource.isDirectory()) {
@@ -282,7 +244,7 @@ index cbf65b6..021425c 100644
// Skip directory listings if we have been configured to
// suppress them
if (!listings) {
-@@ -1032,6 +1048,16 @@ public class DefaultServlet extends HttpServlet {
+@@ -1032,6 +1048,16 @@
}
}
@@ -299,11 +261,9 @@ index cbf65b6..021425c 100644
/**
* Parse the content-range header.
-diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
-index 7bccf76..1303d99 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
-@@ -375,6 +375,11 @@ public class WebdavServlet
+@@ -375,6 +375,11 @@
*/
@Override
protected String getRelativePath(HttpServletRequest request) {
@@ -315,11 +275,9 @@ index 7bccf76..1303d99 100644
// Are we being processed by a RequestDispatcher.include()?
if (request.getAttribute(
RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
-diff --git a/java/org/apache/catalina/startup/FailedContext.java b/java/org/apache/catalina/startup/FailedContext.java
-index 73c6bf4..166ab45 100644
--- a/java/org/apache/catalina/startup/FailedContext.java
+++ b/java/org/apache/catalina/startup/FailedContext.java
-@@ -771,4 +771,21 @@ public class FailedContext extends LifecycleMBeanBase implements Context {
+@@ -771,4 +771,21 @@
@Override
public Charset getCookieEncodingCharset() { return StandardCharsets.UTF_8; }
@@ -343,11 +301,9 @@ index 73c6bf4..166ab45 100644
+ public boolean getMapperDirectoryRedirectEnabled() { return false; }
+
+}
-diff --git a/test/org/apache/catalina/core/TesterContext.java b/test/org/apache/catalina/core/TesterContext.java
-index ac4d945..36bfdfe 100644
--- a/test/org/apache/catalina/core/TesterContext.java
+++ b/test/org/apache/catalina/core/TesterContext.java
-@@ -1238,4 +1238,21 @@ public class TesterContext implements Context {
+@@ -1238,4 +1238,21 @@
@Override
public Charset getCookieEncodingCharset() { return StandardCharsets.UTF_8; }
@@ -369,11 +325,9 @@ index ac4d945..36bfdfe 100644
+ public boolean getMapperDirectoryRedirectEnabled() { return false; }
+
}
-diff --git a/test/org/apache/catalina/mapper/TestMapperWebapps.java b/test/org/apache/catalina/mapper/TestMapperWebapps.java
-index 9014efd..3778fdf 100644
--- a/test/org/apache/catalina/mapper/TestMapperWebapps.java
+++ b/test/org/apache/catalina/mapper/TestMapperWebapps.java
-@@ -18,6 +18,7 @@ package org.apache.catalina.mapper;
+@@ -18,6 +18,7 @@
import java.io.File;
import java.io.IOException;
@@ -381,7 +335,7 @@ index 9014efd..3778fdf 100644
import java.util.HashMap;
import java.util.List;
-@@ -33,7 +34,10 @@ import org.apache.catalina.Context;
+@@ -33,7 +34,10 @@
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.startup.TomcatBaseTest;
@@ -392,7 +346,7 @@ index 9014efd..3778fdf 100644
import org.apache.tomcat.websocket.server.WsContextListener;
/**
-@@ -226,6 +230,66 @@ public class TestMapperWebapps extends TomcatBaseTest{
+@@ -226,6 +230,66 @@
Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, rc);
}
@@ -459,27 +413,11 @@ index 9014efd..3778fdf 100644
/**
* Prepare a string to search in messages that contain a timestamp, when it
* is known that the timestamp was printed between {@code timeA} and
-diff --git a/test/org/apache/catalina/startup/TomcatBaseTest.java b/test/org/apache/catalina/startup/TomcatBaseTest.java
-index 2808317..0856ea6 100644
---- a/test/org/apache/catalina/startup/TomcatBaseTest.java
-+++ b/test/org/apache/catalina/startup/TomcatBaseTest.java
-@@ -233,8 +233,7 @@ public abstract class TomcatBaseTest extends LoggingBaseTest {
- String method) throws IOException {
-
- URL url = new URL(path);
-- HttpURLConnection connection =
-- (HttpURLConnection) url.openConnection();
-+ HttpURLConnection connection = (HttpURLConnection) url.openConnection();
- connection.setUseCaches(false);
- connection.setReadTimeout(readTimeout);
- connection.setRequestMethod(method);
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index a0b4788..02762a0 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
-@@ -188,6 +188,16 @@
- <bug>58809</bug>: Correctly recycle cookies when mapping requests for
- parallel deployment. (markt)
+@@ -184,6 +184,16 @@
+ Reduce duplicated code. All AJP connectors use common method to
+ configuration of processor. (kfujino)
</fix>
+ <add>
+ Move the functionality that provides redirects for context roots and
@@ -494,7 +432,7 @@ index a0b4788..02762a0 100644
</changelog>
</subsection>
<subsection name="Jasper">
-@@ -279,6 +289,11 @@
+@@ -275,6 +285,11 @@
leak fixes and support for application provided eviction policies.
(markt)
</fix>
@@ -506,8 +444,6 @@ index a0b4788..02762a0 100644
</changelog>
</subsection>
</section>
-diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml
-index 41e66ae..91634f0 100644
--- a/webapps/docs/config/context.xml
+++ b/webapps/docs/config/context.xml
@@ -367,6 +367,22 @@
diff --git a/debian/patches/CVE-2015-5346.patch b/debian/patches/CVE-2015-5346.patch
index 95f08bc..d13aa24 100644
--- a/debian/patches/CVE-2015-5346.patch
+++ b/debian/patches/CVE-2015-5346.patch
@@ -1,20 +1,14 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 03:11:58 +0000
-Subject: CVE-2015-5346
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1713185
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1723506
----
- .../apache/catalina/connector/CoyoteAdapter.java | 8 ++--
- java/org/apache/catalina/connector/Request.java | 52 ++++++++++++++--------
- webapps/docs/changelog.xml | 8 ++++
- 3 files changed, 46 insertions(+), 22 deletions(-)
-
-diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java b/java/org/apache/catalina/connector/CoyoteAdapter.java
-index e3ff219..775862d 100644
+Description: Fixes CVE-2015-5346: Session fixation vulnerability in Apache Tomcat
+ when different session settings are used for deployments of multiple versions
+ of the same web application, might allow remote attackers to hijack web sessions
+ by leveraging use of a requestedSessionSSL field for an unintended request,
+ related to CoyoteAdapter.java and Request.java.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1713185
+ https://svn.apache.org/r1723506
--- a/java/org/apache/catalina/connector/CoyoteAdapter.java
+++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
-@@ -941,9 +941,11 @@ public class CoyoteAdapter implements Adapter {
+@@ -941,9 +941,11 @@
// Reset mapping
request.getMappingData().recycle();
mapRequired = true;
@@ -29,11 +23,9 @@ index e3ff219..775862d 100644
}
break;
}
-diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
-index 2d24ba4..55682be 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
-@@ -287,6 +287,11 @@ public class Request
+@@ -287,6 +287,11 @@
*/
protected boolean cookiesParsed = false;
@@ -45,7 +37,7 @@ index 2d24ba4..55682be 100644
/**
* Secure flag.
-@@ -461,7 +466,6 @@ public class Request
+@@ -461,7 +466,6 @@
parts = null;
}
partsParseException = null;
@@ -53,7 +45,7 @@ index 2d24ba4..55682be 100644
locales.clear();
localesParsed = false;
secure = false;
-@@ -475,20 +479,9 @@ public class Request
+@@ -475,20 +479,9 @@
attributes.clear();
sslAttributesParsed = false;
notes.clear();
@@ -76,15 +68,10 @@ index 2d24ba4..55682be 100644
if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) {
parameterMap = new ParameterMap<>();
-@@ -531,11 +524,32 @@ public class Request
+@@ -531,6 +524,31 @@
}
-- /**
-- * Clear cached encoders (to save memory for Comet requests).
-- */
-- public boolean read()
-- throws IOException {
+ protected void recycleSessionInfo() {
+ if (session != null) {
+ try {
@@ -110,17 +97,14 @@ index 2d24ba4..55682be 100644
+ }
+ }
+
-+ public boolean read() throws IOException {
- return (inputBuffer.realReadBytes(null, 0, 0) > 0);
- }
-
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index f552c88..cb4c914 100644
+ /**
+ * Clear cached encoders (to save memory for Comet requests).
+ */
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
-@@ -184,6 +184,10 @@
- Reduce duplicated code. All AJP connectors use common method to
- configuration of processor. (kfujino)
+@@ -168,6 +168,10 @@
+ <bug>57011</bug>: Ensure that the request and response are correctly
+ recycled when processing errors during async processing. (markt)
</fix>
+ <fix>
+ <bug>58809</bug>: Correctly recycle cookies when mapping requests for
@@ -128,8 +112,8 @@ index f552c88..cb4c914 100644
+ </fix>
</changelog>
</subsection>
- <subsection name="Jasper">
-@@ -318,6 +322,10 @@
+ <subsection name="Coyote">
+@@ -333,6 +337,10 @@
page that has the <code>isErrorPage</code> page directive set to
<code>true</code>. (markt)
</fix>
diff --git a/debian/patches/CVE-2015-5351.patch b/debian/patches/CVE-2015-5351.patch
index 88b34d0..df65650 100644
--- a/debian/patches/CVE-2015-5351.patch
+++ b/debian/patches/CVE-2015-5351.patch
@@ -1,24 +1,12 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 03:13:41 +0000
-Subject: CVE-2015-5351
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1720658
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1720660
----
- webapps/docs/changelog.xml | 7 +++++++
- webapps/host-manager/WEB-INF/jsp/401.jsp | 1 +
- webapps/host-manager/WEB-INF/jsp/403.jsp | 1 +
- webapps/host-manager/WEB-INF/jsp/404.jsp | 3 ++-
- webapps/host-manager/index.jsp | 4 ++--
- webapps/manager/WEB-INF/web.xml | 1 -
- webapps/manager/index.jsp | 4 ++--
- 7 files changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index cb4c914..92d5b3c 100644
+Description: Fixes CVE-2015-5351: The Manager and Host Manager applications establish
+ sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers
+ to bypass a CSRF protection mechanism by using a token.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1720658
+ https://svn.apache.org/r1720660
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
-@@ -326,6 +326,13 @@
+@@ -341,6 +341,13 @@
Handle the unlikely case where different versions of a web application
are deployed with different session settings. (markt)
</fix>
@@ -32,8 +20,6 @@ index cb4c914..92d5b3c 100644
</changelog>
</subsection>
<subsection name="WebSocket">
-diff --git a/webapps/host-manager/WEB-INF/jsp/401.jsp b/webapps/host-manager/WEB-INF/jsp/401.jsp
-index 83c8c6f..047766b 100644
--- a/webapps/host-manager/WEB-INF/jsp/401.jsp
+++ b/webapps/host-manager/WEB-INF/jsp/401.jsp
@@ -14,6 +14,7 @@
@@ -44,8 +30,6 @@ index 83c8c6f..047766b 100644
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
-diff --git a/webapps/host-manager/WEB-INF/jsp/403.jsp b/webapps/host-manager/WEB-INF/jsp/403.jsp
-index 2dbb448..5eff6f0 100644
--- a/webapps/host-manager/WEB-INF/jsp/403.jsp
+++ b/webapps/host-manager/WEB-INF/jsp/403.jsp
@@ -14,6 +14,7 @@
@@ -56,8 +40,6 @@ index 2dbb448..5eff6f0 100644
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
-diff --git a/webapps/host-manager/WEB-INF/jsp/404.jsp b/webapps/host-manager/WEB-INF/jsp/404.jsp
-index d1b5b0b..9816df5 100644
--- a/webapps/host-manager/WEB-INF/jsp/404.jsp
+++ b/webapps/host-manager/WEB-INF/jsp/404.jsp
@@ -14,7 +14,8 @@
@@ -70,8 +52,6 @@ index d1b5b0b..9816df5 100644
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
-diff --git a/webapps/host-manager/index.jsp b/webapps/host-manager/index.jsp
-index d4816e5..2806b76 100644
--- a/webapps/host-manager/index.jsp
+++ b/webapps/host-manager/index.jsp
@@ -14,5 +14,5 @@
@@ -84,8 +64,6 @@ index d4816e5..2806b76 100644
+<%@ page session="false" trimDirectiveWhitespaces="true" %>
+<% response.sendRedirect(request.getContextPath() + "/html"); %>
\ No newline at end of file
-diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml
-index 230199e..ef917e6 100644
--- a/webapps/manager/WEB-INF/web.xml
+++ b/webapps/manager/WEB-INF/web.xml
@@ -115,7 +115,6 @@
@@ -96,8 +74,6 @@ index 230199e..ef917e6 100644
</filter-mapping>
<!-- Define a Security Constraint on this Application -->
-diff --git a/webapps/manager/index.jsp b/webapps/manager/index.jsp
-index d4816e5..ff4f47b 100644
--- a/webapps/manager/index.jsp
+++ b/webapps/manager/index.jsp
@@ -14,5 +14,5 @@
diff --git a/debian/patches/CVE-2016-0706.patch b/debian/patches/CVE-2016-0706.patch
index 4f497d4..c896c24 100644
--- a/debian/patches/CVE-2016-0706.patch
+++ b/debian/patches/CVE-2016-0706.patch
@@ -1,15 +1,10 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 13:15:51 +0000
-Subject: CVE-2016-0706
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1722800
----
- java/org/apache/catalina/core/RestrictedServlets.properties | 1 +
- webapps/docs/changelog.xml | 4 ++++
- 2 files changed, 5 insertions(+)
-
-diff --git a/java/org/apache/catalina/core/RestrictedServlets.properties b/java/org/apache/catalina/core/RestrictedServlets.properties
-index d336968..cefa249 100644
+Description: Fixes CVE-2016-0706: Apache Tomcat does not place StatusManagerServlet
+ on the RestrictedServlets.properties list, which allows remote authenticated
+ users to bypass intended SecurityManager restrictions and read arbitrary HTTP
+ requests, and consequently discover session ID values, via a crafted web
+ application.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1722800
--- a/java/org/apache/catalina/core/RestrictedServlets.properties
+++ b/java/org/apache/catalina/core/RestrictedServlets.properties
@@ -16,3 +16,4 @@
@@ -17,11 +12,9 @@ index d336968..cefa249 100644
org.apache.catalina.servlets.CGIServlet=restricted
org.apache.catalina.manager.JMXProxyServlet=restricted
+org.apache.catalina.manager.StatusManagerServlet=restricted
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index 92d5b3c..f075094 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
-@@ -333,6 +333,10 @@
+@@ -348,6 +348,10 @@
Don't create sessions unnecessarily in the Host Manager application.
(markt)
</fix>
diff --git a/debian/patches/CVE-2016-0714.patch b/debian/patches/CVE-2016-0714.patch
index cb5434c..d587408 100644
--- a/debian/patches/CVE-2016-0714.patch
+++ b/debian/patches/CVE-2016-0714.patch
@@ -1,28 +1,13 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sun, 29 May 2016 15:11:37 +0200
-Subject: CVE-2016-0714
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1726196
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1726203
----
- .../catalina/ha/session/ClusterManagerBase.java | 3 +
- .../catalina/ha/session/mbeans-descriptors.xml | 24 +++
- .../catalina/session/LocalStrings.properties | 2 +
- java/org/apache/catalina/session/ManagerBase.java | 172 ++++++++++++++++++++-
- .../apache/catalina/session/StandardManager.java | 9 +-
- .../apache/catalina/session/mbeans-descriptors.xml | 20 +++
- .../catalina/util/CustomObjectInputStream.java | 89 ++++++++++-
- .../apache/catalina/util/LocalStrings.properties | 2 +
- webapps/docs/changelog.xml | 8 +
- webapps/docs/config/cluster-manager.xml | 71 +++++++++
- webapps/docs/config/manager.xml | 69 +++++++++
- 11 files changed, 463 insertions(+), 6 deletions(-)
-
-diff --git a/java/org/apache/catalina/ha/session/ClusterManagerBase.java b/java/org/apache/catalina/ha/session/ClusterManagerBase.java
-index 8eb284d..ee601a8 100644
+Description: Fixes CVE-2016-0714: The session-persistence implementation mishandles
+ session attributes, which allows remote authenticated users to bypass intended
+ SecurityManager restrictions and execute arbitrary code in a privileged context
+ via a web application that places a crafted object in a session.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1726196
+ https://svn.apache.org/r1726203
--- a/java/org/apache/catalina/ha/session/ClusterManagerBase.java
+++ b/java/org/apache/catalina/ha/session/ClusterManagerBase.java
-@@ -196,6 +196,9 @@ public abstract class ClusterManagerBase extends ManagerBase implements ClusterM
+@@ -196,6 +196,9 @@
copy.setProcessExpiresFrequency(getProcessExpiresFrequency());
copy.setNotifyListenersOnReplication(isNotifyListenersOnReplication());
copy.setSessionAttributeFilter(getSessionAttributeFilter());
@@ -32,8 +17,6 @@ index 8eb284d..ee601a8 100644
copy.setSecureRandomClass(getSecureRandomClass());
copy.setSecureRandomProvider(getSecureRandomProvider());
copy.setSecureRandomAlgorithm(getSecureRandomAlgorithm());
-diff --git a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
-index 76a689e..feff5cc 100644
--- a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
@@ -309,6 +309,18 @@
@@ -74,11 +57,9 @@ index 76a689e..feff5cc 100644
<operation
name="expireSession"
description="Expired the given session"
-diff --git a/java/org/apache/catalina/session/LocalStrings.properties b/java/org/apache/catalina/session/LocalStrings.properties
-index 7b00a4c..67eb04e 100644
--- a/java/org/apache/catalina/session/LocalStrings.properties
+++ b/java/org/apache/catalina/session/LocalStrings.properties
-@@ -32,6 +32,8 @@ JDBCStore.missingDataSourceName=No valid JNDI name was given.
+@@ -32,6 +32,8 @@
JDBCStore.commitSQLException=SQLException committing connection before closing
managerBase.container.noop=Managers added to containers other than Contexts will never be used
managerBase.createSession.ise=createSession: Too many active sessions
@@ -87,11 +68,9 @@ index 7b00a4c..67eb04e 100644
managerBase.sessionTimeout=Invalid session timeout setting {0}
standardManager.loading=Loading persisted sessions from {0}
standardManager.loading.exception=Exception while loading persisted sessions
-diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
-index b09348a..ada88f1 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
-@@ -32,10 +32,13 @@ import java.util.List;
+@@ -32,10 +32,13 @@
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
@@ -105,7 +84,7 @@ index b09348a..ada88f1 100644
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
-@@ -210,8 +213,57 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+@@ -210,8 +213,57 @@
protected final PropertyChangeSupport support =
new PropertyChangeSupport(this);
@@ -164,7 +143,7 @@ index b09348a..ada88f1 100644
@Override
@Deprecated
-@@ -220,6 +272,86 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+@@ -220,6 +272,86 @@
}
@@ -251,7 +230,7 @@ index b09348a..ada88f1 100644
@Override
@Deprecated
public void setContainer(Container container) {
-@@ -839,6 +971,44 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+@@ -839,6 +971,44 @@
notifySessionListeners, notifyContainerListeners);
}
@@ -296,11 +275,9 @@ index b09348a..ada88f1 100644
// ------------------------------------------------------ Protected Methods
-diff --git a/java/org/apache/catalina/session/StandardManager.java b/java/org/apache/catalina/session/StandardManager.java
-index b1eb80b..a63ae7e 100644
--- a/java/org/apache/catalina/session/StandardManager.java
+++ b/java/org/apache/catalina/session/StandardManager.java
-@@ -208,19 +208,24 @@ public class StandardManager extends ManagerBase {
+@@ -208,19 +208,24 @@
BufferedInputStream bis = null;
ObjectInputStream ois = null;
Loader loader = null;
@@ -327,8 +304,6 @@ index b1eb80b..a63ae7e 100644
} else {
if (log.isDebugEnabled())
log.debug("Creating standard object input stream");
-diff --git a/java/org/apache/catalina/session/mbeans-descriptors.xml b/java/org/apache/catalina/session/mbeans-descriptors.xml
-index 4f9b01e..4edf79b 100644
--- a/java/org/apache/catalina/session/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/session/mbeans-descriptors.xml
@@ -132,6 +132,15 @@
@@ -365,11 +340,9 @@ index 4f9b01e..4edf79b 100644
<operation name="backgroundProcess"
description="Invalidate all sessions that have expired."
impact="ACTION"
-diff --git a/java/org/apache/catalina/util/CustomObjectInputStream.java b/java/org/apache/catalina/util/CustomObjectInputStream.java
-index f63d777..25793e4 100644
--- a/java/org/apache/catalina/util/CustomObjectInputStream.java
+++ b/java/org/apache/catalina/util/CustomObjectInputStream.java
-@@ -19,9 +19,18 @@ package org.apache.catalina.util;
+@@ -19,9 +19,18 @@
import java.io.IOException;
import java.io.InputStream;
@@ -388,7 +361,7 @@ index f63d777..25793e4 100644
/**
* Custom subclass of <code>ObjectInputStream</code> that loads from the
-@@ -35,14 +44,26 @@ public final class CustomObjectInputStream
+@@ -35,14 +44,26 @@
extends ObjectInputStream {
@@ -416,7 +389,7 @@ index f63d777..25793e4 100644
*
* @param stream The input stream we will read from
* @param classLoader The class loader used to instantiate objects
-@@ -53,10 +74,56 @@ public final class CustomObjectInputStream
+@@ -53,11 +74,57 @@
ClassLoader classLoader)
throws IOException {
@@ -451,7 +424,6 @@ index f63d777..25793e4 100644
+ sm.getString("customObjectInputStream.logRequired"));
+ }
this.classLoader = classLoader;
-- }
+ this.log = log;
+ this.allowedClassNamePattern = allowedClassNamePattern;
+ if (allowedClassNamePattern == null) {
@@ -460,7 +432,7 @@ index f63d777..25793e4 100644
+ this.allowedClassNameFilter = allowedClassNamePattern.toString();
+ }
+ this.warnOnFailure = warnOnFailure;
-
++
+ Set<String> reportedClasses;
+ synchronized (reportedClassCache) {
+ reportedClasses = reportedClassCache.get(classLoader);
@@ -470,11 +442,13 @@ index f63d777..25793e4 100644
+ }
+ }
+ this.reportedClasses = reportedClasses;
-+ }
+ }
+-
/**
* Load the local class equivalent of the specified stream class
-@@ -70,8 +137,24 @@ public final class CustomObjectInputStream
+ * description, by using the class loader assigned to this Context.
+@@ -70,8 +137,24 @@
@Override
public Class<?> resolveClass(ObjectStreamClass classDesc)
throws ClassNotFoundException, IOException {
@@ -500,11 +474,9 @@ index f63d777..25793e4 100644
} catch (ClassNotFoundException e) {
try {
// Try also the superclass because of primitive types
-diff --git a/java/org/apache/catalina/util/LocalStrings.properties b/java/org/apache/catalina/util/LocalStrings.properties
-index 55dea98..6aeb973 100644
--- a/java/org/apache/catalina/util/LocalStrings.properties
+++ b/java/org/apache/catalina/util/LocalStrings.properties
-@@ -17,6 +17,8 @@ parameterMap.locked=No modifications are allowed to a locked ParameterMap
+@@ -17,6 +17,8 @@
resourceSet.locked=No modifications are allowed to a locked ResourceSet
hexUtil.bad=Bad hexadecimal digit
hexUtil.odd=Odd number of hexadecimal digits
@@ -513,11 +485,9 @@ index 55dea98..6aeb973 100644
#Default Messages Utilized by the ExtensionValidator
extensionValidator.web-application-manifest=Web Application Manifest
extensionValidator.extension-not-found-error=ExtensionValidator[{0}][{1}]: Required extension [{2}] not found.
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index d18692c..a0b4788 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
-@@ -308,6 +308,14 @@
+@@ -323,6 +323,14 @@
Add support for the EECDH alias when using the OpenSSL cipher syntax to
define JSSE ciphers. (markt)
</add>
@@ -532,19 +502,9 @@ index d18692c..a0b4788 100644
</changelog>
</subsection>
<subsection name="Jasper">
-diff --git a/webapps/docs/config/cluster-manager.xml b/webapps/docs/config/cluster-manager.xml
-index 377884a..4958a39 100644
--- a/webapps/docs/config/cluster-manager.xml
+++ b/webapps/docs/config/cluster-manager.xml
-@@ -97,6 +97,7 @@
- varied by a servlet via the
- <code>setMaxInactiveInterval</code> method of the <code>HttpSession</code> object.</p>
- </attribute>
-+
- <attribute name="sessionIdLength" required="false">
- <p>The length of session ids created by this Manager, measured in bytes,
- excluding subsequent conversion to a hexadecimal string and
-@@ -182,6 +183,30 @@
+@@ -182,6 +182,30 @@
effective only when <code>sendAllSessions</code> is <code>false</code>.
Default is <code>2000</code> milliseconds.
</attribute>
@@ -575,7 +535,7 @@ index 377884a..4958a39 100644
<attribute name="stateTimestampDrop" required="false">
When this node sends a <code>GET_ALL_SESSIONS</code> message to other
node, all session messages that are received as a response are queued.
-@@ -193,6 +218,17 @@
+@@ -193,6 +217,17 @@
If set to <code>false</code>, all queued session messages are handled.
Default is <code>true</code>.
</attribute>
@@ -593,7 +553,7 @@ index 377884a..4958a39 100644
</attributes>
</subsection>
<subsection name="org.apache.catalina.ha.session.BackupManager Attributes">
-@@ -216,6 +252,30 @@
+@@ -216,6 +251,30 @@
another map.
Default value is <code>15000</code> milliseconds.
</attribute>
@@ -624,7 +584,7 @@ index 377884a..4958a39 100644
<attribute name="terminateOnStartFailure" required="false">
Set to true if you wish to terminate replication map when replication
map fails to start. If replication map is terminated, associated context
-@@ -223,6 +283,17 @@
+@@ -223,6 +282,17 @@
does not end. It will try to join the map membership in the heartbeat.
Default value is <code>false</code> .
</attribute>
@@ -642,8 +602,6 @@ index 377884a..4958a39 100644
</attributes>
</subsection>
</section>
-diff --git a/webapps/docs/config/manager.xml b/webapps/docs/config/manager.xml
-index 3ab728b..3726fe5 100644
--- a/webapps/docs/config/manager.xml
+++ b/webapps/docs/config/manager.xml
@@ -175,6 +175,40 @@
diff --git a/debian/patches/CVE-2016-0763.patch b/debian/patches/CVE-2016-0763.patch
index 1e8e34e..39f5785 100644
--- a/debian/patches/CVE-2016-0763.patch
+++ b/debian/patches/CVE-2016-0763.patch
@@ -1,18 +1,14 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 15:46:37 +0200
-Subject: CVE-2016-0763
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1725929
----
- java/org/apache/naming/factory/ResourceLinkFactory.java | 5 +++++
- webapps/docs/changelog.xml | 4 ++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
-index 808192c..8a43e74 100644
+Description: Fixes CVE-2016-0763: The setGlobalContext method in ResourceLinkFactory
+ in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext
+ callers are authorized, which allows remote authenticated users to bypass intended
+ SecurityManager restrictions and read or write to arbitrary application data,
+ or cause a denial of service (application disruption), via a web application
+ that sets a crafted global context.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1725929
--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
+++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
-@@ -60,6 +60,11 @@ public class ResourceLinkFactory
+@@ -60,6 +60,11 @@
* @param newGlobalContext new global context value
*/
public static void setGlobalContext(Context newGlobalContext) {
@@ -24,11 +20,9 @@ index 808192c..8a43e74 100644
globalContext = newGlobalContext;
}
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index f075094..d18692c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
-@@ -337,6 +337,10 @@
+@@ -360,6 +360,10 @@
Add the <code>StatusManagerServlet</code> to the list of Servlets that
can only be loaded by privileged applications. (markt)
</fix>
diff --git a/debian/patches/CVE-2016-3092.patch b/debian/patches/CVE-2016-3092.patch
new file mode 100644
index 0000000..09f88c1
--- /dev/null
+++ b/debian/patches/CVE-2016-3092.patch
@@ -0,0 +1,29 @@
+Description: Fixes CVE-2016-3092: Denial-of-Service vulnerability
+Origin: backport, https://svn.apache.org/r1743480
+--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
++++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+@@ -289,11 +289,6 @@
+ throw new IllegalArgumentException("boundary may not be null");
+ }
+
+- this.input = input;
+- this.bufSize = bufSize;
+- this.buffer = new byte[bufSize];
+- this.notifier = pNotifier;
+-
+ // We prepend CR/LF to the boundary to chop trailing CR/LF from
+ // body-data tokens.
+ this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+@@ -301,6 +296,12 @@
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartStream is too small");
+ }
++
++ this.input = input;
++ this.bufSize = Math.max(bufSize, boundaryLength*2);
++ this.buffer = new byte[this.bufSize];
++ this.notifier = pNotifier;
++
+ this.boundary = new byte[this.boundaryLength];
+ this.keepRegion = this.boundary.length;
+
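Review bot: The added line `this.bufSize = Math.max(bufSize, boundaryLength*2);` in the second inner hunk silently overrides the buffer size the caller asked for, and neither the code nor the patch header says why. The Description here is only "Denial-of-Service vulnerability" with no Author field, while the sibling patches in this series explain the flaw. I would extend the header and put a comment above the assignment, for example `// Keep the buffer at least twice the boundary length so a boundary almost as long as the buffer cannot slow parsing to a crawl (CVE-2016-3092).` The `if` that guards the "buffer size ... is too small" exception lies outside the hunk, so it is worth confirming against the full file that it still tests the caller-supplied `bufSize` before the new assignment runs. The constructor starts and ends outside the hunk.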
diff --git a/debian/patches/series b/debian/patches/series
index 3b86510..d69cdee 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,9 +14,10 @@
#0020-disable-java8-support-with-jdtcompiler.patch
CVE-2014-7810.patch
CVE-2015-5174.patch
+CVE-2015-5345.patch
CVE-2015-5346.patch
CVE-2015-5351.patch
CVE-2016-0706.patch
-CVE-2016-0763.patch
CVE-2016-0714.patch
-CVE-2015-5345.patch
+CVE-2016-0763.patch
+CVE-2016-3092.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git