[tomcat8] 03/11: Enhanced the description of the patches

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Sat Nov 12 00:15:02 UTC 2016


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat8.

commit d2125fc4a5a5d895650e3b539cc346919c273625
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Wed Jun 22 19:37:34 2016 +0200

    Enhanced the description of the patches
---
 debian/patches/CVE-2015-5174.patch | 20 ++++-----
 debian/patches/CVE-2015-5345.patch | 29 +++----------
 debian/patches/CVE-2015-5346.patch | 36 ++++++----------
 debian/patches/CVE-2015-5351.patch | 36 +++-------------
 debian/patches/CVE-2016-0706.patch | 21 +++------
 debian/patches/CVE-2016-0714.patch | 88 ++++++++++++--------------------------
 debian/patches/CVE-2016-0763.patch | 24 ++++-------
 7 files changed, 77 insertions(+), 177 deletions(-)

diff --git a/debian/patches/CVE-2015-5174.patch b/debian/patches/CVE-2015-5174.patch
index 989a383..5c927a4 100644
--- a/debian/patches/CVE-2015-5174.patch
+++ b/debian/patches/CVE-2015-5174.patch
@@ -1,15 +1,11 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 01:54:08 +0000
-Subject: CVE-2015-5174
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1696281
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1700897
----
- java/org/apache/tomcat/util/http/RequestUtil.java  |  45 ++++++----
- .../apache/tomcat/util/http/TestRequestUtil.java   | 100 +++++++++++++++++++--
- webapps/docs/changelog.xml                         |  11 +++
- 3 files changed, 135 insertions(+), 21 deletions(-)
-
+Description: Fixes CVE-2015-5174: Directory traversal vulnerability in RequestUtil
+ allows remote authenticated users to bypass intended SecurityManager restrictions
+ and list a parent directory via a /.. (slash dot dot) in a pathname used by a
+ web application in a getResource, getResourceAsStream, or getResourcePaths call,
+ as demonstrated by the $CATALINA_BASE/webapps directory.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1696281
+                  https://svn.apache.org/r1700897
 --- a/java/org/apache/tomcat/util/http/RequestUtil.java
 +++ b/java/org/apache/tomcat/util/http/RequestUtil.java
 @@ -56,9 +56,6 @@
diff --git a/debian/patches/CVE-2015-5345.patch b/debian/patches/CVE-2015-5345.patch
index 4e1547f..f771868 100644
--- a/debian/patches/CVE-2015-5345.patch
+++ b/debian/patches/CVE-2015-5345.patch
@@ -1,25 +1,10 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sun, 29 May 2016 18:09:44 +0200
-Subject: CVE-2015-5345
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1715207
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1717209
----
- java/org/apache/catalina/Context.java              | 40 ++++++++++++++
- .../catalina/authenticator/FormAuthenticator.java  | 14 +++++
- java/org/apache/catalina/core/StandardContext.java | 35 ++++++++++++
- .../apache/catalina/core/mbeans-descriptors.xml    |  8 +++
- java/org/apache/catalina/mapper/Mapper.java        | 31 ++++++-----
- .../apache/catalina/servlets/DefaultServlet.java   | 28 +++++++++-
- .../apache/catalina/servlets/WebdavServlet.java    |  5 ++
- .../org/apache/catalina/startup/FailedContext.java | 19 ++++++-
- test/org/apache/catalina/core/TesterContext.java   | 17 ++++++
- .../apache/catalina/mapper/TestMapperWebapps.java  | 64 ++++++++++++++++++++++
- .../apache/catalina/startup/TomcatBaseTest.java    |  3 +-
- webapps/docs/changelog.xml                         | 15 +++++
- webapps/docs/config/context.xml                    | 16 ++++++
- 13 files changed, 276 insertions(+), 19 deletions(-)
-
+Description: Fixes CVE-2015-5345: The Mapper component in Apache Tomcat processes
+ redirects before considering security constraints and Filters, which allows
+ remote attackers to determine the existence of a directory via a URL that lacks
+ a trailing / (slash) character.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1715207
+                  https://svn.apache.org/r1717209
 --- a/java/org/apache/catalina/Context.java
 +++ b/java/org/apache/catalina/Context.java
 @@ -1674,4 +1674,44 @@
diff --git a/debian/patches/CVE-2015-5346.patch b/debian/patches/CVE-2015-5346.patch
index 95f08bc..399196f 100644
--- a/debian/patches/CVE-2015-5346.patch
+++ b/debian/patches/CVE-2015-5346.patch
@@ -1,20 +1,14 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 03:11:58 +0000
-Subject: CVE-2015-5346
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1713185
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1723506
----
- .../apache/catalina/connector/CoyoteAdapter.java   |  8 ++--
- java/org/apache/catalina/connector/Request.java    | 52 ++++++++++++++--------
- webapps/docs/changelog.xml                         |  8 ++++
- 3 files changed, 46 insertions(+), 22 deletions(-)
-
-diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java b/java/org/apache/catalina/connector/CoyoteAdapter.java
-index e3ff219..775862d 100644
+Description: Fixes CVE-2015-5346: Session fixation vulnerability in Apache Tomcat
+ when different session settings are used for deployments of multiple versions
+ of the same web application, might allow remote attackers to hijack web sessions
+ by leveraging use of a requestedSessionSSL field for an unintended request,
+ related to CoyoteAdapter.java and Request.java.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1713185
+                  https://svn.apache.org/r1723506
 --- a/java/org/apache/catalina/connector/CoyoteAdapter.java
 +++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
-@@ -941,9 +941,11 @@ public class CoyoteAdapter implements Adapter {
+@@ -941,9 +941,11 @@
                                  // Reset mapping
                                  request.getMappingData().recycle();
                                  mapRequired = true;
@@ -29,11 +23,9 @@ index e3ff219..775862d 100644
                              }
                              break;
                          }
-diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
-index 2d24ba4..55682be 100644
 --- a/java/org/apache/catalina/connector/Request.java
 +++ b/java/org/apache/catalina/connector/Request.java
-@@ -287,6 +287,11 @@ public class Request
+@@ -287,6 +287,11 @@
       */
      protected boolean cookiesParsed = false;
  
@@ -45,7 +37,7 @@ index 2d24ba4..55682be 100644
  
      /**
       * Secure flag.
-@@ -461,7 +466,6 @@ public class Request
+@@ -461,7 +466,6 @@
              parts = null;
          }
          partsParseException = null;
@@ -53,7 +45,7 @@ index 2d24ba4..55682be 100644
          locales.clear();
          localesParsed = false;
          secure = false;
-@@ -475,20 +479,9 @@ public class Request
+@@ -475,20 +479,9 @@
          attributes.clear();
          sslAttributesParsed = false;
          notes.clear();
@@ -76,7 +68,7 @@ index 2d24ba4..55682be 100644
  
          if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) {
              parameterMap = new ParameterMap<>();
-@@ -531,11 +524,32 @@ public class Request
+@@ -531,11 +524,32 @@
      }
  
  
@@ -114,8 +106,6 @@ index 2d24ba4..55682be 100644
          return (inputBuffer.realReadBytes(null, 0, 0) > 0);
      }
  
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index f552c88..cb4c914 100644
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
 @@ -184,6 +184,10 @@
diff --git a/debian/patches/CVE-2015-5351.patch b/debian/patches/CVE-2015-5351.patch
index 88b34d0..8ca74aa 100644
--- a/debian/patches/CVE-2015-5351.patch
+++ b/debian/patches/CVE-2015-5351.patch
@@ -1,21 +1,9 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 03:13:41 +0000
-Subject: CVE-2015-5351
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1720658
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1720660
----
- webapps/docs/changelog.xml               | 7 +++++++
- webapps/host-manager/WEB-INF/jsp/401.jsp | 1 +
- webapps/host-manager/WEB-INF/jsp/403.jsp | 1 +
- webapps/host-manager/WEB-INF/jsp/404.jsp | 3 ++-
- webapps/host-manager/index.jsp           | 4 ++--
- webapps/manager/WEB-INF/web.xml          | 1 -
- webapps/manager/index.jsp                | 4 ++--
- 7 files changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index cb4c914..92d5b3c 100644
+Description: Fixes CVE-2015-5351: The Manager and Host Manager applications establish
+ sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers
+ to bypass a CSRF protection mechanism by using a token.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1720658
+                  https://svn.apache.org/r1720660
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
 @@ -326,6 +326,13 @@
@@ -32,8 +20,6 @@ index cb4c914..92d5b3c 100644
      </changelog>
    </subsection>
    <subsection name="WebSocket">
-diff --git a/webapps/host-manager/WEB-INF/jsp/401.jsp b/webapps/host-manager/WEB-INF/jsp/401.jsp
-index 83c8c6f..047766b 100644
 --- a/webapps/host-manager/WEB-INF/jsp/401.jsp
 +++ b/webapps/host-manager/WEB-INF/jsp/401.jsp
 @@ -14,6 +14,7 @@
@@ -44,8 +30,6 @@ index 83c8c6f..047766b 100644
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <html>
   <head>
-diff --git a/webapps/host-manager/WEB-INF/jsp/403.jsp b/webapps/host-manager/WEB-INF/jsp/403.jsp
-index 2dbb448..5eff6f0 100644
 --- a/webapps/host-manager/WEB-INF/jsp/403.jsp
 +++ b/webapps/host-manager/WEB-INF/jsp/403.jsp
 @@ -14,6 +14,7 @@
@@ -56,8 +40,6 @@ index 2dbb448..5eff6f0 100644
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <html>
   <head>
-diff --git a/webapps/host-manager/WEB-INF/jsp/404.jsp b/webapps/host-manager/WEB-INF/jsp/404.jsp
-index d1b5b0b..9816df5 100644
 --- a/webapps/host-manager/WEB-INF/jsp/404.jsp
 +++ b/webapps/host-manager/WEB-INF/jsp/404.jsp
 @@ -14,7 +14,8 @@
@@ -70,8 +52,6 @@ index d1b5b0b..9816df5 100644
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <html>
   <head>
-diff --git a/webapps/host-manager/index.jsp b/webapps/host-manager/index.jsp
-index d4816e5..2806b76 100644
 --- a/webapps/host-manager/index.jsp
 +++ b/webapps/host-manager/index.jsp
 @@ -14,5 +14,5 @@
@@ -84,8 +64,6 @@ index d4816e5..2806b76 100644
 +<%@ page session="false" trimDirectiveWhitespaces="true" %>
 +<% response.sendRedirect(request.getContextPath() + "/html"); %>
 \ No newline at end of file
-diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml
-index 230199e..ef917e6 100644
 --- a/webapps/manager/WEB-INF/web.xml
 +++ b/webapps/manager/WEB-INF/web.xml
 @@ -115,7 +115,6 @@
@@ -96,8 +74,6 @@ index 230199e..ef917e6 100644
    </filter-mapping>
  
    <!-- Define a Security Constraint on this Application -->
-diff --git a/webapps/manager/index.jsp b/webapps/manager/index.jsp
-index d4816e5..ff4f47b 100644
 --- a/webapps/manager/index.jsp
 +++ b/webapps/manager/index.jsp
 @@ -14,5 +14,5 @@
diff --git a/debian/patches/CVE-2016-0706.patch b/debian/patches/CVE-2016-0706.patch
index 4f497d4..84cdd5d 100644
--- a/debian/patches/CVE-2016-0706.patch
+++ b/debian/patches/CVE-2016-0706.patch
@@ -1,15 +1,10 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 13:15:51 +0000
-Subject: CVE-2016-0706
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1722800
----
- java/org/apache/catalina/core/RestrictedServlets.properties | 1 +
- webapps/docs/changelog.xml                                  | 4 ++++
- 2 files changed, 5 insertions(+)
-
-diff --git a/java/org/apache/catalina/core/RestrictedServlets.properties b/java/org/apache/catalina/core/RestrictedServlets.properties
-index d336968..cefa249 100644
+Description: Fixes CVE-2016-0706: Apache Tomcat does not place StatusManagerServlet
+ on the RestrictedServlets.properties list, which allows remote authenticated
+ users to bypass intended SecurityManager restrictions  and read arbitrary HTTP
+ requests, and consequently discover session ID  values, via a crafted web
+ application.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1722800
 --- a/java/org/apache/catalina/core/RestrictedServlets.properties
 +++ b/java/org/apache/catalina/core/RestrictedServlets.properties
 @@ -16,3 +16,4 @@
@@ -17,8 +12,6 @@ index d336968..cefa249 100644
  org.apache.catalina.servlets.CGIServlet=restricted
  org.apache.catalina.manager.JMXProxyServlet=restricted
 +org.apache.catalina.manager.StatusManagerServlet=restricted
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index 92d5b3c..f075094 100644
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
 @@ -333,6 +333,10 @@
diff --git a/debian/patches/CVE-2016-0714.patch b/debian/patches/CVE-2016-0714.patch
index f3fd235..5d6fae2 100644
--- a/debian/patches/CVE-2016-0714.patch
+++ b/debian/patches/CVE-2016-0714.patch
@@ -1,28 +1,13 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sun, 29 May 2016 15:11:37 +0200
-Subject: CVE-2016-0714
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1726196
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1726203
----
- .../catalina/ha/session/ClusterManagerBase.java    |   3 +
- .../catalina/ha/session/mbeans-descriptors.xml     |  24 +++
- .../catalina/session/LocalStrings.properties       |   2 +
- java/org/apache/catalina/session/ManagerBase.java  | 172 ++++++++++++++++++++-
- .../apache/catalina/session/StandardManager.java   |   9 +-
- .../apache/catalina/session/mbeans-descriptors.xml |  20 +++
- .../catalina/util/CustomObjectInputStream.java     |  89 ++++++++++-
- .../apache/catalina/util/LocalStrings.properties   |   2 +
- webapps/docs/changelog.xml                         |   8 +
- webapps/docs/config/cluster-manager.xml            |  71 +++++++++
- webapps/docs/config/manager.xml                    |  69 +++++++++
- 11 files changed, 463 insertions(+), 6 deletions(-)
-
-diff --git a/java/org/apache/catalina/ha/session/ClusterManagerBase.java b/java/org/apache/catalina/ha/session/ClusterManagerBase.java
-index 8eb284d..ee601a8 100644
+Description: Fixes CVE-2016-0714: The session-persistence implementation mishandles
+ session attributes, which allows remote authenticated users to bypass intended
+ SecurityManager restrictions and execute arbitrary code in a privileged context
+ via a web application that places a crafted object in a session.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1726196
+                  https://svn.apache.org/r1726203
 --- a/java/org/apache/catalina/ha/session/ClusterManagerBase.java
 +++ b/java/org/apache/catalina/ha/session/ClusterManagerBase.java
-@@ -196,6 +196,9 @@ public abstract class ClusterManagerBase extends ManagerBase implements ClusterM
+@@ -196,6 +196,9 @@
          copy.setProcessExpiresFrequency(getProcessExpiresFrequency());
          copy.setNotifyListenersOnReplication(isNotifyListenersOnReplication());
          copy.setSessionAttributeFilter(getSessionAttributeFilter());
@@ -32,8 +17,6 @@ index 8eb284d..ee601a8 100644
          copy.setSecureRandomClass(getSecureRandomClass());
          copy.setSecureRandomProvider(getSecureRandomProvider());
          copy.setSecureRandomAlgorithm(getSecureRandomAlgorithm());
-diff --git a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
-index 76a689e..feff5cc 100644
 --- a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
 +++ b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
 @@ -309,6 +309,18 @@
@@ -74,11 +57,9 @@ index 76a689e..feff5cc 100644
      <operation
        name="expireSession"
        description="Expired the given session"
-diff --git a/java/org/apache/catalina/session/LocalStrings.properties b/java/org/apache/catalina/session/LocalStrings.properties
-index 7b00a4c..67eb04e 100644
 --- a/java/org/apache/catalina/session/LocalStrings.properties
 +++ b/java/org/apache/catalina/session/LocalStrings.properties
-@@ -32,6 +32,8 @@ JDBCStore.missingDataSourceName=No valid JNDI name was given.
+@@ -32,6 +32,8 @@
  JDBCStore.commitSQLException=SQLException committing connection before closing
  managerBase.container.noop=Managers added to containers other than Contexts will never be used
  managerBase.createSession.ise=createSession: Too many active sessions
@@ -87,11 +68,9 @@ index 7b00a4c..67eb04e 100644
  managerBase.sessionTimeout=Invalid session timeout setting {0}
  standardManager.loading=Loading persisted sessions from {0}
  standardManager.loading.exception=Exception while loading persisted sessions
-diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
-index b09348a..ada88f1 100644
 --- a/java/org/apache/catalina/session/ManagerBase.java
 +++ b/java/org/apache/catalina/session/ManagerBase.java
-@@ -32,10 +32,13 @@ import java.util.List;
+@@ -32,10 +32,13 @@
  import java.util.Map;
  import java.util.concurrent.ConcurrentHashMap;
  import java.util.concurrent.atomic.AtomicLong;
@@ -105,7 +84,7 @@ index b09348a..ada88f1 100644
  import org.apache.catalina.LifecycleException;
  import org.apache.catalina.Manager;
  import org.apache.catalina.Session;
-@@ -210,8 +213,57 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+@@ -210,8 +213,57 @@
      protected final PropertyChangeSupport support =
              new PropertyChangeSupport(this);
  
@@ -164,7 +143,7 @@ index b09348a..ada88f1 100644
  
      @Override
      @Deprecated
-@@ -220,6 +272,86 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+@@ -220,6 +272,86 @@
      }
  
  
@@ -251,7 +230,7 @@ index b09348a..ada88f1 100644
      @Override
      @Deprecated
      public void setContainer(Container container) {
-@@ -839,6 +971,44 @@ public abstract class ManagerBase extends LifecycleMBeanBase
+@@ -839,6 +971,44 @@
                  notifySessionListeners, notifyContainerListeners);
      }
  
@@ -296,11 +275,9 @@ index b09348a..ada88f1 100644
  
      // ------------------------------------------------------ Protected Methods
  
-diff --git a/java/org/apache/catalina/session/StandardManager.java b/java/org/apache/catalina/session/StandardManager.java
-index b1eb80b..a63ae7e 100644
 --- a/java/org/apache/catalina/session/StandardManager.java
 +++ b/java/org/apache/catalina/session/StandardManager.java
-@@ -208,19 +208,24 @@ public class StandardManager extends ManagerBase {
+@@ -208,19 +208,24 @@
          BufferedInputStream bis = null;
          ObjectInputStream ois = null;
          Loader loader = null;
@@ -327,8 +304,6 @@ index b1eb80b..a63ae7e 100644
              } else {
                  if (log.isDebugEnabled())
                      log.debug("Creating standard object input stream");
-diff --git a/java/org/apache/catalina/session/mbeans-descriptors.xml b/java/org/apache/catalina/session/mbeans-descriptors.xml
-index 4f9b01e..4edf79b 100644
 --- a/java/org/apache/catalina/session/mbeans-descriptors.xml
 +++ b/java/org/apache/catalina/session/mbeans-descriptors.xml
 @@ -132,6 +132,15 @@
@@ -365,11 +340,9 @@ index 4f9b01e..4edf79b 100644
      <operation   name="backgroundProcess"
            description="Invalidate all sessions that have expired."
                 impact="ACTION"
-diff --git a/java/org/apache/catalina/util/CustomObjectInputStream.java b/java/org/apache/catalina/util/CustomObjectInputStream.java
-index f63d777..25793e4 100644
 --- a/java/org/apache/catalina/util/CustomObjectInputStream.java
 +++ b/java/org/apache/catalina/util/CustomObjectInputStream.java
-@@ -19,9 +19,18 @@ package org.apache.catalina.util;
+@@ -19,9 +19,18 @@
  
  import java.io.IOException;
  import java.io.InputStream;
@@ -388,7 +361,7 @@ index f63d777..25793e4 100644
  
  /**
   * Custom subclass of <code>ObjectInputStream</code> that loads from the
-@@ -35,14 +44,26 @@ public final class CustomObjectInputStream
+@@ -35,14 +44,26 @@
      extends ObjectInputStream {
  
  
@@ -416,7 +389,7 @@ index f63d777..25793e4 100644
       *
       * @param stream The input stream we will read from
       * @param classLoader The class loader used to instantiate objects
-@@ -53,10 +74,56 @@ public final class CustomObjectInputStream
+@@ -53,11 +74,57 @@
                                     ClassLoader classLoader)
          throws IOException {
  
@@ -451,7 +424,6 @@ index f63d777..25793e4 100644
 +                    sm.getString("customObjectInputStream.logRequired"));
 +        }
          this.classLoader = classLoader;
--    }
 +        this.log = log;
 +        this.allowedClassNamePattern = allowedClassNamePattern;
 +        if (allowedClassNamePattern == null) {
@@ -460,7 +432,7 @@ index f63d777..25793e4 100644
 +            this.allowedClassNameFilter = allowedClassNamePattern.toString();
 +        }
 +        this.warnOnFailure = warnOnFailure;
- 
++
 +        Set<String> reportedClasses;
 +        synchronized (reportedClassCache) {
 +            reportedClasses = reportedClassCache.get(classLoader);
@@ -470,11 +442,13 @@ index f63d777..25793e4 100644
 +            }
 +        }
 +        this.reportedClasses = reportedClasses;
-+    }
+     }
  
+-
      /**
       * Load the local class equivalent of the specified stream class
-@@ -70,8 +137,24 @@ public final class CustomObjectInputStream
+      * description, by using the class loader assigned to this Context.
+@@ -70,8 +137,24 @@
      @Override
      public Class<?> resolveClass(ObjectStreamClass classDesc)
          throws ClassNotFoundException, IOException {
@@ -500,11 +474,9 @@ index f63d777..25793e4 100644
          } catch (ClassNotFoundException e) {
              try {
                  // Try also the superclass because of primitive types
-diff --git a/java/org/apache/catalina/util/LocalStrings.properties b/java/org/apache/catalina/util/LocalStrings.properties
-index 55dea98..6aeb973 100644
 --- a/java/org/apache/catalina/util/LocalStrings.properties
 +++ b/java/org/apache/catalina/util/LocalStrings.properties
-@@ -17,6 +17,8 @@ parameterMap.locked=No modifications are allowed to a locked ParameterMap
+@@ -17,6 +17,8 @@
  resourceSet.locked=No modifications are allowed to a locked ResourceSet
  hexUtil.bad=Bad hexadecimal digit
  hexUtil.odd=Odd number of hexadecimal digits
@@ -513,8 +485,6 @@ index 55dea98..6aeb973 100644
  #Default Messages Utilized by the ExtensionValidator
  extensionValidator.web-application-manifest=Web Application Manifest
  extensionValidator.extension-not-found-error=ExtensionValidator[{0}][{1}]: Required extension [{2}] not found.
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index d18692c..a0b4788 100644
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
 @@ -308,6 +308,14 @@
@@ -532,11 +502,9 @@ index d18692c..a0b4788 100644
      </changelog>
    </subsection>
    <subsection name="Jasper">
-diff --git a/webapps/docs/config/cluster-manager.xml b/webapps/docs/config/cluster-manager.xml
-index 377884a..4958a39 100644
 --- a/webapps/docs/config/cluster-manager.xml
 +++ b/webapps/docs/config/cluster-manager.xml
-@@ -182,6 +183,30 @@
+@@ -182,6 +182,30 @@
          effective only when <code>sendAllSessions</code> is <code>false</code>.
          Default is <code>2000</code> milliseconds.
        </attribute>
@@ -567,7 +535,7 @@ index 377884a..4958a39 100644
        <attribute name="stateTimestampDrop" required="false">
          When this node sends a <code>GET_ALL_SESSIONS</code> message to other
          node, all session messages that are received as a response are queued.
-@@ -193,6 +218,17 @@
+@@ -193,6 +217,17 @@
          If set to <code>false</code>, all queued session messages are handled.
          Default is <code>true</code>.
        </attribute>
@@ -585,7 +553,7 @@ index 377884a..4958a39 100644
      </attributes>
    </subsection>
    <subsection name="org.apache.catalina.ha.session.BackupManager Attributes">
-@@ -216,6 +252,30 @@
+@@ -216,6 +251,30 @@
          another map.
          Default value is <code>15000</code> milliseconds.
        </attribute>
@@ -616,7 +584,7 @@ index 377884a..4958a39 100644
        <attribute name="terminateOnStartFailure" required="false">
          Set to true if you wish to terminate replication map when replication
          map fails to start. If replication map is terminated, associated context
-@@ -223,6 +283,17 @@
+@@ -223,6 +282,17 @@
          does not end. It will try to join the map membership in the heartbeat.
          Default value is <code>false</code> .
        </attribute>
@@ -634,8 +602,6 @@ index 377884a..4958a39 100644
      </attributes>
    </subsection>
  </section>
-diff --git a/webapps/docs/config/manager.xml b/webapps/docs/config/manager.xml
-index 3ab728b..3726fe5 100644
 --- a/webapps/docs/config/manager.xml
 +++ b/webapps/docs/config/manager.xml
 @@ -175,6 +175,40 @@
diff --git a/debian/patches/CVE-2016-0763.patch b/debian/patches/CVE-2016-0763.patch
index 1e8e34e..313cc21 100644
--- a/debian/patches/CVE-2016-0763.patch
+++ b/debian/patches/CVE-2016-0763.patch
@@ -1,18 +1,14 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 28 May 2016 15:46:37 +0200
-Subject: CVE-2016-0763
-
-Origin: https://svn.apache.org/viewvc?view=revision&revision=1725929
----
- java/org/apache/naming/factory/ResourceLinkFactory.java | 5 +++++
- webapps/docs/changelog.xml                              | 4 ++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
-index 808192c..8a43e74 100644
+Description: Fixes CVE-2016-0763: The setGlobalContext method in ResourceLinkFactory
+ in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext
+ callers are authorized, which allows remote authenticated users to bypass intended
+ SecurityManager restrictions and read or write to arbitrary application data,
+ or cause a denial of service (application disruption), via a web application
+ that sets a crafted global context.
+Author: Markus Koschany <apo at debian.org>
+Origin: backport, https://svn.apache.org/r1725929
 --- a/java/org/apache/naming/factory/ResourceLinkFactory.java
 +++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
-@@ -60,6 +60,11 @@ public class ResourceLinkFactory
+@@ -60,6 +60,11 @@
       * @param newGlobalContext new global context value
       */
      public static void setGlobalContext(Context newGlobalContext) {
@@ -24,8 +20,6 @@ index 808192c..8a43e74 100644
          globalContext = newGlobalContext;
      }
  
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index f075094..d18692c 100644
 --- a/webapps/docs/changelog.xml
 +++ b/webapps/docs/changelog.xml
 @@ -337,6 +337,10 @@

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git



More information about the pkg-java-commits mailing list