[tomcat8] 01/01: Import Debian changes 8.5.14-1+deb9u2
Markus Koschany
apo at moszumanska.debian.org
Thu Apr 12 23:25:45 UTC 2018
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch stretch
in repository tomcat8.
commit b2b30054606d392a0dbf653ed06fcc23abb6eaf1
Author: Markus Koschany <apo at debian.org>
Date: Sun Sep 3 19:51:58 2017 +0200
Import Debian changes 8.5.14-1+deb9u2
tomcat8 (8.5.14-1+deb9u2) stretch-security; urgency=high
* Team upload.
* Fix CVE-2017-7674:
The CORS Filter did not add an HTTP Vary header indicating that the
response varies depending on Origin. This permitted client and server side
cache poisoning in some circumstances.
* Fix CVE-2017-7675:
The HTTP/2 implementation bypassed a number of security checks that
prevented directory traversal attacks. It was therefore possible to bypass
security constraints using a specially crafted URL.
---
debian/changelog | 14 ++++
debian/patches/CVE-2017-7674.patch | 39 ++++++++++
debian/patches/CVE-2017-7675.patch | 153 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 2 +
4 files changed, 208 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 49649e0..180efba 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+tomcat8 (8.5.14-1+deb9u2) stretch-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2017-7674:
+ The CORS Filter did not add an HTTP Vary header indicating that the
+ response varies depending on Origin. This permitted client and server side
+ cache poisoning in some circumstances.
+ * Fix CVE-2017-7675:
+ The HTTP/2 implementation bypassed a number of security checks that
+ prevented directory traversal attacks. It was therefore possible to bypass
+ security constraints using a specially crafted URL.
+
+ -- Markus Koschany <apo at debian.org> Sun, 03 Sep 2017 19:51:58 +0200
+
tomcat8 (8.5.14-1+deb9u1) stretch-security; urgency=high
* Team upload.
diff --git a/debian/patches/CVE-2017-7674.patch b/debian/patches/CVE-2017-7674.patch
new file mode 100644
index 0000000..3131b06
--- /dev/null
+++ b/debian/patches/CVE-2017-7674.patch
@@ -0,0 +1,39 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 2 Sep 2017 14:59:09 +0200
+Subject: CVE-2017-7674
+
+Bug-Debian: https://bugs.debian.org/802312
+Origin: http://svn.apache.org/r1795814
+---
+ java/org/apache/catalina/filters/CorsFilter.java | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/java/org/apache/catalina/filters/CorsFilter.java b/java/org/apache/catalina/filters/CorsFilter.java
+index fcb8d2d..03ef78d 100644
+--- a/java/org/apache/catalina/filters/CorsFilter.java
++++ b/java/org/apache/catalina/filters/CorsFilter.java
+@@ -286,6 +286,10 @@ public class CorsFilter implements Filter {
+ exposedHeadersString);
+ }
+
++ // Indicate the response depends on the origin
++ response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
++ CorsFilter.REQUEST_HEADER_ORIGIN);
++
+ // Forward the request down the filter chain.
+ filterChain.doFilter(request, response);
+ }
+@@ -981,6 +985,13 @@ public class CorsFilter implements Filter {
+ "Access-Control-Allow-Headers";
+
+ // -------------------------------------------------- CORS Request Headers
++
++ /**
++ * The Vary header indicates allows disabling proxy caching by indicating
++ * the the response depends on the origin.
++ */
++ public static final String REQUEST_HEADER_VARY = "Vary";
++
+ /**
+ * The Origin header indicates where the cross-origin request or preflight
+ * request originates from.
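Review bot: The Javadoc added for `REQUEST_HEADER_VARY` is garbled ("indicates allows disabling proxy caching by indicating the the response") and the constant, which names a response header, carries a `REQUEST_HEADER_` prefix and sits under the `CORS Request Headers` banner. Suggest `* The Vary header tells caches that the response depends on the request's Origin, so a response produced for one origin is not reused for another.` and a name such as `RESPONSE_HEADER_VARY` grouped with the response-header constants (keeping the old name as an alias if it is treated as public API). The header is emitted only in the branch that forwards down the filter chain (the actual-CORS path); whether the preflight branch also adds `Vary: Origin` is not visible in this hunk and is worth confirming, since a cached preflight response keyed without Origin carries the same cache-poisoning exposure the changelog describes. Both hunks of the inner patch fall inside methods that start outside this excerpt.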
diff --git a/debian/patches/CVE-2017-7675.patch b/debian/patches/CVE-2017-7675.patch
new file mode 100644
index 0000000..19e1e4a
--- /dev/null
+++ b/debian/patches/CVE-2017-7675.patch
@@ -0,0 +1,153 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 2 Sep 2017 15:03:42 +0200
+Subject: CVE-2017-7675
+
+Bug-Debian: https://bugs.debian.org/802312
+Origin: http://svn.apache.org/r1796091
+---
+ java/org/apache/coyote/http2/Stream.java | 15 +++--
+ test/org/apache/coyote/http2/TestStream.java | 97 ++++++++++++++++++++++++++++
+ 2 files changed, 105 insertions(+), 7 deletions(-)
+ create mode 100644 test/org/apache/coyote/http2/TestStream.java
+
+diff --git a/java/org/apache/coyote/http2/Stream.java b/java/org/apache/coyote/http2/Stream.java
+index 2e3ff88..dfe4daa 100644
+--- a/java/org/apache/coyote/http2/Stream.java
++++ b/java/org/apache/coyote/http2/Stream.java
+@@ -18,6 +18,7 @@ package org.apache.coyote.http2;
+
+ import java.io.IOException;
+ import java.nio.ByteBuffer;
++import java.nio.charset.StandardCharsets;
+ import java.security.AccessController;
+ import java.security.PrivilegedActionException;
+ import java.security.PrivilegedExceptionAction;
+@@ -307,18 +308,18 @@ public class Stream extends AbstractStream implements HeaderEmitter {
+ getConnectionId(), getIdentifier()));
+ }
+ int queryStart = value.indexOf('?');
++ String uri;
+ if (queryStart == -1) {
+- coyoteRequest.requestURI().setString(value);
+- coyoteRequest.decodedURI().setString(
+- coyoteRequest.getURLDecoder().convert(value, false));
++ uri = value;
+ } else {
+- String uri = value.substring(0, queryStart);
++ uri = value.substring(0, queryStart);
+ String query = value.substring(queryStart + 1);
+- coyoteRequest.requestURI().setString(uri);
+- coyoteRequest.decodedURI().setString(
+- coyoteRequest.getURLDecoder().convert(uri, false));
+ coyoteRequest.queryString().setString(query);
+ }
++ // Bug 61120. Set the URI as bytes rather than String so any path
++ // parameters are correctly processed
++ byte[] uriBytes = uri.getBytes(StandardCharsets.ISO_8859_1);
++ coyoteRequest.requestURI().setBytes(uriBytes, 0, uriBytes.length);
+ break;
+ }
+ case ":authority": {
+diff --git a/test/org/apache/coyote/http2/TestStream.java b/test/org/apache/coyote/http2/TestStream.java
+new file mode 100644
+index 0000000..52ff016
+--- /dev/null
++++ b/test/org/apache/coyote/http2/TestStream.java
+@@ -0,0 +1,97 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.coyote.http2;
++
++import java.io.IOException;
++import java.nio.ByteBuffer;
++
++import javax.servlet.ServletException;
++import javax.servlet.http.HttpServlet;
++import javax.servlet.http.HttpServletRequest;
++import javax.servlet.http.HttpServletResponse;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++import org.apache.catalina.Context;
++import org.apache.catalina.startup.Tomcat;
++
++public class TestStream extends Http2TestBase {
++
++ /*
++ * https://bz.apache.org/bugzilla/show_bug.cgi?id=61120
++ */
++ @Test
++ public void testPathParam() throws Exception {
++
++ enableHttp2();
++
++ Tomcat tomcat = getTomcatInstance();
++
++ Context ctxt = tomcat.addContext("", null);
++ Tomcat.addServlet(ctxt, "simple", new SimpleServlet());
++ ctxt.addServletMappingDecoded("/simple", "simple");
++ Tomcat.addServlet(ctxt, "pathparam", new PathParam());
++ ctxt.addServletMappingDecoded("/pathparam", "pathparam");
++
++ tomcat.start();
++
++ openClientConnection();
++ doHttpUpgrade();
++ sendClientPreface();
++ validateHttp2InitialResponse();
++
++ byte[] frameHeader = new byte[9];
++ ByteBuffer headersPayload = ByteBuffer.allocate(128);
++ buildGetRequest(frameHeader, headersPayload, null, 3,
++ "/pathparam;jsessionid=" + PathParam.EXPECTED_SESSION_ID);
++ writeFrame(frameHeader, headersPayload);
++
++ readSimpleGetResponse();
++
++ Assert.assertEquals(
++ "3-HeadersStart\n" +
++ "3-Header-[:status]-[200]\n" +
++ "3-Header-[content-type]-[text/plain;charset=UTF-8]\n" +
++ "3-Header-[date]-[Wed, 11 Nov 2015 19:18:42 GMT]\n" +
++ "3-HeadersEnd\n" +
++ "3-Body-2\n" +
++ "3-EndOfStream\n", output.getTrace());
++ }
++
++
++ private static final class PathParam extends HttpServlet {
++
++ private static final long serialVersionUID = 1L;
++
++ public static final String EXPECTED_SESSION_ID = "0123456789ABCDEF";
++
++ @Override
++ protected void doGet(HttpServletRequest request, HttpServletResponse response)
++ throws ServletException, IOException {
++
++ response.setContentType("text/plain");
++ response.setCharacterEncoding("UTF-8");
++
++ if (EXPECTED_SESSION_ID.equals(request.getRequestedSessionId())) {
++ response.getWriter().write("OK");
++ } else {
++ response.getWriter().write("FAIL");
++ }
++ }
++ }
++}
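Review bot: The comment above the new `uriBytes` lines in `Stream.java` cites only `Bug 61120`, while this patch exists for CVE-2017-7675 and the changelog ties it to a security-constraint bypass; it should say why the byte form matters, e.g. `// Bug 61120 / CVE-2017-7675. Set the URI as bytes rather than String so the shared request-processing path applies its path-parameter, decoding and normalisation steps to HTTP/2 requests exactly as it does for HTTP/1.1`. Dropping the `decodedURI().setString(...)` calls presumably defers decoding to that shared path, but the hunk shows only the Stream side and the enclosing method continues outside it, so that should be confirmed against the adapter code rather than assumed. `uri.getBytes(StandardCharsets.ISO_8859_1)` silently substitutes any non-Latin-1 character in `:path`, which is acceptable only if the pseudo-header has already been validated as a URI — not visible here. The added `TestStream.testPathParam` exercises only the `;jsessionid=` path-parameter case; a companion test asserting that a resource behind a security constraint is still denied over HTTP/2 regardless of how its path is spelled would pin the CVE itself rather than the side effect.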
diff --git a/debian/patches/series b/debian/patches/series
index fe0ccae..d67efd9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,5 @@
0019-add-distribution-to-error-page.patch
0021-dont-test-unsupported-ciphers.patch
CVE-2017-5664.patch
+CVE-2017-7674.patch
+CVE-2017-7675.patch
--