[Git][java-team/tomcat8][stretch] Import Debian changes 8.5.54-0+deb9u2

Markus Koschany gitlab at salsa.debian.org
Tue Jul 14 22:14:24 BST 2020



Markus Koschany pushed to branch stretch at Debian Java Maintainers / tomcat8


Commits:
3f2f4bb5 by Markus Koschany at 2020-07-14T23:13:31+02:00
Import Debian changes 8.5.54-0+deb9u2

tomcat8 (8.5.54-0+deb9u2) stretch-security; urgency=high
  * Non-maintainer upload by the LTS team.
  * Fix CVE-2020-9484:
    When using Apache Tomcat, if a) an attacker is able to control the contents and
    name of a file on the server; and b) the server is configured to use the
    PersistenceManager with a FileStore; and c) the PersistenceManager is
    configured with sessionAttributeValueClassNameFilter="null" (the default
    unless a SecurityManager is used) or a sufficiently lax filter to allow the
    attacker provided object to be deserialized; and d) the attacker knows the
    relative file path from the storage location used by FileStore to the file
    the attacker has control over; then, using a specifically crafted request,
    the attacker will be able to trigger remote code execution via
    deserialization of the file under their control. Note that all of
    conditions a) to d) must be true for the attack to succeed.
  * Fix CVE-2020-11996:
    A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could
    trigger high CPU usage for several seconds. If a sufficient number of such
    requests were made on concurrent HTTP/2 connections, the server could
    become unresponsive.

- - - - -
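Condition c) of the CVE-2020-9484 description is a configuration setting, so as an added illustration (not part of this upload and not taken from the Tomcat documentation) here is a hypothetical per-application context file showing the weak configuration next to a hardened one. The file path, the session directory and the maxIdleBackup value are assumptions; the element and attribute names are Tomcat's own.

```xml
<!-- Hypothetical /etc/tomcat8/Catalina/localhost/myapp.xml (path assumed) -->
<Context>

  <!-- Weak: sessionAttributeValueClassNameFilter is left at its default (null),
       so any class on the classpath may be deserialized from the store.
       This is condition c) of the advisory. Kept here, commented out, for
       comparison only. -->
  <!--
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="60">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat8/sessions"/>
  </Manager>
  -->

  <!-- Hardened: an explicit allow-list of attribute value classes. The value
       is a regular expression matched against the fully qualified class name
       during deserialization; anything that does not match is rejected.
       warnOnSessionAttributeFilterFailure makes a rejection visible at WARN. -->
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="60"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat8/sessions"/>
  </Manager>

</Context>
```

The filter is applied when the stored session is read back, before an attacker-supplied class can be instantiated, so a strict allow-list removes condition c) even on a build without the FileStore path check; the patch in this upload removes condition d) by rejecting session IDs that resolve outside the storage directory. Widen the regex to the value classes the application really stores in sessions, and check the Tomcat log for filter warnings after deploying it.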


4 changed files:

- debian/changelog
- + debian/patches/CVE-2020-11996.patch
- + debian/patches/CVE-2020-9484.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,26 @@
+tomcat8 (8.5.54-0+deb9u2) stretch-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2020-9484:
+    When using Apache Tomcat an attacker is able to control the contents and
+    name of a file on the server; and b) the server is configured to use the
+    PersistenceManager with a FileStore; and c) the PersistenceManager is
+    configured with sessionAttributeValueClassNameFilter="null" (the default
+    unless a SecurityManager is used) or a sufficiently lax filter to allow the
+    attacker provided object to be deserialized; and d) the attacker knows the
+    relative file path from the storage location used by FileStore to the file
+    the attacker has control over; then, using a specifically crafted request,
+    the attacker will be able to trigger remote code execution via
+    deserialization of the file under their control. Note that all of
+    conditions a) to d) must be true for the attack to succeed.
+  * Fix CVE-2020-11996:
+    A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could
+    trigger high CPU usage for several seconds. If a sufficient number of such
+    requests were made on concurrent HTTP/2 connections, the server could
+    become unresponsive.
+
+ -- Markus Koschany <apo at debian.org>  Sun, 12 Jul 2020 19:47:49 +0200
+
 tomcat8 (8.5.54-0+deb9u1) stretch-security; urgency=high
 
   * Team upload.
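Review bot: the condition list in the CVE-2020-9484 entry starts at b); the first condition ("an attacker is able to control the contents and name of a file on the server") lacks its a) label, which the closing sentence "conditions a) to d)" refers back to. Reading "When using Apache Tomcat, if a) an attacker is able to control ..." fixes both the grammar and the dangling reference.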


=====================================
debian/patches/CVE-2020-11996.patch
=====================================
@@ -0,0 +1,100 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 12 Jul 2020 12:44:44 +0200
+Subject: CVE-2020-11996
+
+Origin: https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552
+---
+ .../apache/coyote/http2/Http2UpgradeHandler.java   | 10 +++----
+ .../apache/coyote/http2/TestHttp2Section_5_1.java  | 31 +++++++++++++++++++---
+ webapps/docs/changelog.xml                         |  4 +++
+ 3 files changed, 36 insertions(+), 9 deletions(-)
+
+diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+index 40a379b..bf05d4e 100644
+--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java
++++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+@@ -1582,11 +1582,11 @@ public class Http2UpgradeHandler extends AbstractStream implements InternalHttpU
+     }
+ 
+ 
+-    private void closeIdleStreams(int newMaxActiveRemoteStreamId) throws Http2Exception {
+-        for (int i = maxActiveRemoteStreamId + 2; i < newMaxActiveRemoteStreamId; i += 2) {
+-            Stream stream = getStream(i, false);
+-            if (stream != null) {
+-                stream.closeIfIdle();
++    private void closeIdleStreams(int newMaxActiveRemoteStreamId) {
++        for (Entry<Integer,Stream> entry : streams.entrySet()) {
++            if (entry.getKey().intValue() > maxActiveRemoteStreamId &&
++                    entry.getKey().intValue() < newMaxActiveRemoteStreamId) {
++                entry.getValue().closeIfIdle();
+             }
+         }
+         maxActiveRemoteStreamId = newMaxActiveRemoteStreamId;
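Review bot: the new loop iterates streams.entrySet() while other threads on the connection may be adding or removing streams, so it depends on streams being a concurrent map with a weakly consistent iterator; its declaration is outside this hunk, confirm it is a ConcurrentHashMap and not a HashMap. Two smaller points: Entry<Integer,Stream> is used but the diffstat shows only this hunk for the file, so Map.Entry must already be imported in the 8.5.54 source; and dropping "throws Http2Exception" means any caller that catches Http2Exception only around this call will no longer compile. The substance of the fix is sound: the old loop stepped from maxActiveRemoteStreamId + 2 up to the new maximum, so a single frame naming a stream ID near Integer.MAX_VALUE cost on the order of a billion getStream() lookups, while the new loop is bounded by the number of streams the connection actually holds.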
+diff --git a/test/org/apache/coyote/http2/TestHttp2Section_5_1.java b/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
+index 78fe1d6..e9433b7 100644
+--- a/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
++++ b/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
+@@ -152,21 +152,44 @@ public class TestHttp2Section_5_1 extends Http2TestBase {
+ 
+     @Test
+     public void testImplicitClose() throws Exception {
++        doTestImplicitClose(5);
++    }
++
++
++    // https://bz.apache.org/bugzilla/show_bug.cgi?id=64467
++    @Test
++    public void testImplicitCloseLargeId() throws Exception {
++        doTestImplicitClose(Integer.MAX_VALUE - 8);
++    }
++
++
++    private void doTestImplicitClose(int lastStreamId) throws Exception {
++
++        long startFirst = System.nanoTime();
+         http2Connect();
++        long durationFirst = System.nanoTime() - startFirst;
+ 
+         sendPriority(3, 0, 16);
+-        sendPriority(5, 0, 16);
++        sendPriority(lastStreamId, 0, 16);
+ 
+-        sendSimpleGetRequest(5);
++        long startSecond = System.nanoTime();
++        sendSimpleGetRequest(lastStreamId);
+         readSimpleGetResponse();
+-        Assert.assertEquals(getSimpleResponseTrace(5), output.getTrace());
++        long durationSecond = System.nanoTime() - startSecond;
++
++        Assert.assertEquals(getSimpleResponseTrace(lastStreamId), output.getTrace());
+         output.clearTrace();
+ 
++        // Allow second request to take up to 5 times first request or up to 1 second - whichever is the larger - mainly
++        // to allow for CI systems under load that can exhibit significant timing variation.
++        Assert.assertTrue("First request took [" + durationFirst/1000000 + "ms], second request took [" +
++                durationSecond/1000000 + "ms]", durationSecond < 1000000000 || durationSecond < durationFirst * 3);
++
+         // Should trigger an error since stream 3 should have been implicitly
+         // closed.
+         sendSimpleGetRequest(3);
+ 
+-        handleGoAwayResponse(5);
++        handleGoAwayResponse(lastStreamId);
+     }
+ 
+ 
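Review bot: the comment and the assertion disagree: the comment allows the second request "up to 5 times first request or up to 1 second", but the condition is durationSecond < 1000000000 || durationSecond < durationFirst * 3. Change either the comment to 3 or the multiplier to 5. Note also that durationFirst covers the whole http2Connect() handshake while durationSecond covers a single GET, so the ratio is generous by construction and the 1 second bound is what actually catches the regression on a fast machine.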
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 248d71d..823944e 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -1009,6 +1009,10 @@
+         Service to crash on start when running on an operating system that had
+         not been fully updated. (markt)
+       </update>
++      <fix>
++        <bug>64467</bug>: Improve performance of closing idle HTTP/2 streams.
++        (markt)
++      </fix>
+     </changelog>
+   </subsection>
+ </section>
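Review bot: the upstream entry records this only as a performance fix for bug 64467 and never names the CVE, and the DEP-3 header of this patch carries just Subject: CVE-2020-11996 and Origin:, with no Bug: or Bug-Debian: field (the CVE-2020-9484 patch has Bug-Debian:). Add Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=64467 and a one-line Description: so the link between the CVE and the Tomcat bug is preserved in the patch metadata rather than only in the upstream commit.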


=====================================
debian/patches/CVE-2020-9484.patch
=====================================
@@ -0,0 +1,85 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 12 Jul 2020 12:45:37 +0200
+Subject: CVE-2020-9484
+
+Bug-Debian: https://bugs.debian.org/961209
+Origin: https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f
+---
+ java/org/apache/catalina/session/FileStore.java       | 19 +++++++++++++++++--
+ .../apache/catalina/session/LocalStrings.properties   |  1 +
+ webapps/docs/changelog.xml                            |  3 +++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/catalina/session/FileStore.java b/java/org/apache/catalina/session/FileStore.java
+index 73016ff..2e2c6c6 100644
+--- a/java/org/apache/catalina/session/FileStore.java
++++ b/java/org/apache/catalina/session/FileStore.java
+@@ -33,6 +33,8 @@ import org.apache.catalina.Context;
+ import org.apache.catalina.Globals;
+ import org.apache.catalina.Session;
+ import org.apache.juli.logging.Log;
++import org.apache.juli.logging.LogFactory;
++import org.apache.tomcat.util.res.StringManager;
+ 
+ /**
+  * Concrete implementation of the <b>Store</b> interface that utilizes
+@@ -43,6 +45,10 @@ import org.apache.juli.logging.Log;
+  */
+ public final class FileStore extends StoreBase {
+ 
++    private static final Log log = LogFactory.getLog(FileStore.class);
++    private static final StringManager sm = StringManager.getManager(FileStore.class);
++
++
+     // ----------------------------------------------------- Constants
+ 
+     /**
+@@ -336,11 +342,20 @@ public final class FileStore extends StoreBase {
+      *    used in the file naming.
+      */
+     private File file(String id) throws IOException {
+-        if (this.directory == null) {
++        File storageDir = directory();
++        if (storageDir == null) {
+             return null;
+         }
++
+         String filename = id + FILE_EXT;
+-        File file = new File(directory(), filename);
++        File file = new File(storageDir, filename);
++
++        // Check the file is within the storage directory
++        if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
++            log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
++            return null;
++        }
++
+         return file;
+     }
+ }
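Review bot: the containment check is a plain string prefix test, so a path such as /var/lib/tomcat8/sessions2/x.session passes when storageDir canonicalises to /var/lib/tomcat8/sessions. Compare against storageDir.getCanonicalPath() + File.separator, or compare file.getCanonicalFile().getParentFile() with storageDir.getCanonicalFile(), taking care when the store is a filesystem root. Canonicalising both sides is the right choice, since it also resolves symlinks an attacker may have planted under the store. Returning null reuses the existing "directory == null" contract, so load(), save() and remove() should already cope, but confirm each caller checks for null. The warning logs the raw id, which is attacker-controlled; that is acceptable for a session ID, and keeping it at WARN rather than DEBUG means a traversal attempt is visible in catalina.out.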
+diff --git a/java/org/apache/catalina/session/LocalStrings.properties b/java/org/apache/catalina/session/LocalStrings.properties
+index 289b272..da92bd7 100644
+--- a/java/org/apache/catalina/session/LocalStrings.properties
++++ b/java/org/apache/catalina/session/LocalStrings.properties
+@@ -29,6 +29,7 @@ JDBCStore.wrongDataSource=Cannot open JNDI DataSource [{0}]
+ fileStore.createFailed=Unable to create directory [{0}] for the storage of session data
+ fileStore.deleteFailed=Unable to delete file [{0}] which is preventing the creation of the session storage location
+ fileStore.deleteSessionFailed=Unable to delete file [{0}] which is no longer required
++fileStore.invalid=Invalid persistence file [{0}] for session ID [{1}]
+ fileStore.loading=Loading Session [{0}] from file [{1}]
+ fileStore.removing=Removing Session [{0}] at file [{1}]
+ fileStore.saving=Saving Session [{0}] to file [{1}]
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 823944e..bb17a96 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -79,6 +79,9 @@
+         replacement in configuration files. Based on a pull request provided by
+         Bernd Bohmann. (markt)
+       </fix>
++      <add>
++        Improve validation of storage location when using FileStore. (markt)
++      </add>
+     </changelog>
+   </subsection>
+   <subsection name="Coyote">
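Review bot: the index line 823944e..bb17a96 is the post-image of the CVE-2020-11996 patch's changelog.xml hunk, so this patch only applies cleanly after that one. The webapps/docs/changelog.xml hunks contribute nothing to either fix; dropping them from both Debian patches would remove the ordering dependency and the fuzz that appears every time another upstream changelog entry is backported.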


=====================================
debian/patches/series
=====================================
@@ -7,3 +7,5 @@
 0010-debianize-build-xml.patch
 0021-dont-test-unsupported-ciphers.patch
 0018-fix-manager-webapp.patch
+CVE-2020-11996.patch
+CVE-2020-9484.patch
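Review bot: the order CVE-2020-11996.patch before CVE-2020-9484.patch is required, not incidental, because both patches touch webapps/docs/changelog.xml and the second patch's pre-image for that file is the first patch's post-image. A comment in series or in the patch headers would save the next uploader from reordering them and hitting a reject.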



View it on GitLab: https://salsa.debian.org/java-team/tomcat8/-/commit/3f2f4bb56e9c6340a23abbdd6ff09a75d9db5d5e
