[Git][java-team/tomcat9][bullseye] 2 commits: Fix CVE-2021-41079
Markus Koschany (@apo)
gitlab at salsa.debian.org
Sat Sep 25 21:12:54 BST 2021
Markus Koschany pushed to branch bullseye at Debian Java Maintainers / tomcat9
Commits:
2aeade1e by Markus Koschany at 2021-09-25T21:33:40+02:00
Fix CVE-2021-41079
- - - - -
cf7b34d3 by Markus Koschany at 2021-09-25T21:35:43+02:00
Update changelog
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2021-41079.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,21 @@
+tomcat9 (9.0.43-2~deb11u2) bullseye-security; urgency=high
+
+ * Team upload.
+ * CVE-2021-30640: Fix NullPointerException.
+ If no userRoleAttribute is specified in the user's Realm configuration its
+ default value will be null. This will cause a NPE in the methods
+ doFilterEscaping and doAttributeValueEscaping. This is upstream bug
+ https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
+ * Set the fileOwner of catalina.out to tomcat explicitly.
+ Thanks to Adam Cecile for the report. (Closes: #987179)
+ * Fix CVE-2021-41079:
+ Apache Tomcat did not properly validate incoming TLS packets. When Tomcat
+ was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
+ crafted packet could be used to trigger an infinite loop resulting in a
+ denial of service.
+
+ -- Markus Koschany <apo at debian.org> Sat, 25 Sep 2021 21:34:00 +0200
+
tomcat9 (9.0.43-2~deb11u1) bullseye-security; urgency=medium
* Team upload.
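Review bot: The 9.0.43-2~deb11u2 entry lists three changes, but this push only adds CVE-2021-41079.patch; confirm that the CVE-2021-30640 fix and the catalina.out fileOwner change are already on the bullseye branch (the series hunk below does show CVE-2021-30640.patch in place) so the changelog does not describe work that is not in the upload. Also, the CVE-2021-30640 bullet cites its upstream bug while the CVE-2021-41079 bullet cites nothing; adding the upstream commit that the patch's Origin header points to (apache/tomcat d4b340fa8feaf55831f9a59350578f7b6ca048b8) keeps the changelog self-contained for anyone following the security tracker.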
=====================================
debian/patches/CVE-2021-41079.patch
=====================================
@@ -0,0 +1,55 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 25 Sep 2021 18:29:40 +0200
+Subject: CVE-2021-41079
+
+Origin: https://github.com/apache/tomcat/commit/d4b340fa8feaf55831f9a59350578f7b6ca048b8
+---
+ java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
+ java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 6 ++++--
+ webapps/docs/changelog.xml | 4 ++++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
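Review bot: The DEP-3 header carries only Subject and Origin; a Description line summarising the fix (the infinite-loop DoS wording from debian/changelog would do) and a Bug field for the CVE would make the patch understandable without opening the changelog, and is what quilt-based review tooling expects when listing patches.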
+diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+index 84990f3..34ec880 100644
+--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
++++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+@@ -17,6 +17,7 @@ engine.ciphersFailure=Failed getting cipher list
+ engine.emptyCipherSuite=Empty cipher suite
+ engine.engineClosed=Engine is closed
+ engine.failedCipherSuite=Failed to enable cipher suite [{0}]
++engine.failedToReadAvailableBytes=There are plain text bytes available to read but no bytes were read
+ engine.inboundClose=Inbound closed before receiving peer's close_notify
+ engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <= offset + length <= srcs.length [{2}])
+ engine.invalidDestinationBuffersState=The state of the destination buffers changed concurrently while unwrapping bytes
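Review bot: The new engine.failedToReadAvailableBytes message takes no placeholder, so when the exception fires the actual return value of the read is lost; a negative OpenSSL error return and a zero-byte read then look identical in the log. Consider `engine.failedToReadAvailableBytes=There are plain text bytes available to read but [{0}] bytes were read` and passing bytesRead from OpenSSLEngine, which also matches the parameterised style of the neighbouring engine.failedCipherSuite and engine.invalidBufferArray keys.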
+diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+index cdd0617..679fee4 100644
+--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
++++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+@@ -591,8 +591,10 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
+ throw new SSLException(e);
+ }
+
+- if (bytesRead == 0) {
+- break;
++ if (bytesRead <= 0) {
++ // This should not be possible. pendingApp is positive
++ // therefore the read should have read at least one byte.
++ throw new IllegalStateException(sm.getString("engine.failedToReadAvailableBytes"));
+ }
+
+ bytesProduced += bytesRead;
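Review bot: The old `if (bytesRead == 0) { break; }` silently left a negative bytesRead (an OpenSSL read error) unhandled, which is the loop the CVE describes; widening the test to `<= 0` and failing hard closes that gap, but the failure is an unchecked IllegalStateException while the read failure three lines above is reported as a checked SSLException. Callers of SSLEngine.unwrap() that catch SSLException will not see this one, so confirm that the caller (not visible in this hunk) tears down the connection on a RuntimeException instead of re-entering unwrap() with the same pending state, otherwise the spin is moved up one level rather than removed. Throwing an SSLException with the same message would keep the error path uniform.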
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 1ce6df0..1815ab5 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -173,6 +173,10 @@
+ the access log file, include information on the current user in the
+ associated log message (markt)
+ </fix>
++ <fix>
++ Make handling of OpenSSL read errors more robust when plain text data is
++ reported to be available to read. (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Coyote">
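Review bot: The webapps/docs/changelog.xml hunk is upstream release-notes documentation that does not change the built package, and its context lines (an unrelated access-log fix and the Coyote subsection heading) make it the part of this patch most likely to fail to apply on the next upstream rebase. Either drop it from the Debian patch and keep only the java/ changes, or state in the patch header that the docs hunk is carried for fidelity to the upstream commit.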
=====================================
debian/patches/series
=====================================
@@ -13,3 +13,4 @@
0027-java11-compilation.patch
CVE-2021-30640.patch
CVE-2021-33037.patch
+CVE-2021-41079.patch
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/1e969ffcfa81899e782141cbe1e8e6fe2b73d4db...cf7b34d3c518fa556be825437479bfeba86a0b68