[Git][java-team/tomcat9][buster] 2 commits: Fix CVE-2021-41079

Markus Koschany (@apo) gitlab at salsa.debian.org
Sat Sep 25 21:38:37 BST 2021



Markus Koschany pushed to branch buster at Debian Java Maintainers / tomcat9


Commits:
d654582d by Markus Koschany at 2021-09-25T22:17:00+02:00
Fix CVE-2021-41079

- - - - -
3cb22204 by Markus Koschany at 2021-09-25T22:18:05+02:00
Update changelog

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2021-41079.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,19 @@
+tomcat9 (9.0.31-1~deb10u6) buster-security; urgency=high
+
+  * Team upload.
+  * CVE-2021-30640: Fix NullPointerException.
+    If no userRoleAttribute is specified in the user's Realm configuration its
+    default value will be null. This will cause a NPE in the methods
+    doFilterEscaping and doAttributeValueEscaping. This is upstream bug
+    https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
+  * Fix CVE-2021-41079:
+    Apache Tomcat did not properly validate incoming TLS packets. When Tomcat
+    was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
+    crafted packet could be used to trigger an infinite loop resulting in a
+    denial of service.
+
+ -- Markus Koschany <apo at debian.org>  Sat, 25 Sep 2021 22:17:13 +0200
+
 tomcat9 (9.0.31-1~deb10u5) buster-security; urgency=high
 
   * Team upload.


=====================================
debian/patches/CVE-2021-41079.patch
=====================================
@@ -0,0 +1,55 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 25 Sep 2021 22:14:23 +0200
+Subject: CVE-2021-41079
+
+Origin: https://github.com/apache/tomcat/commit/d4b340fa8feaf55831f9a59350578f7b6ca048b8
+---
+ java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
+ java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java      | 6 ++++--
+ webapps/docs/changelog.xml                                      | 4 ++++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+index 2b5e31f..c757295 100644
+--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
++++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+@@ -17,6 +17,7 @@ engine.ciphersFailure=Failed getting cipher list
+ engine.emptyCipherSuite=Empty cipher suite
+ engine.engineClosed=Engine is closed
+ engine.failedCipherSuite=Failed to enable cipher suite [{0}]
++engine.failedToReadAvailableBytes=There are plain text bytes available to read but no bytes were read
+ engine.inboundClose=Inbound closed before receiving peer's close_notify
+ engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <= offset + length <= srcs.length [{2}])
+ engine.noSSLContext=No SSL context
+diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+index ede30a8..22f412c 100644
+--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
++++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+@@ -586,8 +586,10 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
+                     throw new SSLException(e);
+                 }
+ 
+-                if (bytesRead == 0) {
+-                    break;
++                if (bytesRead <= 0) {
++                    // This should not be possible. pendingApp is positive
++                    // therefore the read should have read at least one byte.
++                    throw new IllegalStateException(sm.getString("engine.failedToReadAvailableBytes"));
+                 }
+ 
+                 bytesProduced += bytesRead;
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 436c92b..9c45802 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -226,6 +226,10 @@
+         <bug>64043</bug>: Ensure that session ID changes are replicated during
+         form-authentication. (kfujino)
+       </fix>
++      <fix>
++        Make handling of OpenSSL read errors more robust when plain text data is
++        reported to be available to read. (markt)
++      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Web applications">


=====================================
debian/patches/series
=====================================
@@ -23,3 +23,4 @@ CVE-2021-25122.patch
 CVE-2021-25329.patch
 CVE-2021-30640.patch
 CVE-2021-33037.patch
+CVE-2021-41079.patch



View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/c6ee4323957e6171451affc7c2927d168677bb3f...3cb22204fbe0a69f1466ecf43dc3a8563660f094

-- 
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/c6ee4323957e6171451affc7c2927d168677bb3f...3cb22204fbe0a69f1466ecf43dc3a8563660f094
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20210925/c57e5ce4/attachment.htm>


More information about the pkg-java-commits mailing list