Hello community, here is the log from the commit of package tomcat6 checked in at Thu Aug 7 01:36:13 CEST 2008. -------- --- tomcat6/tomcat6.changes 2008-07-21 15:46:05.000000000 +0200 +++ /mounts/work_src_done/STABLE/tomcat6/tomcat6.changes 2008-08-06 11:12:18.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Aug 6 11:11:58 CEST 2008 - mvyskocil@suse.cz + +- fix CVE-2008-1232 and CVE-2008-2370: VUL-0: Apache Tomcat Cross-Site + Scripting and Security Bypass [bnc#414657] + +------------------------------------------------------------------- New: ---- apache-tomcat-CVE-2008-1232.patch apache-tomcat-CVE-2008-2370.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libtcnative-1-0.spec ++++++ --- /var/tmp/diff_new_pack.h13643/_old 2008-08-07 01:36:01.000000000 +0200 +++ /var/tmp/diff_new_pack.h13643/_new 2008-08-07 01:36:01.000000000 +0200 @@ -2,9 +2,16 @@ # spec file for package libtcnative-1-0 (Version MACRO) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. -# This file and all modifications and additions to the pristine -# package are under the same license as the package itself. # +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + # Please submit bugfixes or comments via http://bugs.opensuse.org/ # 
@@ -22,7 +29,7 @@ Name: libtcnative-1-0 Version: %{major}.%{minor}.%{micro} -Release: 2 +Release: 3 Summary: JNI wrappers for Apache Portable Runtime for Tomcat Group: Productivity/Networking/Web/Servers License: The Apache Software License ++++++ tomcat6.spec ++++++ --- /var/tmp/diff_new_pack.h13643/_old 2008-08-07 01:36:02.000000000 +0200 +++ /var/tmp/diff_new_pack.h13643/_new 2008-08-07 01:36:02.000000000 +0200 @@ -2,9 +2,16 @@ # spec file for package tomcat6 (Version MACRO) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. -# This file and all modifications and additions to the pristine -# package are under the same license as the package itself. # +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + # Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -29,7 +36,7 @@ Name: tomcat6 Version: %{major_version}.%{minor_version}.%{macro_version} -Release: 9 +Release: 10 Summary: Apache Servlet/JSP Engine, RI for Servlet 2.5/JSP 2.1 API Group: Productivity/Networking/Web/Servers License: The Apache Software License @@ -41,6 +48,8 @@ Source4: %{name}-%{major_version}.%{minor_version}.wrapper Patch0: %{name}-%{major_version}.%{minor_version}.bootstrap-MANIFEST.MF.patch Patch1: apache-tomcat-CVE-2008-1947.patch +Patch2: apache-tomcat-CVE-2008-2370.patch +Patch3: apache-tomcat-CVE-2008-1232.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch BuildRequires: ant 
@@ -175,6 +184,8 @@ %setup -q -c -T -a 0 %patch0 %patch1 -b .sav1 +%patch2 -b .sav2 +%patch3 -b .sav3 %build pushd ${RPM_BUILD_DIR}/%{name}-%{version}/%{packdname} @@ -448,6 +459,9 @@ %{appdir}/examples %changelog +* Wed Aug 06 2008 mvyskocil@suse.cz +- fix CVE-2008-1232 and CVE-2008-2370: VUL-0: Apache Tomcat Cross-Site + Scripting and Security Bypass [bnc#414657] * Mon Jul 21 2008 mvyskocil@suse.cz - fixed [bnc#394503]: tomcat6 is missing rctomcat6 link - add a /usr/sbin/rctomcat6 symlink ++++++ apache-tomcat-CVE-2008-1232.patch ++++++ --- apache-tomcat-6.0.16-src/java/org/apache/catalina/core/StandardContextValve.java +++ apache-tomcat-6.0.16-src/java/org/apache/catalina/core/StandardContextValve.java @@ -120,8 +120,7 @@ || (requestPathMB.equalsIgnoreCase("/META-INF")) || (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0)) || (requestPathMB.equalsIgnoreCase("/WEB-INF"))) { - String requestURI = request.getDecodedRequestURI(); - notFound(requestURI, response); + notFound(response); return; } @@ -138,7 +137,7 @@ Wrapper wrapper = request.getWrapper(); if (wrapper == null) { String requestURI = request.getDecodedRequestURI(); - notFound(requestURI, response); + notFound(response); return; } @@ -289,10 +288,10 @@ * @param requestURI The request URI for the requested resource * @param response The response we are creating */ - private void notFound(String requestURI, HttpServletResponse response) { + private void notFound(HttpServletResponse response) { try { - response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI); + response.sendError(HttpServletResponse.SC_NOT_FOUND); } catch (IllegalStateException e) { ; } catch (IOException e) { --- apache-tomcat-6.0.16-src/java/org/apache/coyote/Constants.java +++ apache-tomcat-6.0.16-src/java/org/apache/coyote/Constants.java 
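Review bot: In the StandardContextValve.java hunk at line 138 the call is changed to `notFound(response)` but the context line `String requestURI = request.getDecodedRequestURI();` directly above it is kept, leaving a dead local that the first hunk (line 120) removed correctly. Drop that line too so both call sites read the same: `if (wrapper == null) {` / `notFound(response);` / `return;`. The enclosing method starts and ends outside the hunk.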
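Review bot: The Javadoc above the new `notFound(HttpServletResponse response)` signature in StandardContextValve.java (hunk at line 289) still carries `@param requestURI The request URI for the requested resource` for a parameter that no longer exists; remove that tag so only `@param response The response we are creating` remains. It would also help a later reader to record the reason for the change, e.g. `* The request URI is intentionally not passed to sendError() so that it is never echoed into the error page (see CVE-2008-1232).`, since otherwise the next cleanup may "restore" the more informative message.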
@@ -59,6 +59,12 @@ public static final boolean IS_SECURITY_ENABLED = (System.getSecurityManager() != null); - + /** + * If true, custom HTTP status messages will be used in headers. + */ + public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER = + Boolean.valueOf(System.getProperty( + "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER", + "false")).booleanValue(); } --- apache-tomcat-6.0.16-src/java/org/apache/coyote/ajp/AjpAprProcessor.java +++ apache-tomcat-6.0.16-src/java/org/apache/coyote/ajp/AjpAprProcessor.java @@ -917,7 +917,10 @@ // HTTP header contents responseHeaderMessage.appendInt(response.getStatus()); - String message = response.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = response.getMessage(); + } if (message == null){ message = HttpMessages.getMessage(response.getStatus()); } else { --- apache-tomcat-6.0.16-src/java/org/apache/coyote/ajp/AjpProcessor.java +++ apache-tomcat-6.0.16-src/java/org/apache/coyote/ajp/AjpProcessor.java @@ -923,7 +923,10 @@ // HTTP header contents responseHeaderMessage.appendInt(response.getStatus()); - String message = response.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = response.getMessage(); + } if (message == null){ message = HttpMessages.getMessage(response.getStatus()); } else { --- apache-tomcat-6.0.16-src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java +++ apache-tomcat-6.0.16-src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java 
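Review bot: The new Javadoc on `USE_CUSTOM_STATUS_MSG_IN_HEADER` in Constants.java says what the flag does but not how it is set or that it is off by default, which is the security-relevant part; suggest `* If true, custom HTTP status messages will be used in headers. Controlled by the system property org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER; defaults to false so that application-supplied reason phrases are not emitted unless explicitly enabled.`. The initializer can be written as the equivalent `Boolean.getBoolean("org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER")`, which reads the same property and yields true only for a case-insensitive "true", exactly as `Boolean.valueOf(System.getProperty(..., "false")).booleanValue()` does.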
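Review bot: In the AjpAprProcessor.java hunk at line 917 (and identically in AjpProcessor.java at 923 and JkInputStream.java at 272) the custom message is now read only when the flag is on, but unlike the three http11 output buffers in this same patch no CR/LF stripping is visible for the AJP path. The `} else {` branch that would hold it lies outside the hunk, so confirm it already performs `message = message.replace('\n', ' ').replace('\r', ' ');` and add it if not; otherwise an administrator who enables the flag relies entirely on the AJP front end to reject line breaks in the reason phrase. The enclosing method starts and ends outside the hunk.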
@@ -421,11 +421,14 @@ buf[pos++] = Constants.SP; // Write message - String message = response.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = response.getMessage(); + } if (message == null) { write(HttpMessages.getMessage(status)); } else { - write(message); + write(message.replace('\n', ' ').replace('\r', ' ')); } // End the response status line --- apache-tomcat-6.0.16-src/java/org/apache/coyote/http11/InternalNioOutputBuffer.java +++ apache-tomcat-6.0.16-src/java/org/apache/coyote/http11/InternalNioOutputBuffer.java @@ -479,11 +479,14 @@ buf[pos++] = Constants.SP; // Write message - String message = response.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = response.getMessage(); + } if (message == null) { write(HttpMessages.getMessage(status)); } else { - write(message); + write(message.replace('\n', ' ').replace('\r', ' ')); } // End the response status line --- apache-tomcat-6.0.16-src/java/org/apache/coyote/http11/InternalOutputBuffer.java +++ apache-tomcat-6.0.16-src/java/org/apache/coyote/http11/InternalOutputBuffer.java @@ -438,11 +438,14 @@ buf[pos++] = Constants.SP; // Write message - String message = response.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = response.getMessage(); + } if (message == null) { write(getMessage(status)); } else { - write(message); + write(message.replace('\n', ' ').replace('\r', ' ')); } // End the response status line --- apache-tomcat-6.0.16-src/java/org/apache/jk/common/JkInputStream.java +++ apache-tomcat-6.0.16-src/java/org/apache/jk/common/JkInputStream.java 
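Review bot: The four-line null-then-conditional-assign block added in InternalAprOutputBuffer.java at line 421, and repeated verbatim in InternalNioOutputBuffer.java and InternalOutputBuffer.java, reads more directly as one conditional expression: `String message = org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER ? response.getMessage() : null;`. Since the same gating and the `replace('\n', ' ').replace('\r', ' ')` sanitisation now live in six places across this patch, a single shared helper would keep them from drifting apart in later fixes. Note also that the replacement neutralises only CR and LF; whether `write(String)` guards against other control characters in the reason phrase is not visible here. The enclosing method starts and ends outside the hunk.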
@@ -272,7 +272,10 @@ outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_HEADERS); outputMsg.appendInt( res.getStatus() ); - String message=res.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = res.getMessage(); + } if( message==null ){ message= HttpMessages.getMessage(res.getStatus()); } else { ++++++ apache-tomcat-CVE-2008-2370.patch ++++++ --- apache-tomcat-6.0.16-src/java/org/apache/catalina/core/ApplicationContext.java +++ apache-tomcat-6.0.16-src/java/org/apache/catalina/core/ApplicationContext.java @@ -368,10 +368,22 @@ throw new IllegalArgumentException (sm.getString ("applicationContext.requestDispatcher.iae", path)); + + // Get query string + String queryString = null; + int pos = path.indexOf('?'); + if (pos >= 0) { + queryString = path.substring(pos + 1); + } else { + pos = path.length(); + } + path = normalize(path); if (path == null) return (null); + pos = path.length(); + // Use the thread local URI and mapping data DispatchData dd = dispatchData.get(); if (dd == null) { @@ -382,14 +394,6 @@ MessageBytes uriMB = dd.uriMB; uriMB.recycle(); - // Get query string - String queryString = null; - int pos = path.indexOf('?'); - if (pos >= 0) { - queryString = path.substring(pos + 1); - } else { - pos = path.length(); - } // Use the thread local mapping data MappingData mappingData = dd.mappingData; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
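Review bot: In the ApplicationContext.java hunk at line 368 the new `pos = path.length();` after `normalize(path)` unconditionally overwrites the position computed from `path.indexOf('?')`, so the `else { pos = path.length(); }` branch above it is now dead, and because `normalize` is applied to the string that still contains the `?` and the query, `pos` becomes the length of the whole normalized string rather than the end of the path part. Whatever consumes `pos` later in the method (outside the hunk) should be checked against this; if it is used as the URI length for mapping, the query string would now be mapped as part of the URI. The clearer and safer form is to cut the query string off before normalizing, so that nothing in the query can influence the normalized path and `pos` keeps its meaning; the rewrite below replaces the query-string block and the normalize call, with the rest of the method unchanged. The enclosing method starts and ends outside the hunk.
```java
        // Split off the query string first so that normalize() only ever
        // sees the path part; pos is then the length of the path proper.
        String queryString = null;
        int pos = path.indexOf('?');
        if (pos >= 0) {
            queryString = path.substring(pos + 1);
            path = path.substring(0, pos);
        }
        path = normalize(path);
        if (path == null)
            return (null);
        pos = path.length();
        // … unchanged: thread-local DispatchData / uriMB setup …
```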