Hello community, here is the log from the commit of package tomcat6 for openSUSE:Factory checked in at Fri Nov 26 17:02:08 CET 2010.
--------
--- tomcat6/tomcat6.changes 2010-11-02 11:20:31.000000000 +0100
+++ tomcat6/tomcat6.changes 2010-11-25 11:57:42.000000000 +0100
@@ -1,0 +2,10 @@
+Thu Nov 25 10:33:51 UTC 2010 - mvyskocil@suse.cz
+
+- fix bnc#655440 - VUL-0: tomcat6: Apache Tomcat Manager application XSS
+ vulnerability (CVE-2010-4172)
+ http://svn.apache.org/viewvc?view=revision&revision=1037779
+- fix bnc#653586 - spacewalk 1.2 requires jasper 5.5
+ * add offline jasper compiler /usr/bin/jspc
+- unpack tarball to apache-tomcat-$VERSION-src directory directly
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
New:
----
apache-tomcat-CVE-2010-4172.patch
tomcat6-6.0.jasper.sh
tomcat6-6.0.jspc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libtcnative-1-0.spec ++++++
--- /var/tmp/diff_new_pack.N3UGsc/_old 2010-11-26 16:58:39.000000000 +0100
+++ /var/tmp/diff_new_pack.N3UGsc/_new 2010-11-26 16:58:39.000000000 +0100
@@ -29,7 +29,7 @@
 Name: libtcnative-1-0
 Version: %{major}.%{minor}.%{micro}
-Release: 8
+Release: 9
 Summary: JNI wrappers for Apache Portable Runtime for Tomcat
 Group: Productivity/Networking/Web/Servers
 License: Apache Software License ..
++++++ tomcat6.spec ++++++
--- /var/tmp/diff_new_pack.N3UGsc/_old 2010-11-26 16:58:39.000000000 +0100
+++ /var/tmp/diff_new_pack.N3UGsc/_new 2010-11-26 16:58:39.000000000 +0100
@@ -41,7 +41,7 @@
 Name: tomcat6
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 2
+Release: 3
 Summary: Apache Servlet/JSP Engine, RI for Servlet 2.5/JSP 2.1 API
 Group: Productivity/Networking/Web/Servers
 License: Apache Software License ..
@@ -56,11 +56,16 @@
 Source6: %{name}-%{major_version}.%{minor_version}-digest.script
 Source7: %{name}-%{major_version}.%{minor_version}-tool-wrapper.script
 Source8: %{name}-%{major_version}.%{minor_version}.starter
+#bnc#653586: offline jasper compiler for spacewalk - rewritten from tomcat5.5/jasper/bin
+Source100: tomcat6-6.0.jasper.sh
+Source101: tomcat6-6.0.jspc
 Source1000: tomcat6-rpmlintrc
 #PATCH-FIX-UPSTREAM: from jpackage.org package
 Patch0: %{name}-%{major_version}.%{minor_version}.bootstrap-MANIFEST.MF.patch
 #PATCH-FIX-UPSTREAM: from jpackage.org package
 Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
+#PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1037779
+Patch2: apache-tomcat-CVE-2010-4172.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildArch: noarch
 BuildRequires: ant
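Review bot: The new `Patch2` comment records only the upstream viewvc URL, so the spec itself never says which bug or CVE the patch addresses; that link exists today only in the changes entry, and someone auditing the applied security fixes from the spec alone would have to follow the URL to find out. Suggest `#PATCH-FIX-UPSTREAM: bnc#655440 CVE-2010-4172 - XSS in Manager application, http://svn.apache.org/viewvc?view=revision&revision=1037779`. The `Source100`/`Source101` comment already names its bug and is fine as written.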
@@ -209,30 +214,30 @@ %prep -%setup -q -c -T -a 0 +%setup -q -n %{packdname} # remove pre-built binaries and windows files find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "*.gz" -o \ -name "*.jar" -o -name "*.war" -o -name "*.zip" \) | xargs -t %{__rm} %patch0 -p1 %patch1 -p0 +%patch2 -p1 %build export CLASSPATH= export OPT_JAR_LIST="ant/ant-trax" -pushd %{packdname} - # remove pre-built binaries and windows files - find . \( -name "*.bat" -o -name "*.class" -o -name "*.gz" -o \ +# remove pre-built binaries and windows files +find . \( -name "*.bat" -o -name "*.class" -o -name "*.gz" -o \ -name "*.jar" -o -name "*.zip" \) | xargs -t %{__rm} -f - # we don't care about the tarballs and we're going to replace - # tomcat-dbcp.jar with jakarta-commons-{collections,dbcp,pool}-tomcat5.jar - # so just create a dummy file for later removal - touch HACK +# we don't care about the tarballs and we're going to replace +# tomcat-dbcp.jar with jakarta-commons-{collections,dbcp,pool}-tomcat5.jar +# so just create a dummy file for later removal +touch HACK %if %defined suse_version - export CLASSPATH="$(build-classpath xalan-j2-serializer)" - export ANT_OPTS=-Xmx500M +export CLASSPATH="$(build-classpath xalan-j2-serializer)" +export ANT_OPTS=-Xmx500M %endif - # who needs a build.properties file anyway - %{ant} -Dbase.path="." \ +# who needs a build.properties file anyway +%{ant} -Dbase.path="." \ -Dbuild.compiler="modern" \ -Dcommons-collections.jar="$(build-classpath commons-collections)" \ -Dcommons-daemon.jar="$(build-classpath commons-daemon)" \ 
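Review bot: The dedented `find . \( ... \) | xargs -t %{__rm} -f` on the new side of the %build section still hands newline-separated, unquoted paths to xargs, and GNU xargs runs `%{__rm} -f` once even when find matches nothing; the pattern survives here only because `-f` makes an operand-less `rm` succeed, while the unchanged %prep variant in the same hunk has no `-f` and would fail the pipeline, and with it the build, if its match set were ever empty. Since the line is being rewritten anyway, `find . \( ... \) -print0 | xargs -0 -r -t %{__rm} -f` keeps the `-t` trace output and is safe in both cases; the same form would suit the %prep line. The `%{ant}` invocation that starts at the end of this hunk continues past it.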
@@ -243,17 +248,17 @@ -Dtomcat-native.tar.gz="HACK" \ -Dversion="%{version}" \ -Dversion.build="%{micro_version}" - # javadoc generation - %{ant} -f dist.xml dist-prepare - %{ant} -f dist.xml dist-source - %{ant} -f dist.xml dist-javadoc - # remove some jars that we'll replace with symlinks later - %{__rm} output/build/bin/commons-daemon.jar \ +# javadoc generation +%{ant} -f dist.xml dist-prepare +%{ant} -f dist.xml dist-source +%{ant} -f dist.xml dist-javadoc +# remove some jars that we'll replace with symlinks later +%{__rm} output/build/bin/commons-daemon.jar \ output/build/lib/ecj.jar - # remove the cruft we created - %{__rm} output/build/bin/tomcat-native.tar.gz -popd -pushd %{packdname}/output/dist/src/webapps/docs/appdev/sample/src +# remove the cruft we created +%{__rm} output/build/bin/tomcat-native.tar.gz + +pushd output/dist/src/webapps/docs/appdev/sample/src %{__mkdir_p} ../web/WEB-INF/classes %{javac} -cp ../../../../../../../../output/build/lib/servlet-api.jar -d ../web/WEB-INF/classes mypackage/Hello.java pushd ../web @@ -281,14 +286,14 @@ %{__install} -d -m 0755 ${RPM_BUILD_ROOT}%{tempdir} %{__install} -d -m 0755 ${RPM_BUILD_ROOT}%{cachedir}/Catalina/localhost # move things into place -pushd %{packdname}/output/build +pushd output/build %{__cp} -a bin/*.{jar,xml} ${RPM_BUILD_ROOT}%{bindir} %{__cp} -a conf/*.{policy,properties,xml} ${RPM_BUILD_ROOT}%{confdir} %{__cp} -a lib/*.jar ${RPM_BUILD_ROOT}%{libdir} %{__cp} -a webapps/* ${RPM_BUILD_ROOT}%{appdir} popd # javadoc -pushd %{packdname}/output/dist/webapps +pushd output/dist/webapps %{__cp} -a docs/api/* ${RPM_BUILD_ROOT}%{_javadocdir}/%{name} popd %{__sed} -e "s|\@\@\@TCHOME\@\@\@|%{homedir}|g" \ 
@@ -381,6 +386,9 @@ ln -sf %{_initrddir}/%{name} $RPM_BUILD_ROOT/%{_sbindir}/rc%{name} #bnc#565901 ln -sf %{_sbindir}/d%{name} %{buildroot}/%{bindir}/catalina.sh +#bnc#653586 - jasper.sh and jspc +install -m 0755 %{SOURCE100} %{buildroot}/%{bindir}/jasper.sh +install -m 0755 %{SOURCE101} %{buildroot}/%{_bindir}/jspc %endif %clean @@ -509,7 +517,7 @@ %files %defattr(0644,root,root,0755) -%doc %{packdname}/{LICENSE,NOTICE,RELEASE*} +%doc {LICENSE,NOTICE,RELEASE*} %attr(0755,root,root) %{_bindir}/%{name}-digest %attr(0755,root,root) %{_bindir}/%{name}-tool-wrapper %attr(0755,root,root) %{_sbindir}/d%{name} @@ -518,6 +526,9 @@ %if %{defined suse_version} #bnc#565901 %attr(0755,root,root) %{bindir}/catalina.sh +#bnc#653586 +%attr(0755,root,root) %{bindir}/jasper.sh +%attr(0755,root,root) %{_bindir}/jspc %endif %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} %if ! %defined suse_version ++++++ apache-tomcat-CVE-2010-4172.patch ++++++ --- apache-tomcat-6.0.29-src/java/org/apache/catalina/manager/JspHelper.java | 2 - apache-tomcat-6.0.29-src/webapps/docs/changelog.xml | 3 ++ apache-tomcat-6.0.29-src/webapps/manager/sessionDetail.jsp | 10 ++++--- apache-tomcat-6.0.29-src/webapps/manager/sessionsList.jsp | 14 +++++----- 4 files changed, 18 insertions(+), 11 deletions(-) Index: apache-tomcat-6.0.29-src/java/org/apache/catalina/manager/JspHelper.java =================================================================== --- apache-tomcat-6.0.29-src/java/org/apache/catalina/manager/JspHelper.java 2010-01-19 14:43:39.000000000 +0100 +++ apache-tomcat-6.0.29-src/java/org/apache/catalina/manager/JspHelper.java 2010-11-24 14:11:27.959022725 +0100 
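Review bot: The two new `install -m 0755 ...` lines in %install call the bare binary while every other install in this section goes through `%{__install}`, so the spec now has two spellings for the same operation; prefer `%{__install} -m 0755 %{SOURCE100} %{buildroot}/%{bindir}/jasper.sh` and `%{__install} -m 0755 %{SOURCE101} %{buildroot}/%{_bindir}/jspc`, matching the `%{buildroot}/%{bindir}` form of the `catalina.sh` symlink just above. Nothing in this hunk creates `%{buildroot}/%{_bindir}`; presumably an earlier `%{__install} -d` for `%{name}-digest` does, but that is outside the hunk, so confirm before relying on it.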
@@ -58,7 +58,7 @@ } private static String localeToString(Locale locale) { if (locale != null) { - return locale.toString();//locale.getDisplayName(); + return escapeXml(locale.toString());//locale.getDisplayName(); } else { return ""; } Index: apache-tomcat-6.0.29-src/webapps/docs/changelog.xml =================================================================== --- apache-tomcat-6.0.29-src/webapps/docs/changelog.xml 2010-01-19 14:43:41.000000000 +0100 +++ apache-tomcat-6.0.29-src/webapps/docs/changelog.xml 2010-11-24 14:11:27.959022725 +0100 @@ -1931,6 +1931,9 @@ <bug>44968</bug>: Provide more information when the load of a keystore fails. (markt) </fix> + <fix> + CVE-2010-4172: Multiple XSS in Manager application. (markt/kkolinko) + </fix> </changelog> </subsection> <subsection name="Jasper"> Index: apache-tomcat-6.0.29-src/webapps/manager/WEB-INF/jsp/sessionDetail.jsp =================================================================== --- apache-tomcat-6.0.29-src/webapps/manager/WEB-INF/jsp/sessionDetail.jsp 2010-01-19 14:43:41.000000000 +0100 +++ apache-tomcat-6.0.29-src/webapps/manager/WEB-INF/jsp/sessionDetail.jsp 2010-11-24 14:11:27.979023045 +0100 @@ -30,8 +30,10 @@ <% String path = (String) request.getAttribute("path"); Session currentSession = (Session)request.getAttribute("currentSession"); HttpSession currentHttpSession = currentSession.getSession(); - String currentSessionId = currentSession.getId(); - String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString(); + String currentSessionId = JspHelper.escapeXml(currentSession.getId()); + String submitUrl = JspHelper.escapeXml(response.encodeURL( + ((HttpServletRequest) pageContext.getRequest()).getRequestURI() + + "?path=" + path)); %> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/> 
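Review bot: `submitUrl` in the sessionDetail.jsp hunk concatenates `path` into the query string raw and only HTML-escapes the finished URL; `JspHelper.escapeXml` makes the value safe to emit inside an attribute but does nothing for URL metacharacters, so a `path` containing `&`, `#` or `%` would be split or mis-decoded when the form is submitted. Unless the Manager servlet already rejects such paths before setting the request attribute (not visible in this patch), encode the value: `"?path=" + java.net.URLEncoder.encode(path, "UTF-8")` inside the `response.encodeURL(...)` call; the checked exception is covered by the `IOException` a JSP service method already declares. The same construction appears in the sessionsList.jsp hunk further down and would take the same change.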
@@ -45,7 +47,7 @@ <title>Sessions Administration: details for <%= currentSessionId %></title> </head> <body> -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1> +<h1>Details for Session <%= currentSessionId %></h1> <table style="text-align: left;" border="0"> <tr> @@ -120,7 +122,7 @@ String attributeName = (String) attributeNamesEnumeration.nextElement(); %> <tr> - <td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="path" value="<%= path %>" /><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= attributeName %>" /><input type="submit" value="Remove" /></div></form></td> + <td align="center"><form action="<%= submitUrl %>"><div><input type="hidden" name="action" value="removeSessionAttribute" /><input type="hidden" name="sessionId" value="<%= currentSessionId %>" /><input type="hidden" name="attributeName" value="<%= attributeName %>" /><input type="submit" value="Remove" /></div></form></td> <td><%= JspHelper.escapeXml(attributeName) %></td> <td><% Object attributeValue = currentHttpSession.getAttribute(attributeName); %>"><%= JspHelper.escapeXml(attributeValue) %></span></td> </tr> Index: apache-tomcat-6.0.29-src/webapps/manager/WEB-INF/jsp/sessionsList.jsp =================================================================== --- apache-tomcat-6.0.29-src/webapps/manager/WEB-INF/jsp/sessionsList.jsp 2010-01-19 14:43:41.000000000 +0100 +++ apache-tomcat-6.0.29-src/webapps/manager/WEB-INF/jsp/sessionsList.jsp 2010-11-24 14:13:16.292757413 +0100 
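Review bot: The `removeSessionAttribute` form in the `@@ -120,7 +122,7 @@` hunk drops its hidden `path` input and relies on the `?path=` query carried by `submitUrl`, but the form declares no `method`, so it submits with GET, and a GET submission replaces the action URL's query component with the form's own fields; `path` would then never reach the servlet for that action. Either keep a hidden field with the escaped value, `<input type="hidden" name="path" value="<%= JspHelper.escapeXml(path) %>" />`, or add `method="post"` to the form as the sessionsList form already has. Whether the servlet tolerates a missing `path` here is outside the patch, so this is worth verifying against the Manager servlet before shipping.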
@@ -26,7 +26,9 @@ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <% String path = (String) request.getAttribute("path"); - String submitUrl = ((HttpServletRequest)pageContext.getRequest()).getRequestURI() + "?path=" + path; + String submitUrl = JspHelper.escapeXml(response.encodeURL( + ((HttpServletRequest) pageContext.getRequest()).getRequestURI() + + "?path=" + path)); Collection activeSessions = (Collection) request.getAttribute("activeSessions"); %> <head> @@ -38,10 +40,10 @@ <meta name="author" content="Cedrik LIME"/> <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/> <meta name="robots" content="noindex,nofollow,noarchive"/> - <title>Sessions Administration for <%= path %></title> + <title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title> </head> <body> -<h1>Sessions Administration for <%= path %></h1> +<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1> <p>Tips:</p> <ul> @@ -55,13 +57,13 @@ <form action="<%= submitUrl %>" method="post" id="sessionsForm"> <fieldset><legend>Active HttpSessions informations</legend> <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/> - "/> + "/> <% String order = (String) request.getAttribute("order"); if (order == null || "".equals(order)) { order = "ASC"; } %> - <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/> + <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/> <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/> <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/> <table border="1" cellpadding="2" cellspacing="2" width="100%"> 
@@ -95,11 +97,11 @@ <% Iterator iter = activeSessions.iterator(); while (iter.hasNext()) { Session currentSession = (Session) iter.next(); - String currentSessionId = currentSession.getId(); + String currentSessionId = JspHelper.escapeXml(currentSession.getId()); %> <tr> <td> -<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&action=sessionDetail&sessionId=<%= currentSessionId %>" target="_blank"><%= JspHelper.escapeXml(currentSessionId) %></a> +<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&action=sessionDetail&sessionId=<%= currentSessionId %>" target="_new"><%= currentSessionId %></a> </td> <td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td> <td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td> ++++++ tomcat6-6.0-tomcat-users-webapp.patch ++++++ --- /var/tmp/diff_new_pack.N3UGsc/_old 2010-11-26 16:58:39.000000000 +0100 +++ /var/tmp/diff_new_pack.N3UGsc/_new 2010-11-26 16:58:39.000000000 +0100 @@ -1,7 +1,7 @@ -Index: apache-tomcat-6.0.29-src/conf/tomcat-users.xml +Index: conf/tomcat-users.xml =================================================================== ---- apache-tomcat-6.0.29-src/conf/tomcat-users.xml.orig 2010-06-29 16:33:40.000000000 +0200 -+++ apache-tomcat-6.0.29-src/conf/tomcat-users.xml 2010-07-15 09:35:36.400001376 +0200 +--- conf/tomcat-users.xml.orig 2010-06-29 16:33:40.000000000 +0200 ++++ conf/tomcat-users.xml 2010-07-15 09:35:36.400001376 +0200 @@ -33,4 +33,9 @@ <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="role1" password="tomcat" roles="role1"/> ++++++ tomcat6-6.0.bootstrap-MANIFEST.MF.patch ++++++ --- /var/tmp/diff_new_pack.N3UGsc/_old 2010-11-26 16:58:39.000000000 +0100 +++ /var/tmp/diff_new_pack.N3UGsc/_new 2010-11-26 16:58:39.000000000 +0100 
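Review bot: The last sessionsList.jsp hunk also changes `target="_blank"` to `target="_new"` on the session link, which is unrelated to the XSS fix: `_new` is not one of the reserved target keywords, so it behaves as an ordinary window name rather than forcing a new window, and whether it came from the upstream revision or from the backport it should not ride along. Keep `target="_blank"` on the new line and leave only the `JspHelper.escapeXml` change and the dropped double-escape, so the patch stays a minimal copy of r1037779. The `while` loop holding these lines starts outside the hunk.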
@@ -1,7 +1,7 @@
-Index: tomcat6-6.0.29/apache-tomcat-6.0.29-src/res/META-INF/bootstrap.jar.manifest
+Index: apache-tomcat-6.0.29-src/res/META-INF/bootstrap.jar.manifest
 ===================================================================
---- tomcat6-6.0.29.orig/apache-tomcat-6.0.29-src/res/META-INF/bootstrap.jar.manifest 2010-06-29 16:33:42.000000000 +0200
-+++ tomcat6-6.0.29/apache-tomcat-6.0.29-src/res/META-INF/bootstrap.jar.manifest 2010-07-15 09:35:10.044876580 +0200
+--- apache-tomcat-6.0.29-src/res/META-INF/bootstrap.jar.manifest 2010-06-29 16:33:42.000000000 +0200
++++ apache-tomcat-6.0.29-src/res/META-INF/bootstrap.jar.manifest 2010-07-15 09:35:10.044876580 +0200
@@ -1,6 +1,5 @@ Manifest-Version: 1.0 Main-Class: org.apache.catalina.startup.Bootstrap ++++++ tomcat6-6.0.jasper.sh ++++++ #!/bin/bash # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ----------------------------------------------------------------------------- # Script for Jasper compiler # - mvyskocil reworked for SUSE tomcat6 package - see # https://bugzilla.novell.com/show_bug.cgi?id=653586 # # Environment Variable Prequisites # # JASPER_HOME May point at your Catalina "build" directory. # # JASPER_OPTS (Optional) Java runtime options used when the "start", # "stop", or "run" command is executed. # # JAVA_HOME Must point at your Java Development Kit installation. # # JAVA_OPTS (Optional) Java runtime options used when the "start", # "stop", or "run" command is executed. # Get the tomcat config (use this for environment specific settings) if [ -z "${TOMCAT_CFG}" ]; then TOMCAT_CFG="/etc/tomcat6/tomcat6.conf" fi if [ -r "$TOMCAT_CFG" ]; then . 
$TOMCAT_CFG fi CLASSPATH="${CLASSPATH}:$(build-classpath tomcat6 ant)" CLASSPATH="${CLASSPATH}:$(build-classpath tomcat6-servlet-2.5-api tomcat6-jsp-2.1-api tomcat6-el-1.0-api)" # CLASSPATH munging if [ -n "$JSSE_HOME" ]; then CLASSPATH="${CLASSPATH}:$(build-classpath jcert jnet jsse 2>/dev/null)" fi CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/bootstrap.jar" CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/tomcat-juli.jar" CLASSPATH="${CLASSPATH}:$(build-classpath commons-daemon 2>/dev/null)" # ----- Execute The Requested Command ----------------------------------------- if [ "$1" = "jspc" ] ; then shift exec "${JAVA_HOME}/bin/java" $JAVA_OPTS $JASPER_OPTS \ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ -Djasper.home="$JASPER_HOME" \ -Dcatalina.home="$JASPER_HOME" \ org.apache.jasper.JspC "$@" elif [ "$1" = "debug" ] ; then shift exec "${JAVA_HOME}/bin/jdb" $JAVA_OPTS $JASPER_OPTS \ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ -Djasper.home="$JASPER_HOME" \ -Dcatalina.home="$JASPER_HOME" \ org.apache.jasper.JspC "$@" else echo "Usage: jasper.sh ( jspc )" echo "Commands:" echo " jspc - Run the offline JSP compiler" exit 1 fi ++++++ tomcat6-6.0.jspc ++++++ #!/bin/sh # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
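Review bot: `CLASSPATH="${CLASSPATH}:$(build-classpath tomcat6 ant)"` in the new jasper.sh starts the class path with an empty element whenever CLASSPATH is unset on entry (tomcat6.conf may or may not set it; not visible here), and the JVM treats an empty `-classpath` element as the current directory, so which classes jspc loads would depend on the directory it is run from, typically a webapp tree. Use `CLASSPATH="${CLASSPATH:+${CLASSPATH}:}$(build-classpath tomcat6 ant)"` for that first assignment so the path never begins with `:`. `JAVA_HOME` is documented as required but never checked, so an unset value execs `/bin/java`; a guard such as `: "${JAVA_HOME:?JAVA_HOME must point at a JDK}"` before the dispatch gives a clear failure, and `. $TOMCAT_CFG` should be `. "$TOMCAT_CFG"`. The header's "start", "stop", or "run" wording for JASPER_OPTS and JAVA_OPTS is carried over from catalina.sh (the commands here are `jspc` and `debug`), and the usage text omits `debug` although the script accepts it.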
# See the License for the specific language governing permissions and # limitations under the License. # ----------------------------------------------------------------------------- # Script to run the Jasper "offline JSP compiler" # - mvyskocil reworked for SUSE tomcat6 package - see # https://bugzilla.novell.com/show_bug.cgi?id=653586 # # $Id: jspc.sh 565193 2007-08-12 22:53:10Z markt $ # ----------------------------------------------------------------------------- PRGDIR=/usr/share/tomcat6/bin EXECUTABLE=jasper.sh # Check that target executable exists if [ ! -x "$PRGDIR"/"$EXECUTABLE" ]; then echo "Cannot find $PRGDIR/$EXECUTABLE" echo "This file is needed to run this program" exit 1 fi if [ "$1" = "debug" ]; then shift exec "$PRGDIR"/"$EXECUTABLE" debug "$@" else exec "$PRGDIR"/"$EXECUTABLE" jspc "$@" fi ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
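Review bot: Both diagnostics in the `Cannot find` branch of the new jspc wrapper go to stdout; a wrapper's errors belong on stderr so that callers capturing the compiler's output do not mistake them for results: `echo "Cannot find $PRGDIR/$EXECUTABLE" >&2` and `echo "This file is needed to run this program" >&2`. `PRGDIR=/usr/share/tomcat6/bin` hard-codes the location the spec installs as `%{bindir}/jasper.sh`; presumably the two agree, but `%{bindir}`'s definition is not in the spec hunks shown, so confirm it or have the spec substitute the path at install time. The `$Id: jspc.sh 565193 ...$` keyword line is inherited from the upstream file this was reworked from and no longer tracks this copy, so it could be dropped.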