Hello community,
here is the log from the commit of package tomcat6 for openSUSE:11.4
checked in at Mon Jan 9 11:09:52 CET 2012.
--------
--- old-versions/11.4/UPDATES/all/tomcat6/tomcat6.changes 2011-09-15 16:14:01.000000000 +0200
+++ 11.4/tomcat6/tomcat6.changes 2012-01-06 13:53:11.000000000 +0100
@@ -1,0 +2,16 @@
+Thu Jan 5 14:06:11 UTC 2012 - mvyskocil@suse.cz
+
+- fix bnc#727543 - VUL-0: Apache tomcat vulnerable to hash collision attack
+ backport upstream changes:
+ * add getCharset method for B2Converter
+ http://svn.apache.org/viewvc?view=revision&revision=1140904
+ * add isConfigProblemFatal method
+ http://svn.apache.org/viewvc?view=revision&revision=1199122
+ * GET POST parameter processing performance. Adds maximum number of
+ parameters per request (defaults to 10000) and new FailedRequestFilter for
+ rejecting requests with excessive number of parameters
+ http://svn.apache.org/viewvc?view=revision&revision=1200601
+- fix bnc#712784 - tomcat6: add missing Requires on java >= 1.6.0
+ * add recommends on java >= 1.6.0 and java-devel >= 1.6.0
+
+-------------------------------------------------------------------
calling whatdependson for 11.4-i586
New:
----
apache-tomcat-get-charset.patch
apache-tomcat-isconfigproblemfatal.patch
apache-tomcat-parameter-processing-performance.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libtcnative-1-0.spec ++++++
--- /var/tmp/diff_new_pack.6uLlji/_old 2012-01-09 11:09:33.000000000 +0100
+++ /var/tmp/diff_new_pack.6uLlji/_new 2012-01-09 11:09:33.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package libtcnative-1-0
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +29,7 @@
Name: libtcnative-1-0
Version: %{major}.%{minor}.%{micro}
-Release: 11.<RELEASE2>
+Release: 11.<RELEASE3>
Summary: JNI wrappers for Apache Portable Runtime for Tomcat
Group: Productivity/Networking/Web/Servers
License: Apache Software License ..
++++++ tomcat6.spec ++++++
--- /var/tmp/diff_new_pack.6uLlji/_old 2012-01-09 11:09:33.000000000 +0100
+++ /var/tmp/diff_new_pack.6uLlji/_new 2012-01-09 11:09:33.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package tomcat6
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2000-2009, JPackage Project
# All rights reserved.
#
@@ -41,7 +41,7 @@
Name: tomcat6
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 7.<RELEASE10>
+Release: 7.<RELEASE12>
Summary: Apache Servlet/JSP Engine, RI for Servlet 2.5/JSP 2.1 API
Group: Productivity/Networking/Web/Servers
License: Apache Software License ..
@@ -70,6 +70,14 @@
Patch3: apache-tomcat-CVE-2011-2526.patch
#PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1162959
Patch4: apache-tomcat-CVE-2011-3190.patch
+# PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1140904
+# add getCharset method for B2CConverter expected by parameter-processing patch
+Patch5: apache-tomcat-get-charset.patch
+# PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1199122
+# add isConfigProblemFatal method expected by parameter-processing patch
+Patch6: apache-tomcat-isconfigproblemfatal.patch
+#PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1200601
+Patch7: apache-tomcat-parameter-processing-performance.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
BuildRequires: ant
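Review bot: Patch7 at the bottom of the hunk is the line that actually addresses bnc#727543, yet it is the only one of the three new patch entries without a one-line description, and its marker `#PATCH-FIX-UPSTREAM` lacks the space used on the Patch5 and Patch6 markers above it. Suggest `# PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1200601` followed by `# bnc#727543 - cap parameters per request (default 10000); FailedRequestFilter rejects requests over the cap`. Naming the default in the spec gives administrators a visible pointer to the limit the changelog says this patch introduces; whether the filter is active by default cannot be told from this commit, so the comment should not claim that it is.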
@@ -99,6 +107,11 @@
Requires(preun): /sbin/chkconfig
Requires(post): findutils
Requires(post): coreutils
+# bnc#712784 - we need java and javac (for jsps)
+# to have a possibility use tomcat with third-party java
+# let's use recommends instead
+Recommends: java >= 1.6.0
+Recommends: java-devel >= 1.6.0
%description
Tomcat is the servlet container that is used in the official Reference
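Review bot: The comment above the new Recommends lines reads awkwardly (`to have a possibility use tomcat with third-party java`) and does not say what happens when no JRE is installed; suggest `# bnc#712784 - java and javac (for JSPs) are needed at runtime; Recommends rather than Requires keeps a third-party JDK usable`. The changelog entry for bnc#712784 in this same commit is titled "add missing Requires on java >= 1.6.0" while the spec adds Recommends; the two should use the same word so the weaker dependency is not mistaken for a hard one.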
@@ -229,6 +242,9 @@
%patch2 -p1 -b .CVE-2011-2204
%patch3 -p1 -b .CVE-2011-2526
%patch4 -p1 -b .CVE-2011-3190
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
%build
export CLASSPATH=
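Review bot: The three new `%patch` lines are applied without the `-b` backup suffix that the CVE patch lines directly above them use, which is inconsistent and also drops the backup copies that make it easy to inspect what a backport changed in the unpacked tree. Suggest `%patch5 -p1 -b .get-charset`, `%patch6 -p1 -b .isconfigproblemfatal` and `%patch7 -p1 -b .parameter-processing`.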
++++++ apache-tomcat-get-charset.patch ++++++
Index: apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/buf/ByteChunk.java
===================================================================
--- apache-tomcat-6.0.32-src.orig/java/org/apache/tomcat/util/buf/ByteChunk.java 2011-02-02 20:07:33.000000000 +0100
+++ apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/buf/ByteChunk.java 2012-01-05 14:10:21.099521215 +0100
@@ -19,6 +19,8 @@
import java.io.IOException;
import java.io.Serializable;
+import java.nio.ByteBuffer;
+import java.nio.charset.Charset;
/*
* In a server it is very important to be able to operate on
@@ -95,7 +97,12 @@
8859_1, and this object is used mostly for servlets.
*/
public static final String DEFAULT_CHARACTER_ENCODING="ISO-8859-1";
-
+
+ /** Default Charset to use for interpreting byte[] as as String
+ */
+ public static final Charset DEFAULT_CHARSET =
+ Charset.forName(DEFAULT_CHARACTER_ENCODING);
+
// byte[]
private byte[] buff;
@@ -493,8 +500,14 @@
public String toStringInternal() {
String strValue=null;
try {
- if( enc==null ) enc=DEFAULT_CHARACTER_ENCODING;
- strValue = new String( buff, start, end-start, enc );
+ Charset charset;
+ if (enc == null) {
+ charset = DEFAULT_CHARSET;
+ } else {
+ charset = B2CConverter.getCharset(enc);
+ }
+ strValue = charset.decode(
+ ByteBuffer.wrap(buff, start, end-start)).toString();
/*
Does not improve the speed too much on most systems,
it's safer to use the "clasical" new String().
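Review bot: The new else branch `charset = B2CConverter.getCharset(enc);` replaces a `new String(..., enc)` call whose UnsupportedEncodingException was presumably handled by the catch that follows this hunk; since `enc` may originate from a client-supplied charset name, confirm that getCharset reports an unknown name through that same exception type rather than returning null, otherwise the `charset.decode(...)` line dereferences null for a malformed request instead of taking the existing error path. The comment retained at the end of the hunk still says it is safer to use the "clasical" new String(), which no longer describes the decode path above it; if the commented-out alternative it introduces survives outside the hunk, reword it to `Kept for reference: new String() was replaced by Charset.decode above`, or drop it. toStringInternal's body and its catch continue outside the hunk, and getCharset itself lives in the B2CConverter hunk that is cut off at the end of this page.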
Index: apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/buf/B2CConverter.java
===================================================================
--- apache-tomcat-6.0.32-src.orig/java/org/apache/tomcat/util/buf/B2CConverter.java 2011-02-02 20:07:33.000000000 +0100
+++ apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/buf/B2CConverter.java 2012-01-05 14:10:21.101521285 +0100
@@ -22,6 +22,10 @@
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
+import java.nio.charset.Charset;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
/** Efficient conversion of bytes to character .
*
@@ -39,7 +43,36 @@
private static org.apache.juli.logging.Log log=
org.apache.juli.logging.LogFactory.getLog( B2CConverter.class );
+
+ private static final Map