Hello community,

here is the log from the commit of package tomcat.1180 for openSUSE:12.2:Update checked in at 2012-12-27 16:10:01

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/tomcat.1180 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.tomcat.1180.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tomcat.1180", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null	2012-12-21 01:49:00.356010756 +0100
+++ /work/SRC/openSUSE:12.2:Update/.tomcat.1180.new/tomcat.changes	2012-12-27 16:10:03.000000000 +0100
@@ -0,0 +1,100 @@
+-------------------------------------------------------------------
+Mon Dec 10 10:33:24 UTC 2012 - mvyskocil@suse.com
+
+- fix bnc#793394 - bypass of security constraints (CVE-2012-3546)
+  * tomcat-CVE-2012-3546.patch
+    http://svn.apache.org/viewvc?view=revision&revision=1377892
+
+- fix bnc#793391 - bypass of CSRF prevention filter (CVE-2012-4431)
+  * tomcat-CVE-2012-4431.patch
+    http://svn.apache.org/viewvc?view=revision&revision=1393088
+
+-------------------------------------------------------------------
+Fri Dec 7 11:17:46 UTC 2012 - mvyskocil@suse.com
+
+- document how to protect against slowloris DoS (CVE-2012-5568/bnc#791679)
+  in README.SUSE
+
+-------------------------------------------------------------------
+Tue Dec 4 08:42:49 UTC 2012 - mvyskocil@suse.com
+
+- fixes
+  bnc#791423 - cnonce tracking weakness (CVE-2012-5885)
+  bnc#791424 - authentication caching weakness (CVE-2012-5886)
+  bnc#791426 - stale nonce weakness (CVE-2012-5887)
+  * tomcat-dont-parse-user-name-twice.patch
+    http://svn.apache.org/viewvc?view=revision&revision=1366723
+  * tomcat-CVE-2009-2693-CVE-2009-2901-CVE-2009-2902.patch
+    http://svn.apache.org/viewvc?view=revision&revision=1377807
+
+-------------------------------------------------------------------
+Mon Nov 26 12:55:41 UTC 2012 - mvyskocil@suse.com
+
+- fix bnc#789406: HTTP NIO connector OOM DoS via a request with large
+  headers (CVE-2012-2733)
+  * http://svn.apache.org/viewvc?view=revision&revision=1350301
+- fix bnc#779538 - Tomcat7 default current workdir isn't /usr/share/tomcat
+
+-------------------------------------------------------------------
+Thu Jul 19 08:48:31 UTC 2012 - mvyskocil@suse.cz
+
+- fix bnc#771802 - systemd support is broken
+  * change type froking to simple as it does not make a sense run java in a
+    background to emulate that
+  * remove the need of nested wrappers, so /usr/sbin/tomcat-sysd now relies on
+    systemd features like User/EnvironmentFile
+  * workaround the 143 exit code in Stop phase - return 0 in this case
+  * merge the jsvc into tomcat-sysd code, the -jsvc-sysd is a symlink
+  * properly use jsvc with pid file to start and stop
+
+-------------------------------------------------------------------
+Wed Jun 13 12:37:49 UTC 2012 - mvyskocil@suse.cz
+
+- update to 7.0.26 (bugfix release)
+- rename package to tomcat in order to emphasise a fact, there is only one
+  major release of tomcat maintained in distribution
+- add manifest files and systemd support (thanks Fedora)
+- create tomcat-jsvc package
+
+-------------------------------------------------------------------
+Thu Feb 23 13:59:10 UTC 2012 - mvyskocil@suse.cz
+
+- update to 7.0.26 (bugfix release)
+- fix bnc#747771 - don't use /var/lock/subsys
+  sync tomcat7 init with tomcat6
+
+-------------------------------------------------------------------
+Sun Feb 19 23:02:42 UTC 2012 - wittemar@googlemail.com
+
+- update to 7.0.25 (bugfix release)
+
+-------------------------------------------------------------------
+Tue Nov 1 12:36:57 UTC 2011 - mvyskocil@suse.cz
+
+- update to 7.0.22 (bugfix release)
+- wrote changes and prepare for inclusion to openSUSE distribution
+- fix bnc#726307
+  /etc/tomcat7 is writtable for tomcat group
+
+-------------------------------------------------------------------
+Mon Sep 19 10:21:29 UTC 2011 - wittemar@googlemail.com
+
+  - update to version 7.0.21
+
+-------------------------------------------------------------------
+Thu Jul 21 10:21:29 UTC 2011 - mvyskocil@suse.cz
+
+  - update to version 7.0.16 (bugfix update)
+
+-------------------------------------------------------------------
+Wed Mar 30 16:29:28 UTC 2011 - jrenner@suse.de
+
+  - add rpmlintrc, digest, init and wrapper scripts and config file
+  - build require geronimo apis and wsdl4j
+  - disable webservices in javadoc target
+
+-------------------------------------------------------------------
+Tue Jan 18 12:22:55 UTC 2011 - mvyskocil@suse.cz
+
+  - initial packaging of tomcat7 7.0.6
+

New:
----
  README.SUSE.in
  apache-tomcat-7.0.27-src.tar.gz
  el-api-OSGi-MANIFEST.MF
  jasper-OSGi-MANIFEST.MF
  jasper-el-OSGi-MANIFEST.MF
  jsp-api-OSGi-MANIFEST.MF
  servlet-api-OSGi-MANIFEST.MF
  tomcat-7.0-bootstrap-MANIFEST.MF.patch
  tomcat-7.0-digest.script
  tomcat-7.0-jsvc.service
  tomcat-7.0-log4j.properties
  tomcat-7.0-tomcat-sysd
  tomcat-7.0-tomcat-users-webapp.patch
  tomcat-7.0-tool-wrapper.script
  tomcat-7.0.2-property-build.windows.patch
  tomcat-7.0.conf
  tomcat-7.0.init
  tomcat-7.0.logrotate
  tomcat-7.0.service
  tomcat-7.0.wrapper
  tomcat-CVE-2012-2733.patch
  tomcat-CVE-2012-3546.patch
  tomcat-CVE-2012-4431.patch
  tomcat-CVE-2012-5885-CVE-2012-5886-CVE-2012-5887.patch
  tomcat-api-OSGi-MANIFEST.MF
  tomcat-dont-parse-user-name-twice.patch
  tomcat-juli-OSGi-MANIFEST.MF
  tomcat-rpmlintrc
  tomcat.changes
  tomcat.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tomcat.spec ++++++
++++ 732 lines (skipped)

++++++ README.SUSE.in ++++++
Slowloris DOS attack (CVE-2012-5568)
====================================

Your tomcat installation can be affected by the Slowloris [1] attack if it is
exposed through port 80 with the default connection timeout settings. This
kind of attack opens a lot of connections and holds them open for a long time
by sending a few packets before the default timeout expires. The default value
for tomcat is 60 seconds, which, with a thread being used for handling each
request, makes it very vulnerable to this kind of attack.

The default installed tomcat on a SUSE system has the following timeout
settings:

    20000 (20s) for port 8080 protocol HTTP/1.1
    60000 (60s) for port 8009 protocol AJP/1.3

Ports 8080 and 8009 are usually not exposed to the public Internet, so the
default installation is not vulnerable. In case your tomcat is configured to
listen on the standard ports 80 (HTTP) or 443 (HTTPS), it is highly
recommended to change the default timeout settings.
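The check the README asks administrators to make by hand can be scripted against server.xml. The function below is an added example, not part of the package or of README.SUSE: it walks each <Connector> element (skipping XML comments) and reports connectors on the public ports 80/443 that rely on the implicit default connectionTimeout, or whose explicit connectionTimeout exceeds a bound you pass in. The embedded server.xml and the 30 s bound are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample server.xml for the demonstration (not the packaged one):
# the port 80 connector keeps the 60 s upstream default the README warns
# about; the 443 connector is commented out and must be ignored by the check.
SAMPLE_SERVER_XML='<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- public HTTP connector left at the 60 s default -->
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="60000"
               redirectPort="443" />
    <!-- <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
                    connectionTimeout="60000" scheme="https" secure="true" /> -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>'

# audit_connectors XML MAX_MS
# Prints one line per <Connector> that is either bound to a public port
# (80/443) without an explicit connectionTimeout, or whose connectionTimeout
# is above MAX_MS. The exit status is the number of connectors flagged.
# Parsing: join the document, then split on "<" so that each markup item
# sits on its own line; XML comments are skipped. Good enough for a
# hand-written server.xml, not a general XML parser.
audit_connectors() {
    printf '%s\n' "$1" | tr '\n' ' ' | tr '<' '\n' | awk -v max_ms="$2" '
        function attr(s, name,    re, m) {
            # attribute values in server.xml are double-quoted
            re = "[ \t]" name "=\"[^\"]*\""
            if (!match(s, re)) return ""
            m = substr(s, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
            return m
        }
        function flag(p, pr, why) { printf "port %s %s: %s\n", p, pr, why; n++ }
        BEGIN { n = 0; in_comment = 0 }
        /^!--/     { in_comment = 1 }
        in_comment { if (index($0, "-->")) in_comment = 0; next }
        /^Connector[ \t]/ {
            port  = attr($0, "port")
            proto = attr($0, "protocol")
            ct    = attr($0, "connectionTimeout")
            if (proto == "") proto = "HTTP/1.1"   # Tomcat default when omitted
            is_public = (port == "80" || port == "443")
            if (ct == "" && is_public)
                flag(port, proto, "no explicit connectionTimeout on a public port")
            else if (ct != "" && ct + 0 > max_ms + 0)
                flag(port, proto, "connectionTimeout " ct " ms exceeds " max_ms " ms")
        }
        END { exit n }
    '
}

# Flag anything above 30 s (a constructed bound) as too generous for an
# Internet-facing connector; the exit status is the number of findings.
audit_connectors "$SAMPLE_SERVER_XML" 30000 || echo "$? connector(s) need attention"
```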
For details about connectionTimeout/keepAliveTimeout consult the online
documentation [2], or /srv/tomcat/webapps/docs/config/http.html from
@@NAME@@-doc-webbapps

[1] http://en.wikipedia.org/wiki/Slowloris
[2] http://tomcat.apache.org/tomcat-@@MAJOR@@.@@MINOR@@-doc/config/http.html

Your SUSE team

++++++ el-api-OSGi-MANIFEST.MF ++++++
Manifest-Version: 1.0
Export-Package: javax.el;version="2.2.0"
Bundle-Vendor: %bundleProvider
Bundle-ClassPath: .
Bundle-Version: 2.2.0
Bundle-Name: %bundleName
Bundle-Localization: plugin
Bundle-ManifestVersion: 2
Bundle-SymbolicName: javax.el
DynamicImport-Package: org.apache.el
Bundle-RequiredExecutionEnvironment: J2SE-1.4,CDC-1.0/Foundation-1.0,J
 2SE-1.3

++++++ jasper-OSGi-MANIFEST.MF ++++++
Manifest-Version: 1.0
Export-Package: org.apache.jasper;version="7.0.21",org.apache.jasper.c
 ompiler;version="7.0.21",org.apache.jasper.compiler.tagplugin;version
 ="7.0.21",org.apache.jasper.resources;version="7.0.21",org.apache.jas
 per.runtime;version="7.0.21",org.apache.jasper.security;version="7.0.
 19",org.apache.jasper.servlet;version="7.0.21",org.apache.jasper.tagp
 lugins.jstl;version="7.0.21",org.apache.jasper.tagplugins.jstl.core;v
 ersion="7.0.21",org.apache.jasper.util;version="7.0.21",org.apache.ja
 sper.xmlparser;version="7.0.21"
Bundle-Vendor: %bundleProvider
Bundle-ClassPath: .
Bundle-Version: 7.0.21
Bundle-Localization: plugin
Bundle-Name: %bundleName
Bundle-ManifestVersion: 2
Bundle-SymbolicName: org.apache.jasper
Import-Package: javax.servlet;version="[2.4.0, 3.0.0]",javax.servlet.h
 ttp;version="[2.4.0, 3.0.0]",javax.servlet.jsp;version="[2.0.0, 2.2.0
 ]",javax.servlet.jsp.el;version="[2.0.0, 2.2.0]",javax.servlet.jsp.re
 sources;version="[2.0.0, 2.2.0]",javax.servlet.jsp.tagext;version="[2
 .0.0, 2.2.0]",javax.servlet.resources;version="[2.4.0, 3.0.0]",javax.
 xml.parsers,org.apache.commons.el;version="[1.0.0,2.0.0)",org.apache.
 commons.logging;version="[1.0.0,2.0.0)",org.apache.tools.ant;resoluti
 on:=optional,org.apache.tools.ant.taskdefs;resolution:=optional,org.a
 pache.tools.ant.types;resolution:=optional,org.apache.tools.ant.util;
 resolution:=optional,org.w3c.dom,org.xml.sax,org.xml.sax.ext,org.xml.
 sax.helpers,org.apache.tomcat;version="7.0.21",org.apache.juli.loggin
 g;version="7.0.21",javax.el;version="2.2.0",org.eclipse.jdt.internal.
 compiler,org.eclipse.jdt.internal.compiler.parser,org.eclipse.jdt.int
 ernal.compiler.parser.diagnose,org.eclipse.jdt.internal.compiler.flow
 ,org.eclipse.jdt.internal.compiler.util,org.eclipse.jdt.internal.comp
 iler.impl,org.eclipse.jdt.internal.compiler.lookup,org.eclipse.jdt.in
 ternal.compiler.codegen,org.eclipse.jdt.internal.compiler.batch,org.e
 clipse.jdt.internal.compiler.classfmt,org.eclipse.jdt.internal.compil
 er.ast,org.eclipse.jdt.internal.compiler.problem,org.eclipse.jdt.inte
 rnal.compiler.env,org.eclipse.jdt.internal.core.util,org.eclipse.jdt.
 core.compiler
Bundle-RequiredExecutionEnvironment: J2SE-1.4,CDC-1.0/Foundation-1.0,J
 2SE-1.3

++++++ jasper-el-OSGi-MANIFEST.MF ++++++
Manifest-Version: 1.0
Export-Package: org.apache.el;version="7.0.21"
Bundle-Vendor: %bundleProvider
Bundle-ClassPath: .
Bundle-Version: 7.0.21
Bundle-Name: %bundleName
Bundle-Localization: plugin
Bundle-ManifestVersion: 2
Import-Package: javax.el;version="2.2"
Bundle-SymbolicName: org.apache.el
Bundle-RequiredExecutionEnvironment: J2SE-1.4,CDC-1.0/Foundation-1.0,J
 2SE-1.3

++++++ jsp-api-OSGi-MANIFEST.MF ++++++
Manifest-Version: 1.0
Bundle-Vendor: %bundleProvider
Bundle-Localization: plugin
Bundle-RequiredExecutionEnvironment: CDC-1.0/Foundation-1.0,J2SE-1.3
Bundle-Name: %bundleName
Bundle-SymbolicName: javax.servlet.jsp
Export-Package: javax.servlet.jsp; version=2.2,javax.servlet.jsp.el; v
 ersion=2.2,javax.servlet.jsp.resources; version=2.2,javax.servlet.jsp
 .tagext; version=2.2
Bundle-Version: 2.2.0.v200806031607
Bundle-ManifestVersion: 2
Import-Package: javax.servlet; version=3.0,javax.servlet.http; version
 =3.0,javax.servlet.resources; version=3.0,javax.el;version="2.2.0"

++++++ servlet-api-OSGi-MANIFEST.MF ++++++
Manifest-Version: 1.0
Bundle-RequiredExecutionEnvironment: CDC-1.1/Foundation-1.1,J2SE-1.4
Bundle-SymbolicName: javax.servlet
Bundle-ManifestVersion: 2
Bundle-Name: %bundleName
Bundle-Localization: plugin
Bundle-Version: 3.0.0
Bundle-Vendor: %bundleProvider
Export-Package: javax.servlet;version="3.0",
 javax.servlet;version="2.6",
 javax.servlet.http;version="3.0",
 javax.servlet.http;version="2.6",
 javax.servlet.annotation;version="2.6",
 javax.servlet.descriptor;version="3.0",
 javax.servlet.descriptor;version="2.6",
 javax.servlet.resources;version="3.0",
 javax.servlet.resources;version="2.6"

++++++ tomcat-7.0-bootstrap-MANIFEST.MF.patch ++++++
Index: apache-tomcat-7.0.2-src/res/META-INF/bootstrap.jar.manifest
===================================================================
--- apache-tomcat-7.0.2-src.orig/res/META-INF/bootstrap.jar.manifest	2010-08-04 01:26:39.000000000 +0200
+++ apache-tomcat-7.0.2-src/res/META-INF/bootstrap.jar.manifest	2010-09-23 11:25:07.237277450 +0200
@@ -1,6 +1,5 @@
 Manifest-Version: 1.0
 Main-Class: org.apache.catalina.startup.Bootstrap
-Class-Path: commons-daemon.jar
 Specification-Title: Apache Tomcat Bootstrap
 Specification-Version: @VERSION_MAJOR_MINOR@
 Specification-Vendor: Apache Software Foundation

++++++ tomcat-7.0-digest.script ++++++
#!/bin/sh
#
# tomcat-digest script
# JPackage Project <http://www.jpackage.org/>

# Source functions library
if [ -f /usr/share/java-utils/java-functions ] ; then
  . /usr/share/java-utils/java-functions
else
  echo "Can't find functions library, aborting"
  exit 1
fi

# Get the tomcat config (use this for environment specific settings)
if [ -z "${TOMCAT_CFG}" ]; then
  TOMCAT_CFG="/etc/tomcat/tomcat.conf"
fi
if [ -r "$TOMCAT_CFG" ]; then
  . $TOMCAT_CFG
fi

set_javacmd

# CLASSPATH munging
if [ -n "$JSSE_HOME" ]; then
  CLASSPATH="${CLASSPATH}:$(build-classpath jcert jnet jsse 2>/dev/null)"
fi
CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/bootstrap.jar"
CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/tomcat-juli.jar"
export CLASSPATH

# Configuration
MAIN_CLASS="org.apache.catalina.startup.Tool"
BASE_FLAGS="-Dcatalina.home=\"$CATALINA_HOME\""
BASE_OPTIONS=""
BASE_JARS="commons-daemon tomcat/catalina servlet"

# Set parameters
set_classpath $BASE_JARS
set_flags $BASE_FLAGS
set_options $BASE_OPTIONS

# Let's start
run -server org.apache.catalina.realm.RealmBase "$@"

++++++ tomcat-7.0-jsvc.service ++++++
# Systemd unit file for tomcat
#
# You can clone this service by:
# 1.) Add a new EnvironmentFile declaring the new values for CATALINA_BASE
#     and others
# 2.) Define new Environment=JSVC_PIDFILE=/var/run/tomcat-foo.pid if you want
#     to run more than one service

[Unit]
Description=Apache Tomcat Web Application Container JSVC wrapper
After=network.target

[Service]
Type=simple
EnvironmentFile=/etc/tomcat/tomcat.conf
ExecStart=/usr/sbin/tomcat-jsvc-sysd start
ExecStop=/usr/sbin/tomcat-jsvc-sysd stop

[Install]
WantedBy=multi-user.target

++++++ tomcat-7.0-log4j.properties ++++++
log4j.rootLogger=debug, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=${catalina.home}/logs/tomcat.log
log4j.appender.R.MaxFileSize=10MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
log4j.logger.org.apache.catalina=DEBUG, R
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
log4j.logger.org.apache.catalina.core=DEBUG, R
log4j.logger.org.apache.catalina.session=DEBUG, R

++++++ tomcat-7.0-tomcat-sysd ++++++
#!/bin/bash
#
# This script provides systemd activation of the tomcat service and tomcat
# through the jsvc wrapper

# check the basic environment variables
if [[ -z "${CATALINA_BASE}" || \
      -z "${CATALINA_HOME}" || \
      -z "${CATALINA_TMPDIR}" ]]; then
  echo "ERROR: one of CATALINA_BASE, CATALINA_HOME or CATALINA_TMPDIR is not defined" >&2
  echo "       use proper EnvironmentFile= in your .service file" >&2
  exit 1
fi

if [[ "${0}" =~ tomcat-jsvc ]]; then
  if [[ ! -x /usr/bin/jsvc ]]; then
    echo "ERROR: cannot use ${0}, /usr/bin/jsvc does not exist" >&2
    exit 1
  fi
  USE_JSVC=true
  JSVC_PIDFILE=${JSVC_PIDFILE:-/var/run/${0##*/}}
else
  USE_JSVC=false
fi

#### from /usr/sbin/dtomcat
if [[ -r /usr/share/java-utils/java-functions ]]; then
  . /usr/share/java-utils/java-functions
else
  echo "ERROR: Can't read Java functions library, aborting" >&2
  exit 1
fi

set_javacmd

# CLASSPATH munging
if [[ -n "$JSSE_HOME" ]]; then
  CLASSPATH="${CLASSPATH}:$(build-classpath jcert jnet jsse 2>/dev/null)"
fi
CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/bootstrap.jar"
CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/tomcat-juli.jar"
CLASSPATH="${CLASSPATH}:$(build-classpath commons-daemon 2>/dev/null)"

# See how we were called.
function start() {
  local ret

  # running as root is not allowed if not running with jsvc
  if ! ${USE_JSVC} && [[ $(id -u) == 0 ]]; then
    echo "ERROR: starting tomcat under uid 0 is not supported" >&2
    echo "       use appropriate User/Group settings in service file" >&2
    echo "       see man systemd.exec for details" >&2
    exit 2
  fi

  if [[ "$SECURITY_MANAGER" = "true" ]]; then
    DSECURITY_MANAGER="-Djava.security.manager"
  else
    unset DSECURITY_MANAGER
  fi

  if ${USE_JSVC}; then
    JAVACMD="/usr/bin/jsvc -pidfile ${JSVC_PIDFILE} -nodetach -user ${TOMCAT_USER:-tomcat}"
  fi

  #bnc#779538
  cd ${CATALINA_BASE}

  ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \
    -classpath "$CLASSPATH" \
    -Dcatalina.base="$CATALINA_BASE" \
    -Dcatalina.home="$CATALINA_HOME" \
    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
    -Djava.io.tmpdir="$CATALINA_TMPDIR" ${DSECURITY_MANAGER} \
    -Djava.util.logging.config.file="${CATALINA_BASE}/conf/logging.properties" \
    -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" \
    org.apache.catalina.startup.Bootstrap start
  ret=${?}
  return $ret
}

function stop() {
  local ret

  if ${USE_JSVC}; then
    #XXX: foo is needed because of funny jsvc parser needs a class name
    /usr/bin/jsvc -stop -pidfile ${JSVC_PIDFILE} foo
    ret=${?}
    if [[ $ret == 0 ]]; then
      rm -f ${JSVC_PIDFILE}
    fi
  else
    ${JAVACMD} $JAVA_OPTS \
      -classpath "$CLASSPATH" \
      -Dcatalina.base="$CATALINA_BASE" \
      -Dcatalina.home="$CATALINA_HOME" \
      -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
      -Djava.io.tmpdir="$CATALINA_TMPDIR" \
      org.apache.catalina.startup.Bootstrap stop
    ret=${?}
    # workaround the 143 code emitted by jvm in case of sigterm
    # using ExecStart=- will ignore all other failures as well
    # (the variable must be expanded here; a bare "ret" would compare the
    # literal string and never match)
    if [[ $ret == 143 ]]; then
      ret=0
    fi
  fi

  return $ret
}

function version() {
  exec ${JAVACMD} -classpath ${CATALINA_HOME}/lib/catalina.jar \
    org.apache.catalina.util.ServerInfo
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  version)
    version
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|version}" >&2
    exit 1
esac

++++++ tomcat-7.0-tomcat-users-webapp.patch ++++++
Index: apache-tomcat-7.0.2-src/conf/tomcat-users.xml
===================================================================
--- apache-tomcat-7.0.2-src/conf/tomcat-users.xml	2010-08-04 01:26:35.000000000 +0200
+++ apache-tomcat-7.0.2-src/conf/tomcat-users.xml	2010-09-23 11:27:11.819276755 +0200
@@ -23,4 +23,14 @@
   <user username="both" password="tomcat" roles="tomcat,role1"/>
   <user username="role1" password="tomcat" roles="role1"/>
 -->
+
+<!-- <role rolename="admin"/> -->
+<!-- <role rolename="admin-gui"/> -->
+<!-- <role rolename="admin-script"/> -->
+<!-- <role rolename="manager"/> -->
+<!-- <role rolename="manager-gui"/> -->
+<!-- <role rolename="manager-script"/> -->
+<!-- <role rolename="manager-jmx"/> -->
+<!-- <role rolename="manager-status"/> -->
+<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
 </tomcat-users>

++++++ tomcat-7.0-tool-wrapper.script ++++++
#!/bin/sh
#
# tomcat tool-wrapper script
# JPackage Project <http://www.jpackage.org/>

# Source functions library
if [ -f /usr/share/java-utils/java-functions ] ; then
  . /usr/share/java-utils/java-functions
else
  echo "Can't find functions library, aborting"
  exit 1
fi

# Get the tomcat config (use this for environment specific settings)
if [ -z "${TOMCAT_CFG}" ]; then
  TOMCAT_CFG="/etc/tomcat/tomcat.conf"
fi
if [ -r "$TOMCAT_CFG" ]; then
  . $TOMCAT_CFG
fi

set_javacmd

# CLASSPATH munging
if [ -n "$JSSE_HOME" ]; then
  CLASSPATH="${CLASSPATH}:$(build-classpath jcert jnet jsse 2>/dev/null)"
fi
CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/bootstrap.jar"
CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/tomcat-juli.jar"
export CLASSPATH

# Configuration
MAIN_CLASS="org.apache.catalina.startup.Tool"
BASE_OPTIONS=""
BASE_FLAGS="-Dcatalina.home=\"$CATALINA_HOME\""
BASE_JARS="commons-daemon tomcat/catalina servlet"

# Set parameters
set_classpath $BASE_JARS
set_flags $BASE_FLAGS
set_options $BASE_OPTIONS

# Let's start
run "$@"

++++++ tomcat-7.0.2-property-build.windows.patch ++++++
Index: apache-tomcat-7.0.27-src/build.properties.default
===================================================================
--- apache-tomcat-7.0.27-src.orig/build.properties.default	2012-03-31 16:46:49.000000000 +0200
+++ apache-tomcat-7.0.27-src/build.properties.default	2012-06-13 13:56:38.272947593 +0200
@@ -197,3 +197,5 @@
 dojo-js.loc=http://download.dojotoolkit.org/release-1.1.1/dojo-release-1.1.1.tar.gz
 dojo-js.jar=${dojo-js.home}/dojo/dojo.js
 
+# ----- Build on Windows ----
+build.windows=false
Index: apache-tomcat-7.0.27-src/build.xml
===================================================================
--- apache-tomcat-7.0.27-src.orig/build.xml	2012-03-31 16:46:49.000000000 +0200
+++ apache-tomcat-7.0.27-src/build.xml	2012-06-13 13:56:38.274947593 +0200
@@ -2341,7 +2341,7 @@
   </target>
 
   <target name="download-dist"
-          description="Download additional components for a distribution" >
+          description="Download additional components for a distribution" if="${build.windows}">
 
     <antcall target="downloadzip-2">
       <param name="sourcefile.1" value="${tomcat-native.win.1}"/>

++++++ tomcat-7.0.conf ++++++
# System-wide configuration file for tomcat services
# This will be sourced by tomcat and any secondary service

# Where your java installation lives
JAVA_HOME="@@@JAVAHOME@@@"

# Where your tomcat installation lives
CATALINA_BASE="@@@TCHOME@@@"
CATALINA_HOME="@@@TCHOME@@@"
CATALINA_TMPDIR="@@@TCTEMP@@@"

# You can pass some parameters to java here if you wish to
#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"

# Use JAVA_OPTS to set java.library.path for libtcnative.so
#JAVA_OPTS="-Djava.library.path=@@@LIBDIR@@@"

# What user should run tomcat
# This value is interpreted differently
# 1.) for systemd units derived from tomcat.service, the User/Group settings are used
# 2.) for systemd units derived from tomcat-jsvc.service this value is respected (with tomcat as a default)
# 3.) for sysv init script, this value is respected (with tomcat as a default)
#TOMCAT_USER="tomcat"

# You can change your tomcat locale here
#LANG="en_US"

# Run tomcat under the Java Security Manager
SECURITY_MANAGER="false"

# Time to wait in seconds, before killing process
SHUTDOWN_WAIT="30"

# Whether to annoy the user with "attempting to shut down" messages or not
SHUTDOWN_VERBOSE="false"

# Set the TOMCAT_PID location
# WARNING: does not make any sense for systemd users
#CATALINA_PID="/var/run/tomcat.pid"

# Connector port is 8080 for this tomcat instance
#CONNECTOR_PORT="8080"

# If you wish to further customize your tomcat environment,
# put your own definitions here
# (i.e. LD_LIBRARY_PATH for some jdbc drivers)

# Clear work directory when tomcat is stopped or restarted
CLEAR_WORK="false"

# Java runtime options used when the "start", or "run" command is executed
# Use it if you want:
# Set a location of JAAS config file
# CATALINA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config"
# To collect data on how long garbage collection is taking
# CATALINA_OPTS="-verbose:gc"
# Make jikes error messages compatible with jasper
# CATALINA_OPTS="-Dbuild.compiler.emacs=true"
# Debug the permission (WARNING - This will generate many megabytes of output!)
# CATALINA_OPTS="-Djava.security.debug=all"

++++++ tomcat-7.0.init ++++++
#!/bin/bash
# Copyright (c) 2008 SuSE Linux AG Nuernberg, Germany.
#
# - originally written by Henri Gomez, Keith Irwin, and Nicolas Mailhot
# - heavily rewritten by Deepak Bhole and Jason Corley
# - merged with previous SUSE's rctomcat55 by Petr Mladek and jpackage.org
#   original by Michal Vyskocil
#
# /etc/init.d/tomcat
#
#   and its symbolic link
#
# /usr/sbin/rctomcat
#
# System startup script for the Tomcat servlet container
#
### BEGIN INIT INFO
# Provides:          tomcat
# Required-Start:    $network $syslog $remote_fs
# Should-Start:      $named $syslog $time
# Required-Stop:     $network $syslog $remote_fs
# Should-Stop:       $named $syslog $time
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: Tomcat Servlet Container
# Description:       Start and Stop Apache Tomcat
### END INIT INFO

# set a minimalist PATH
PATH="/bin:/sbin"

# Source LSB function library.
if [ -r /lib/lsb/init-functions ]; then
    . /lib/lsb/init-functions
else
    exit 1
fi

DISTRIB_ID=`lsb_release -i -s 2>/dev/null`

NAME="$(basename $0)"
unset ISBOOT
if [ "${NAME:0:1}" = "S" -o "${NAME:0:1}" = "K" ]; then
    NAME="${NAME:3}"
    ISBOOT="1"
fi

# remove SUSE's rc name
if [ "${NAME:0:2}" = "rc" ]; then
    NAME="${NAME:2}"
fi

# For SELinux we need to use 'runuser' not 'su'
if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser"
else
    SU="/bin/su"
fi

# Get the tomcat config (use this for environment specific settings)
TOMCAT_CFG="/etc/tomcat/tomcat.conf"
if [ -r "$TOMCAT_CFG" ]; then
    . $TOMCAT_CFG
fi

# Define which connector port to use
CONNECTOR_PORT="${CONNECTOR_PORT:-8080}"

# Path to the tomcat launch script
TOMCAT_SCRIPT="/usr/sbin/dtomcat"

# Tomcat program name
TOMCAT_PROG="${NAME}"

# Define the tomcat username
TOMCAT_USER="${TOMCAT_USER:-tomcat}"

# Define the tomcat log file
TOMCAT_LOG="${TOMCAT_LOG:-${CATALINA_HOME}/logs/${NAME}-initd.log}"

# Define the tomcat pid file
export CATALINA_PID="/var/run/${NAME}.pid"

RETVAL="0"

# pulled from RHEL4 /etc/rc.d/init.d/functions
function checkpid() {
    local i
    for i in $* ; do
        if [ -d "/proc/${i}" ]; then
            return 0
        fi
    done
    return 1
}

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num><num>
#      rc_reset         clear local rc status (overall remains)
#      rc_exit          exit appropriate to overall rc status
. /etc/rc.status

# First reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.

# Look for open ports, as the function name might imply
function findFreePorts() {
    local isSet1="false"
    local isSet2="false"
    local isSet3="false"
    local lower="8000"
    randomPort1="0"
    randomPort2="0"
    randomPort3="0"
    local -a listeners="( $(
                        netstat -ntl | \
                        awk '/^tcp/ {gsub("(.)*:", "", $4); print $4}'
                    ) )"
    while [ "$isSet1" = "false" ] || \
          [ "$isSet2" = "false" ] || \
          [ "$isSet3" = "false" ]; do
        let port="${lower}+${RANDOM:0:4}"
        if [ -z `expr " ${listeners[*]} " : ".*\( $port \).*"` ]; then
            if [ "$isSet1" = "false" ]; then
                export randomPort1="$port"
                isSet1="true"
            elif [ "$isSet2" = "false" ]; then
                export randomPort2="$port"
                isSet2="true"
            elif [ "$isSet3" = "false" ]; then
                export randomPort3="$port"
                isSet3="true"
            fi
        fi
    done
}

function makeHomeDir() {
    if [ ! -d "$CATALINA_HOME" ]; then
        echo "$CATALINA_HOME does not exist, creating"
        if [ ! -d "/usr/share/${NAME}" ]; then
            mkdir /usr/share/${NAME}
            cp -pLR /usr/share/tomcat/* /usr/share/${NAME}
        fi
        mkdir -p /var/log/${NAME} \
                 /var/cache/${NAME} \
                 /var/tmp/${NAME}
        ln -fs /var/cache/${NAME} ${CATALINA_HOME}/work
        ln -fs /var/tmp/${NAME} ${CATALINA_HOME}/temp
        cp -pLR /usr/share/${NAME}/bin $CATALINA_HOME
        cp -pLR /usr/share/${NAME}/conf $CATALINA_HOME
        ln -fs /usr/share/java/tomcat ${CATALINA_HOME}/lib
        ln -fs /usr/share/tomcat/webapps ${CATALINA_HOME}/webapps
        chown ${TOMCAT_USER}:${TOMCAT_USER} /var/log/${NAME}
    fi
}

function parseOptions() {
    options=""
    options="$options $(
                 awk '!/^#/ && !/^$/ { ORS=" "; print "export ", $0, ";" }' \
                 $TOMCAT_CFG
             )"
#    if [ -r "/etc/sysconfig/${NAME}" ]; then
#        options="$options $(
#                    awk '!/^#/ && !/^$/ { ORS=" ";
#                                          print "export ", $0, ";" }' \
#                    /etc/sysconfig/${NAME}
#                 )"
#    fi
    TOMCAT_SCRIPT="$options ${TOMCAT_SCRIPT}"
}

# See how we were called.
function start() {
    echo -n "Starting Tomcat ($CATALINA_BASE)"
    if [ -f "/var/run/rc${NAME}" ] ; then
        if [ -f "/var/run/${NAME}.pid" ]; then
            read kpid < /var/run/${NAME}.pid
            if checkpid $kpid 2>&1; then
                echo "$NAME process already running"
                rc_failed 0
            else
                echo -n "lock file found but no process running for pid $kpid, continuing"
                rc_failed 7
            fi
        fi
    fi

    # fix permissions on the log and pid files
    export CATALINA_PID="/var/run/${NAME}.pid"
    touch $CATALINA_PID
    chown ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID
    touch $TOMCAT_LOG
    chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG
    if [ "$CATALINA_HOME" != "/usr/share/tomcat" ]; then
        # Create a tomcat directory if it doesn't exist
        makeHomeDir
        # If CATALINA_HOME doesn't exist modify port number so that
        # multiple instances don't interfere with each other
        findFreePorts
        sed -i -e "s/8005/${randomPort1}/g" -e "s/8080/${CONNECTOR_PORT}/g" \
            -e "s/8009/${randomPort2}/g" -e "s/8443/${randomPort3}/g" \
            ${CATALINA_HOME}/conf/server.xml
    fi
    parseOptions
    if [ "$SECURITY_MANAGER" = "true" ]; then
        $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start-security" \
            >> $TOMCAT_LOG 2>&1
    else
        $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start" >> $TOMCAT_LOG 2>&1
    fi
    RETVAL="$?"
    if [ "$RETVAL" -eq 0 ]; then
        rc_failed 0
        touch /var/run/rc${NAME}
    else
        rc_failed 7
    fi
    rc_status -v
}

## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.

# Status has a slightly different meaning for the status command:
# 0 - service running
# 1 - service dead, but /var/run/  pid  file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running

# NOTE: checkproc returns LSB compliant status values.
function status() {
    echo -n "Checking for Tomcat ($CATALINA_BASE)"
    if [ -f "/var/run/${NAME}.pid" ]; then
        read kpid < /var/run/${NAME}.pid
        if checkpid $kpid 2>&1; then
            rc_failed 0
        else
            rc_failed 2
        fi
    else
        #don't be dependent on procps
        #pid="$(/usr/bin/pgrep -u tomcat java)"
        pid="$(ps U tomcat o pid,cmd | grep java | grep -v 'grep java')"
        if [ -n "$pid" ]; then
            echo "$0 running (${pid}) but no PID file exists"
            rc_failed 0
        else
            rc_failed 3
        fi
    fi
    rc_status -v
}

function stop() {
    echo -n "Shutting down Tomcat ($CATALINA_BASE)"
    if [ -f "/var/run/rc${NAME}" ]; then
        parseOptions
        $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} stop" >> $TOMCAT_LOG 2>&1
        RETVAL="$?"
        if [ "$RETVAL" -eq "0" ]; then
            count="0"
            if [ -f "/var/run/${NAME}.pid" ]; then
                read kpid < /var/run/${NAME}.pid
                until [ "$(ps --pid $kpid | grep -c $kpid)" -eq "0" ] || \
                      [ "$count" -gt "$SHUTDOWN_WAIT" ]; do
                    if [ "$SHUTDOWN_VERBOSE" = "true" ]; then
                        echo "waiting for processes $kpid to exit"
                    fi
                    sleep 1
                    let count="${count}+1"
                done
                if [ "$count" -gt "$SHUTDOWN_WAIT" ]; then
                    if [ "$SHUTDOWN_VERBOSE" = "true" ]; then
                        echo "killing processes which didn't stop after $SHUTDOWN_WAIT seconds"
                        echo -n -e "after "
                        echo -n "$SHUTDOWN_WAIT seconds"
                    fi
                    kill -9 $kpid
                fi
                rc_failed 0
                if [ "$count" -gt "0" ]; then
                    echo -n -e "\n"
                fi
            fi
            rm -f /var/run/rc${NAME} /var/run/${NAME}.pid
            if [ "${CLEAR_WORK}" = "true" ]; then
                echo -n "Cleaning work directory: "
                #rm -rf ${CATALINA_HOME}/work/*
                # -mindepth 1 keeps the work/, Catalina/ and temp/ directories
                # themselves (without it find also prints the starting point,
                # which would be removed along with its contents)
                find ${CATALINA_HOME}/work/ -mindepth 1 -maxdepth 1 -type 'd' \! -name 'Catalina' \! -name 'temp' -print0 | xargs -0 rm -rf
                find ${CATALINA_HOME}/work/Catalina/ ${CATALINA_HOME}/work/temp/ -mindepth 1 -print0 | xargs -0 rm -rf
                if [ "$?" -eq "0" ]; then
                    echo_success
                    echo -n -e "\n"
                fi
            fi
        else
            rc_failed 1
        fi
    fi
    rc_status -v
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    try-restart)
        ## Stop the service and if this succeeds (i.e. the
        ## service was running before), start it again.
        ## Note: try-restart is not (yet) part of LSB (as of 0.7.5)
        $0 status >/dev/null && $0 restart

        # Remember status and be quiet
        rc_status
        ;;
    restart)
        stop
        sleep 2
        start
        rc_status
        ;;
    force-reload)
        ## Signal the daemon to reload its config. Most daemons
        ## do this on signal 1 (SIGHUP).
        ## If it does not support it, restart.
        echo -n "Reload service Tomcat ($CATALINA_BASE)"
        ## if it supports it:
        #killproc -HUP $TOMCAT_BIN
        #touch /var/run/FOO.pid
        #rc_status -v

        ## Otherwise:
        $0 stop && $0 start
        rc_status
        ;;
    reload)
        ## Like force-reload, but if daemon does not support
        ## signalling, do nothing (!)

        # If it supports signalling:
        #echo -n "Reload service FOO"
        #killproc -HUP $TOMCAT_BIN
        #touch /var/run/FOO.pid
        #rc_status -v

        ## Otherwise if it does not support reload:
        rc_failed 3
        rc_status -v
        ;;
    status)
        status
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload,
        ## give out the argument which is required for a reload.
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit

++++++ tomcat-7.0.logrotate ++++++
@@@TCLOG@@@/catalina.out {
    copytruncate
    weekly
    rotate 52
    compress
    missingok
    create 0644 tomcat tomcat
}

++++++ tomcat-7.0.service ++++++
# Systemd unit file for tomcat
#
# You can clone this service by:
# 1.) Add a new EnvironmentFile declaring the new values for CATALINA_BASE
#     and others

[Unit]
Description=Apache Tomcat Web Application Container
After=network.target

[Service]
Type=simple
EnvironmentFile=/etc/tomcat/tomcat.conf
User=tomcat
Group=tomcat
ExecStart=/usr/sbin/tomcat-sysd start
ExecStop=/usr/sbin/tomcat-sysd stop

[Install]
WantedBy=multi-user.target

++++++ tomcat-7.0.wrapper ++++++
#!/bin/bash

if [ -r /usr/share/java-utils/java-functions ]; then
  . /usr/share/java-utils/java-functions
else
  echo "Can't read Java functions library, aborting"
  exit 1
fi

# Get the tomcat config (use this for environment specific settings)
if [ -z "${TOMCAT_CFG}" ]; then
  TOMCAT_CFG="/etc/tomcat/tomcat.conf"
fi
if [ -r "$TOMCAT_CFG" ]; then
  . $TOMCAT_CFG
fi

set_javacmd

# CLASSPATH munging
if [ -n "$JSSE_HOME" ]; then
  CLASSPATH="${CLASSPATH}:$(build-classpath jcert jnet jsse 2>/dev/null)"
fi
CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/bootstrap.jar"
CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/tomcat-juli.jar"
CLASSPATH="${CLASSPATH}:$(build-classpath commons-daemon 2>/dev/null)"

if [ "$1" = "start" ]; then
  ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \
    -classpath "$CLASSPATH" \
    -Dcatalina.base="$CATALINA_BASE" \
    -Dcatalina.home="$CATALINA_HOME" \
    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
    -Djava.io.tmpdir="$CATALINA_TMPDIR" \
    -Djava.util.logging.config.file="${CATALINA_BASE}/conf/logging.properties" \
    -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" \
    org.apache.catalina.startup.Bootstrap start \
    >> ${CATALINA_BASE}/logs/catalina.out 2>&1 &
  if [ ! -z "$CATALINA_PID" ]; then
    echo $! > $CATALINA_PID
  fi
elif [ "$1" = "start-security" ]; then
  ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \
    -classpath "$CLASSPATH" \
    -Dcatalina.base="$CATALINA_BASE" \
    -Dcatalina.home="$CATALINA_HOME" \
    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
    -Djava.io.tmpdir="$CATALINA_TMPDIR" \
    -Djava.security.manager \
    -Djava.security.policy="${CATALINA_BASE}/conf/catalina.policy" \
    -Djava.util.logging.config.file="${CATALINA_BASE}/conf/logging.properties" \
    -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" \
    org.apache.catalina.startup.Bootstrap start \
    >> ${CATALINA_BASE}/logs/catalina.out 2>&1 &
  if [ ! -z "$CATALINA_PID" ]; then
    echo $! > $CATALINA_PID
  fi
elif [ "$1" = "stop" ]; then
  ${JAVACMD} $JAVA_OPTS \
    -classpath "$CLASSPATH" \
    -Dcatalina.base="$CATALINA_BASE" \
    -Dcatalina.home="$CATALINA_HOME" \
    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
    -Djava.io.tmpdir="$CATALINA_TMPDIR" \
    org.apache.catalina.startup.Bootstrap stop \
    >> ${CATALINA_BASE}/logs/catalina.out 2>&1
elif [ "$1" = "version" ]; then
  ${JAVACMD} -classpath ${CATALINA_HOME}/lib/catalina.jar \
    org.apache.catalina.util.ServerInfo
else
  echo "Usage: $0 {start|start-security|stop|version}"
  exit 1
fi

++++++ tomcat-CVE-2012-2733.patch ++++++
From 4b57ec6240c7d60939a8cc9c5f1ddac13fcbff73 Mon Sep 17 00:00:00 2001 From: Konstantin Kolinko <kkolinko@apache.org> Date: Thu, 14 Jun 2012 15:48:28 +0000 Subject: [PATCH] Merged revision 1350294 from tomcat/trunk: Improve InternalNioInputBuffer#parseHeaders() Move the code and s/end/pos/
mv: This fixes CVE-2012-2733 Apache Tomcat Denial of Service mv: removed changelog.xml git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1350301 13f79535-47bb-0310-9956-ffa450edef68 --- java/org/apache/coyote/http11/InternalNioInputBuffer.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/java/org/apache/coyote/http11/InternalNioInputBuffer.java b/java/org/apache/coyote/http11/InternalNioInputBuffer.java index d094729..d6c43bf 100644 --- a/java/org/apache/coyote/http11/InternalNioInputBuffer.java +++ b/java/org/apache/coyote/http11/InternalNioInputBuffer.java @@ -473,10 +473,6 @@ public class InternalNioInputBuffer extends AbstractInputBuffer<NioChannel> { do { status = parseHeader(); - } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS ); - if (status == HeaderParseStatus.DONE) { - parsingHeader = false; - end = pos; // Checking that // (1) Headers plus request line size does not exceed its limit // (2) There are enough bytes to avoid expanding the buffer when 
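Review bot: in the @@ -473,10 +473,6 @@ hunk of InternalNioInputBuffer.java, deleting `} while (...)` and the `if (status == HeaderParseStatus.DONE)` block here means the size check that follows now runs on every pass through the `do` loop, after each parseHeader() call, while `end` is no longer assigned until the header block is complete; that is why the check has to be rewritten against `pos`. A one-line comment above the check saying it is intentionally evaluated per header, with `status` possibly still HAVE_MORE_HEADERS, would stop a later maintainer from moving it back into the DONE branch, and the commit message should say why ("Move the code and s/end/pos/" gives the mechanics but not that checking only on DONE let the headers exceed headerBufferSize before the limit was enforced).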
@@ -485,11 +481,15 @@ public class InternalNioInputBuffer extends AbstractInputBuffer<NioChannel> { // limitation to enforce the meaning of headerBufferSize // From the way how buf is allocated and how blank lines are being // read, it should be enough to check (1) only. - if (end - skipBlankLinesBytes > headerBufferSize - || buf.length - end < socketReadBufferSize) { + if (pos - skipBlankLinesBytes > headerBufferSize + || buf.length - pos < socketReadBufferSize) { throw new IllegalArgumentException( sm.getString("iib.requestheadertoolarge.error")); } + } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS ); + if (status == HeaderParseStatus.DONE) { + parsingHeader = false; + end = pos; return true; } else { return false; -- 1.7.10.4 ++++++ tomcat-CVE-2012-3546.patch ++++++ commit f78c0cdfc8a3c2efdfe6df6b69e5e3daafa3f588 Author: Konstantin Kolinko <kkolinko@apache.org> Date: Mon Aug 27 22:28:43 2012 +0000 Merged revision 1377887 from tomcat/trunk: Remove unneeded handling of FORM authentication in RealmBase. The login and error pages are handled via forward, so processing completes before this code is ever reached. The action page is handled elsewhere. git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1377892 13f79535-47bb-0310-9956-ffa450edef68 Index: apache-tomcat-7.0.27-src/java/org/apache/catalina/realm/RealmBase.java =================================================================== --- apache-tomcat-7.0.27-src.orig/java/org/apache/catalina/realm/RealmBase.java 2012-12-10 13:08:02.263573648 +0100 +++ apache-tomcat-7.0.27-src/java/org/apache/catalina/realm/RealmBase.java 2012-12-10 13:08:04.327645438 +0100 
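Review bot: in the @@ -485,11 +481,15 @@ hunk of InternalNioInputBuffer.java, `} while (status == HeaderParseStatus.HAVE_MORE_HEADERS)` now closes after the size check, so the IllegalArgumentException can leave the method with `parsingHeader` still true and `end` not yet updated; that is only safe if every caller treats the exception as terminal for the request, which the hunk cannot show, so state it in a comment next to the throw or in the commit message. The context comment kept above the check ("From the way how buf is allocated ... it should be enough to check (1) only") still describes a single post-loop check and should be updated to say the condition is re-evaluated after every header.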
@@ -45,7 +45,6 @@ import org.apache.catalina.Wrapper; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; -import org.apache.catalina.deploy.LoginConfig; import org.apache.catalina.deploy.SecurityCollection; import org.apache.catalina.deploy.SecurityConstraint; import org.apache.catalina.mbeans.MBeanUtils; 
@@ -819,31 +818,6 @@ if (constraints == null || constraints.length == 0) return (true); - // Specifically allow access to the form login and form error pages - // and the "j_security_check" action - LoginConfig config = context.getLoginConfig(); - if ((config != null) && - (Constants.FORM_METHOD.equals(config.getAuthMethod()))) { - String requestURI = request.getRequestPathMB().toString(); - String loginPage = config.getLoginPage(); - if (loginPage.equals(requestURI)) { - if (log.isDebugEnabled()) - log.debug(" Allow access to login page " + loginPage); - return (true); - } - String errorPage = config.getErrorPage(); - if (errorPage.equals(requestURI)) { - if (log.isDebugEnabled()) - log.debug(" Allow access to error page " + errorPage); - return (true); - } - if (requestURI.endsWith(Constants.FORM_ACTION)) { - if (log.isDebugEnabled()) - log.debug(" Allow access to username/password submission"); - return (true); - } - } - // Which user principal have we already authenticated? Principal principal = request.getPrincipal(); boolean status = false; ++++++ tomcat-CVE-2012-4431.patch ++++++ commit bd325e29762ca3f7a0801907bfbe5471effbbfff Author: Konstantin Kolinko <kkolinko@apache.org> Date: Tue Oct 2 18:40:22 2012 +0000 Merged revision 1393071 from tomcat/trunk: Improve session management in CsrfPreventionFilter git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1393088 13f79535-47bb-0310-9956-ffa450edef68 Index: apache-tomcat-7.0.27-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java =================================================================== --- apache-tomcat-7.0.27-src.orig/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2012-12-10 13:11:44.437300870 +0100 +++ apache-tomcat-7.0.27-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2012-12-10 13:18:31.437455749 +0100 
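Review bot: in the @@ -819,31 +818,6 @@ hunk of RealmBase.java, the removed block returned true before any principal or role check whenever the request path equalled the configured login or error page or merely satisfied `requestURI.endsWith(Constants.FORM_ACTION)`, so any constrained resource whose path ended with that suffix was exempt from the constraints; removing it is the right fix, and the justification in the commit message (login and error pages are reached via forward, the action page is handled elsewhere) deserves a short comment at the spot where the block used to be, since the enclosing method now behaves differently for FORM authentication with no trace of why. Also confirm that `Constants` is still referenced elsewhere in RealmBase after this removal; the accompanying import hunk drops only LoginConfig.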
@@ -33,6 +33,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponseWrapper; +import javax.servlet.http.HttpSession; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; @@ -153,16 +154,19 @@ } } + HttpSession session = req.getSession(false); + @SuppressWarnings("unchecked") - LruCache<String> nonceCache = - (LruCache<String>) req.getSession(true).getAttribute( - Constants.CSRF_NONCE_SESSION_ATTR_NAME); - + LruCache<String> nonceCache = (session == null) ? null + : (LruCache<String>) session.getAttribute( + Constants.CSRF_NONCE_SESSION_ATTR_NAME); + if (!skipNonceCheck) { String previousNonce = req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM); - if (nonceCache != null && !nonceCache.contains(previousNonce)) { + if (nonceCache == null || previousNonce == null || + !nonceCache.contains(previousNonce)) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return; } 
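Review bot: in the @@ -153,16 +154,19 @@ hunk of CsrfPreventionFilter.java, the old condition `nonceCache != null && !nonceCache.contains(previousNonce)` let through any request that arrived without a session (nonceCache null) and, via getSession(true), created a session for it; the new `nonceCache == null || previousNonce == null || !nonceCache.contains(previousNonce)` fails closed, which is the point of the change, and `req.getSession(false)` stops the check itself from creating sessions. Since a sessionless non-entry-point request now gets 403, add a comment above the `if (!skipNonceCheck)` block stating that the only way to obtain a first nonce cache is through a request for which `skipNonceCheck` is true, so that the entry-point configuration is understood as the sole bootstrap path.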
@@ -170,7 +174,10 @@ if (nonceCache == null) { nonceCache = new LruCache<String>(nonceCacheSize); - req.getSession().setAttribute( + if (session == null) { + session = req.getSession(true); + } + session.setAttribute( Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache); } ++++++ tomcat-CVE-2012-5885-CVE-2012-5886-CVE-2012-5887.patch ++++++ ++++ 614 lines (skipped) ++++++ tomcat-api-OSGi-MANIFEST.MF ++++++ Manifest-Version: 1.0 Export-Package: org.apache.tomcat;version="7.0.21" Bundle-Vendor: %bundleProvider Bundle-ClassPath: . Bundle-Version: 7.0.21 Bundle-Name: %bundleName Bundle-Localization: plugin Bundle-ManifestVersion: 2 Bundle-SymbolicName: org.apache.tomcat Bundle-RequiredExecutionEnvironment: J2SE-1.4,CDC-1.0/Foundation-1.0,J 2SE-1.3 ++++++ tomcat-dont-parse-user-name-twice.patch ++++++ commit c6ea8be09f706f417ddd5036c2d5508873a919bc Author: Mark Emlyn David Thomas <markt@apache.org> Date: Sat Jul 28 18:04:29 2012 +0000 Don't parse username twice with different methods git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1366723 13f79535-47bb-0310-9956-ffa450edef68 Index: apache-tomcat-7.0.27-src/java/org/apache/catalina/authenticator/DigestAuthenticator.java =================================================================== --- apache-tomcat-7.0.27-src.orig/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2012-12-10 13:14:48.814713348 +0100 +++ apache-tomcat-7.0.27-src/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2012-12-10 13:15:23.948935265 +0100 @@ -270,7 +270,7 @@ } if (principal != null) { - String username = parseUsername(authorization); + String username = digestInfo.getUsername(); register(request, response, principal, HttpServletRequest.DIGEST_AUTH, username, null); 
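Review bot: in the @@ -170,7 +174,10 @@ hunk of CsrfPreventionFilter.java, `session = req.getSession(true)` is now reached only when no nonce cache exists, which together with the earlier `getSession(false)` means a session is created solely for a request that passed or skipped the nonce check; the hunk reassigns the `session` local introduced in the previous hunk, so a brief comment that the lazy creation is deliberate (a request that failed the check must not leave a session behind) would make the intent survive future edits.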
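Review bot: in the @@ -270,7 +270,7 @@ hunk of DigestAuthenticator.java, registering `digestInfo.getUsername()` instead of `parseUsername(authorization)` ensures the name stored for the session is the same string the principal was validated against rather than a second copy parsed from the raw header by a different routine; the hunk's context does not show where `digestInfo` is declared, so widen the context or add a comment at the register() call making clear it is the DigestInfo instance whose validation just produced `principal`.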
@@ -307,7 +307,10 @@ * can be identified, return <code>null</code> * * @param authorization Authorization string to be parsed + * + * @deprecated Unused. Will be removed in Tomcat 8.0.x */ + @Deprecated protected String parseUsername(String authorization) { // Validate the authorization credentials format @@ -515,6 +518,11 @@ this.validateUri = validateUri; } + + public String getUsername() { + return userName; + } + public boolean validate(Request request, String authorization, LoginConfig config) { // Validate the authorization credentials format ++++++ tomcat-juli-OSGi-MANIFEST.MF ++++++ Manifest-Version: 1.0 Export-Package: org.apache.juli;version="7.0.21",org.apache.juli.loggi ng;version="7.0.21" Bundle-Vendor: %bundleProvider Bundle-ClassPath: . Bundle-Version: 7.0.21 Bundle-Name: %bundleName Bundle-Localization: plugin Bundle-ManifestVersion: 2 Bundle-SymbolicName: org.apache.juli Bundle-RequiredExecutionEnvironment: J2SE-1.4,CDC-1.0/Foundation-1.0,J 2SE-1.3 ++++++ tomcat-rpmlintrc ++++++ s is OK - fix of bnc#520532 addFilter(".*non-etc-or-var-file-marked-as-conffile /srv/tomcat6/webapps/ROOT.*") -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
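Review bot: in the @@ -307,7 +307,10 @@ hunk of DigestAuthenticator.java, the new `@deprecated Unused` tag marks parseUsername() as dead but leaves it protected and callable by subclasses; because it parses the Authorization header with a routine separate from DigestInfo, a subclass that keeps calling it reintroduces the mismatch this patch removes, so the javadoc should name DigestInfo.getUsername() as the replacement.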
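Review bot: in the @@ -515,6 +518,11 @@ hunk of DigestAuthenticator.java, `getUsername()` returns the `userName` field with no javadoc; since the field is only populated by the parsing step, document that the accessor returns null until the Authorization header has been parsed, and consider placing it beside the other accessors rather than between setValidateUri() and validate().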