Hello community,
here is the log from the commit of package tomcat6.1181 for openSUSE:12.1:Update checked in at 2012-12-27 16:10:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/tomcat6.1181 (Old)
and /work/SRC/openSUSE:12.1:Update/.tomcat6.1181.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat6.1181", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2012-12-21 01:49:00.356010756 +0100
+++ /work/SRC/openSUSE:12.1:Update/.tomcat6.1181.new/libtcnative-1-0.changes 2012-12-27 16:10:17.000000000 +0100
@@ -0,0 +1,33 @@
+-------------------------------------------------------------------
+Thu Aug 5 15:30:21 UTC 2010 - mvyskocil@suse.cz
+
+- fixes bnc#622430 - move .so file to main package
+
+-------------------------------------------------------------------
+Tue Mar 16 12:35:08 CET 2010 - ro@suse.de
+
+- build from tomcat-native-1.1.20-src.tar.gz
+- package needs work, does not have to live in tomcat src any more
+
+-------------------------------------------------------------------
+Wed Jun 3 11:10:45 CEST 2009 - mvyskocil@suse.cz
+
+- Tomcat update to 6.0.20
+- APR update to 1.3.3 - the bugfix release
+
+-------------------------------------------------------------------
+Fri Sep 12 09:33:38 CEST 2008 - mvyskocil@suse.cz
+
+- Tomcat update to 6.0.18
+
+-------------------------------------------------------------------
+Thu Aug 7 15:59:03 CEST 2008 - mvyskocil@suse.cz
+
+- move the .so file to -devel subpackage to prevent of an rpmlint error
+
+-------------------------------------------------------------------
+Wed Jul 9 15:52:08 CEST 2008 - mvyskocil@suse.cz
+
+- The first release in SUSE (1.2.12)
+ - fix of enhancenment request [bnc#202339]
+
New Changes file:
--- /dev/null 2012-12-21 01:49:00.356010756 +0100
+++ /work/SRC/openSUSE:12.1:Update/.tomcat6.1181.new/tomcat6.changes 2012-12-27 16:10:17.000000000 +0100
@@ -0,0 +1,299 @@
+-------------------------------------------------------------------
+Mon Dec 10 09:57:57 UTC 2012 - mvyskocil@suse.com
+
+- fix bnc#793394 - bypass of security constraints (CVE-2012-3546)
+ * apache-tomcat-CVE-2012-3546.patch
+ http://svn.apache.org/viewvc?view=revision&revision=1381035
+- fix bnc#793391 - bypass of CSRF prevention filter (CVE-2012-4431)
+ * apache-tomcat-CVE-2012-4431.patch
+ http://svn.apache.org/viewvc?view=revision&revision=1394456
+
+-------------------------------------------------------------------
+Fri Dec 7 12:29:30 UTC 2012 - mvyskocil@suse.com
+
+- document how to protect against slowloris DoS (CVE-2012-5568/bnc#791679)
+ in README.SUSE
+
+-------------------------------------------------------------------
+Tue Dec 4 08:42:49 UTC 2012 - mvyskocil@suse.com
+
+- fixes
+ bnc#791423 - cnonce tracking weakness (CVE-2012-5885)
+ bnc#791424 - authentication caching weakness (CVE-2012-5886)
+ bnc#791426 - stale nonce weakness (CVE-2012-5887)
+ * apache-tomcat-CVE-2009-2693-CVE-2009-2901-CVE-2009-2902.patch
+ http://svn.apache.org/viewvc?view=revision&revision=1380829
+
+-------------------------------------------------------------------
+Fri Nov 23 15:07:48 UTC 2012 - mvyskocil@suse.com
+
+- fix bnc#789406 - HTTP NIO connector OOM DoS via a request with
+ large headers (CVE-2012-2733)
+ * http://svn.apache.org/viewvc?view=revision&revision=1356208
+
+-------------------------------------------------------------------
+Mon Feb 6 12:58:09 UTC 2012 - mvyskocil@suse.cz
+
+- fix bnc#742477 - iManager throws exception in its basic functionalities
+ * http://svn.apache.org/viewvc?view=revision&revision=1206324
+ * http://svn.apache.org/viewvc?view=revision&revision=1229027
+- fix bnc#743055 - VUL-1: CVE-2011-3375: tomcat: information disclosure
+ due to improper response and request object recycling
+
+-------------------------------------------------------------------
+Thu Jan 5 10:40:33 UTC 2012 - mvyskocil@suse.cz
+
+- fix bnc#727543 - VUL-0: Apache tomcat vulnerable to hash collision attack
+ backport upstream changes:
+ * add isConfigProblemFatal method
+ http://svn.apache.org/viewvc?view=revision&revision=1199122
+ * GET POST parameter processing performance. Adds maximum number of
+ parameters per request (defaults to 10000) and new FailedRequestFilter for
+ rejecting requests with excessive number of parameters
+ http://svn.apache.org/viewvc?view=revision&revision=1200601
+- fix bnc#712784 - tomcat6: add missing Requires on java >= 1.6.0
+ * add recommends on java >= 1.6.0 and java-devel >= 1.6.0
+
+-------------------------------------------------------------------
+Mon Aug 29 13:33:51 UTC 2011 - mvyskocil@suse.cz
+
+- update to latest upstream version 6.0.33 (bugfix release)
+- fix bnc#714620 - tomcat6: use of /var/lock/subsys unsupported
+ use /var/run/rctomcat6 instead
+
+-------------------------------------------------------------------
+Fri Feb 11 08:27:50 UTC 2011 - mvyskocil@suse.cz
+
+- update to latest upstream version 6.0.32 (bugfix release)
+- obsolete CVE-2010-4172 patch
+- fixes bnc#669897 (CVE-2010-3718), bnc#669926 (CVE-2010-4476), bnc#669928
+ (CVE-2011-0013) and bnc#669930 (CVE-2011-0534)
+
+-------------------------------------------------------------------
+Thu Dec 9 10:50:46 UTC 2010 - mvyskocil@suse.cz
+
+- fix bnc#655440#c14 - clean workdir of tomcat's webapps to be sure
+ our fixed jsps will be redeployed on each update
+
+-------------------------------------------------------------------
+Thu Nov 25 10:33:51 UTC 2010 - mvyskocil@suse.cz
+
+- fix bnc#655440 - VUL-0: tomcat6: Apache Tomcat Manager application XSS
+ vulnerability (CVE-2010-4172)
+ http://svn.apache.org/viewvc?view=revision&revision=1037779
+- fix bnc#653586 - spacewalk 1.2 requires jasper 5.5
+ * add offline jasper compiler /usr/bin/jspc
+- unpack tarball to apache-tomcat-$VERSION-src directory directly
+
+-------------------------------------------------------------------
+Tue Nov 2 10:19:13 UTC 2010 - mvyskocil@suse.cz
+
+- Fix bnc#650130 - Update of tomcat6 not possible (cpio: Is a directory)
+ * workaround the rpm bug - it cannot update directory to symlink
+ * make /etc/tomcat6/Catalina/ as ghost file
+ * create link in %posttrans
+
+-------------------------------------------------------------------
+Tue Sep 14 13:18:45 UTC 2010 - mvyskocil@suse.cz
+
+- Update to 6.0.29 (bugfix release)
+- fix bnc#625415: Tomcat6 does not have permissions to its own directories
+ * also fix the /etc/tomcat6/Catalina link target
+- revert a setclasspath.sh changes
+- disable user/group verification of tomcat owned files and directories to
+ allow easy change of the tomcat user without rpm --verify complaints
+
+-------------------------------------------------------------------
+Thu Jul 15 09:21:45 UTC 2010 - mvyskocil@suse.cz
+
+- Update to 6.0.28 (bugfix release)
+- fix bnc#565901 - missing catalina.sh again
+ * move catalina.sh to CATALINA_HOME/bin
+ * add jpackage.org compatible CATALINA_HOME/bin/setclasspath.sh
+- add missing logrotate requires
+- install scripts with mode 0755
+
+-------------------------------------------------------------------
+Wed Feb 3 12:39:44 UTC 2010 - mvyskocil@suse.cz
+
+- Update to 6.0.24 (bugfix release). This obsoletes patch
+ * tomcat6-bug47316.patch
+- Merged with tomcat6-6.0.18-10.jpp6.src.rpm
+ * return the jpackage.org license header in spec
+ * polish in spec (use more macros)
+ * add logrotate support
+ * add patch to document webapps in %%{_sysconfdir}/%%{name}/tomcat-users.xml
+ * move %%{_bindir}/d%%{name} to %%{_sbindir}/%%{name} and provide symlink to
+ %%{_sbindir}/d%%{name}
+ * add digest and tool-wrapper scripts
+ * explicitly unset CLASSPATH
+ * explicitly set OPT_JAR_LIST to include ant/ant-trax
+ * build and install sample webapp
+ * use copy instead of move to fix short-circuit install build
+ * version jsp and servlet Provides with their spec versions
+ * make initscript LSB-complaint
+ * add el subpackage
+
+-------------------------------------------------------------------
+Tue Jan 5 14:20:08 UTC 2010 - mvyskocil@suse.cz
+
+- fixed bnc#565901 - missing catalina.sh
+ * added catalina.sh (link from dtomcat6) to improve upstream compatibility
+
+-------------------------------------------------------------------
+Wed Sep 30 08:01:35 UTC 2009 - mvyskocil@suse.cz
+
+- fixed bnc#542634: Tomcat NPE on start
+ applied patch from upstream bugzilla
+ https://issues.apache.org/bugzilla/show_bug.cgi?id=47316#c3
+
+-------------------------------------------------------------------
+Wed Aug 26 13:01:22 UTC 2009 - mvyskocil@suse.cz
+
+- fixed bnc#520532: marked all webapp/ROOT/* files as config(noreplace)
+- marked /etc/ant.d/catalina-ant as config(noreplace)
+
+-------------------------------------------------------------------
+Mon Jun 15 09:09:12 CEST 2009 - mvyskocil@suse.cz
+
+- added a missing -p1 for %patch0
+
+-------------------------------------------------------------------
+Wed Jun 3 10:39:19 CEST 2009 - mvyskocil@suse.cz
+
+- fixed bnc#488061: work directory clean on tomcat stop
+- update to 6.0.20 - the bugfix release:
+ * MemoryUserDatabase is read-only by default
+ * Allow huge request body packets for AJP13
+ * Never return an empty HTTP status reason phrase
+ * Prevent double initialisation of JSPs
+ * A node should ignore its own heartbeat messages
+ * Prettry error messages (instead of stacktrace) if shutdown port is disabled
+
+-------------------------------------------------------------------
+Mon Mar 16 15:57:55 CET 2009 - mvyskocil@suse.cz
+
+- fixed bnc#418664 - Tomcat6 installation has missing bits
+ - added /etc/ant.d/catalina-ant
+- another fix for bnc#471639 - tomcat does not start/work
+ * merged a sysconfig and tomcat6.conf to allow a dtomcat6 start works
+ * also fixs (bnc#471639)
+- fixed bnc#424675 - Access rights to /etc/tomcat6 directory not set right
+ * create a link from /etc/tomcat6/Catalina to /var/cache/tomcat6/Catalina
+- removed a CATALINA_OPTS from stop in dtcomcat6 (bao#42951)
+
+-------------------------------------------------------------------
+Wed Feb 25 14:31:44 CET 2009 - mvyskocil@suse.cz
+
+- fixed bnc#471301: tomcat6 doesn't want to be started when sun java 1.5 is selected
+ - built with -target 1.5
+
+-------------------------------------------------------------------
+Mon Feb 9 16:50:07 CET 2009 - mvyskocil@suse.cz
+
+- Fixed bnc#471639 - tomcat does not start/work
+ - fill up a default JVM in sysconfig
+- changed a default JAVA_HOME from JRE to SDK in config
+
++++ 102 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.1:Update/.tomcat6.1181.new/tomcat6.changes
New:
----
README.SUSE.in
apache-tomcat-6.0.33-src.tar.gz
apache-tomcat-CVE-2011-3375.patch
apache-tomcat-CVE-2012-2733.patch
apache-tomcat-CVE-2012-3546.patch
apache-tomcat-CVE-2012-4431.patch
apache-tomcat-CVE-2012-5885-CVE-2012-5886-CVE-2012-5887.patch
apache-tomcat-accept-extra-amp-in-parameters.patch
apache-tomcat-isconfigproblemfatal.patch
apache-tomcat-parameter-processing-performance.patch
apache-tomcat-parameter-processing-regression.patch
apr-1.3.3.tar.bz2
libtcnative-1-0.changes
libtcnative-1-0.spec
tomcat-native-1.1.20-src.tar.gz
tomcat6-6.0-digest.script
tomcat6-6.0-tomcat-users-webapp.patch
tomcat6-6.0-tool-wrapper.script
tomcat6-6.0.bootstrap-MANIFEST.MF.patch
tomcat6-6.0.conf
tomcat6-6.0.init
tomcat6-6.0.jasper.sh
tomcat6-6.0.jspc
tomcat6-6.0.logrotate
tomcat6-6.0.starter
tomcat6-6.0.wrapper
tomcat6-rpmlintrc
tomcat6.changes
tomcat6.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libtcnative-1-0.spec ++++++
#
# spec file for package libtcnative-1-0
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# "section" is a jpackage.org spec convention; nothing below references it.
%define section free
# Tomcat version macros inherited from the tomcat6 spec. Nothing in this
# spec uses tomcat_version or packdname, and 6.0.24 is older than the
# apache-tomcat-6.0.33 source shipped alongside this package, so treat them
# as stale rather than as a statement about the Tomcat this library targets.
%define tomcat_major_version 6
%define tomcat_minor_version 0
%define tomcat_macro_version 24
%define tomcat_version %{tomcat_major_version}.%{tomcat_minor_version}.%{tomcat_macro_version}
%define packdname apache-tomcat-%{tomcat_version}-src
# Base name of the shared library built from Source0.
%define libname libtcnative-1
# NOTE(review): major/minor/micro give Version 1.3.3, which is the version of
# the bundled APR tarball (Source1), not of tomcat-native itself (1.1.20,
# Source0). The buildconf call in the build section relies on this to locate
# the apr-1.3.3 directory, so do not change it without adjusting that call.
%define major 1
%define minor 3
%define micro 3
Name: libtcnative-1-0
Version: %{major}.%{minor}.%{micro}
Release: 0
Summary: JNI wrappers for Apache Portable Runtime for Tomcat
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
Url: http://tomcat.apache.org/tomcat-6.0-doc/apr.html
# Source0 is the library that is actually built. Source1 (APR source) is only
# unpacked so that buildconf can borrow its autoconf helper scripts; the
# resulting library links against the system APR, see the build section.
# No upstream signature or checksum is verified in this spec, so the tarballs
# have to be checked by hand whenever they are refreshed.
Source0: tomcat-native-1.1.20-src.tar.gz
Source1: apr-1.3.3.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# Built against the system APR and OpenSSL, not against the bundled APR.
# fdupes is not invoked anywhere below; python is presumably needed by the
# buildconf helper scripts -- TODO confirm both are still required.
BuildRequires: fdupes
BuildRequires: java-devel
BuildRequires: libapr1-devel
BuildRequires: openssl-devel
BuildRequires: python
%description
Tomcat can use the Apache Portable Runtime to provide superior
scalability, performance, and better integration with native server
technologies. The Apache Portable Runtime is a highly portable library
that is at the heart of Apache HTTP Server 2.x. APR has many uses,
including access to advanced IO functionality (such as sendfile, epoll
and OpenSSL), OS level functionality (random number generation, system
status, etc), and native process handling (shared memory, NT pipes and
Unix sockets).
These features allows making Tomcat a general purpose webserver, will
enable much better integration with other native web technologies, and
overall make Java much more viable as a full fledged webserver platform
rather than simply a backend focused technology.
# Headers and pkgconfig file only; the unversioned .so deliberately stays in
# the main package (see the files section).
%package devel
Requires: %{name} = %{version}-%{release}
Requires: glibc-devel
Requires: libapr1-devel
Requires: libopenssl-devel
Summary: JNI wrappers for Apache Portable Runtime for Tomcat
Group: Development/Libraries/C and C++
%description devel
Tomcat can use the Apache Portable Runtime to provide superior
scalability, performance, and better integration with native server
technologies. The Apache Portable Runtime is a highly portable library
that is at the heart of Apache HTTP Server 2.x. APR has many uses,
including access to advanced IO functionality (such as sendfile, epoll
and OpenSSL), OS level functionality (random number generation, system
status, etc), and native process handling (shared memory, NT pipes and
Unix sockets).
These features allows making Tomcat a general purpose webserver, will
enable much better integration with other native web technologies, and
overall make Java much more viable as a full fledged webserver platform
rather than simply a backend focused technology.
%prep
# Unpack Source0, then (-a 1) unpack the APR tarball inside it, giving
# tomcat-native-1.1.20-src/apr-1.3.3/ for buildconf to find.
%setup -q -n tomcat-native-1.1.20-src -a 1
pushd jni/native
# The tarball ships the autoconf helper scripts without the executable bit.
chmod a+x build/*.sh
# Ship the build instructions under the conventional name (packaged as doc).
mv BUILDING README
popd
%build
pushd jni
# remove pre-built binaries and windows files
# Supply-chain hygiene: nothing pre-built from the upstream tarball may end
# up in the package. This relies on the tarball having no whitespace in
# file names (find/xargs are not paired with -print0/-0); acceptable for a
# controlled upstream archive, but keep it in mind when bumping Source0.
find . \( -name "*.bat" -o -name "*.class" -o -name "*.gz" -o \
-name "*.jar" -o -name "*.zip" \) | xargs -t %{__rm} -f
# we don't care about the tarballs and we're going to replace
# tomcat-dbcp.jar with jakarta-commons-{collections,dbcp,pool}-tomcat5.jar
# so just create a dummy file for later removal
# NOTE(review): the three comment lines above and the HACK file were carried
# over from the tomcat spec; nothing in this spec removes or packages HACK.
touch HACK
pushd native
# buildconf needs an APR *source* tree only for its helper scripts; that is
# the sole use of the bundled Source1. The library itself is configured
# against the system APR and OpenSSL found under the install prefix.
sh buildconf --with-apr=../../apr-%{version}/
./configure \
--prefix=%{_prefix} \
--libdir=%{_libdir} \
--with-apr=%{_prefix} --with-openssl=%{_prefix}
make
popd
popd
%install
pushd jni/native
make DESTDIR=${RPM_BUILD_ROOT} install
# Install the public headers by hand, mode 0644, for the devel subpackage.
%{__install} -d -m 755 ${RPM_BUILD_ROOT}/%{_includedir}
%{__install} -m 644 include/* ${RPM_BUILD_ROOT}/%{_includedir}
# libtool archives are not wanted in binary packages.
rm ${RPM_BUILD_ROOT}/%{_libdir}/*.la
popd
%clean
rm -rf $RPM_BUILD_ROOT
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%defattr(-,root,root)
%{_libdir}/%{libname}.so.*
#bnc#622430 - java expects so files installed
# The unversioned .so would normally live in -devel; it stays in the main
# package because Java expects the unversioned name (bnc#622430, see also
# libtcnative-1-0.changes). rpmlint is silenced via tomcat6-rpmlintrc.
%{_libdir}/%{libname}.so
%doc jni/native/README
%files devel
%defattr(-,root,root)
%{_includedir}/*
%{_libdir}/pkgconfig/*.pc
%changelog
++++++ tomcat6.spec ++++++
++++ 636 lines (skipped)
++++++ README.SUSE.in ++++++
Slowloris DoS attack (CVE-2012-5568)
====================================
Your Tomcat installation can be affected by the Slowloris [1] attack if it is
exposed on port 80 with the default connection timeout settings. This kind of
attack opens a large number of connections and holds them open for a long time
by sending a few bytes just before the timeout expires. The Tomcat default is 60
seconds, which, since every open connection ties up a request-handling thread
for that long, makes it very vulnerable to this kind of attack.
The default Tomcat installation on a SUSE system uses the following connectionTimeout settings:
20000 (20s) for port 8080 protocol HTTP/1.1
60000 (60s) for port 8009 protocol AJP/1.3
Ports 8080 and 8009 are usually not exposed to the public Internet, so a default
installation is not reachable by this attack from outside; note that any client
that can reach those ports (for example on an internal network) can still mount
it. If your Tomcat is configured to listen on the standard ports 80 (HTTP) or
443 (HTTPS), or is otherwise reachable by untrusted clients, it is highly
recommended to lower the default timeout settings.
For details about the connectionTimeout and keepAliveTimeout attributes, consult
the online documentation [2] or the local copy in
/srv/tomcat/webapps/docs/config/http.html shipped in the @@NAME@@-doc-webbapps package.
[1] http://en.wikipedia.org/wiki/Slowloris
[2] http://tomcat.apache.org/tomcat-@@MAJOR@@.@@MINOR@@-doc/config/http.html
Your SUSE team
++++++ apache-tomcat-CVE-2011-3375.patch ++++++
Index: apache-tomcat-6.0.33-src/java/org/apache/coyote/http11/Http11Processor.java
===================================================================
--- apache-tomcat-6.0.33-src.orig/java/org/apache/coyote/http11/Http11Processor.java 2011-08-16 14:26:14.000000000 +0200
+++ apache-tomcat-6.0.33-src/java/org/apache/coyote/http11/Http11Processor.java 2012-02-06 13:56:30.852513375 +0100
@@ -893,7 +893,7 @@
log.error(sm.getString("http11processor.request.finish"), t);
// 500 - Internal Server Error
response.setStatus(500);
- adapter.log(request, response, 0);
+ // No access logging since after service method
error = true;
}
try {
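Review bot: The replacement comment `// No access logging since after service method` is terser and less precise than the wording the sibling APR and NIO processors receive in this same patch; use the same two-line text here, `// Can't add a 500 to the access log since that has already been` / `// written in the Adapter.service method.`, so the three processors stay consistent and greppable together. The surrounding process() method begins and ends outside this hunk.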
@@ -1201,7 +1201,6 @@
" Unsupported HTTP version \""+protocolMB+"\"");
}
response.setStatus(505);
- adapter.log(request, response, 0);
}
MessageBytes methodMB = request.method();
@@ -1299,7 +1298,6 @@
error = true;
// 501 - Unimplemented
response.setStatus(501);
- adapter.log(request, response, 0);
}
startPos = commaPos + 1;
commaPos = transferEncodingValue.indexOf(',', startPos);
@@ -1315,7 +1313,6 @@
" Unsupported transfer encoding \""+encodingName+"\"");
}
response.setStatus(501);
- adapter.log(request, response, 0);
}
}
@@ -1338,7 +1335,6 @@
" host header missing");
}
response.setStatus(400);
- adapter.log(request, response, 0);
}
parseHost(valueMB);
@@ -1352,6 +1348,9 @@
contentDelimitation = true;
}
+ if (error) {
+ adapter.log(request, response, 0);
+ }
}
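Review bot: The single `adapter.log(request, response, 0)` added at the end of prepareRequest() records whichever status was set last, so a request that trips several checks (for example an unsupported transfer-encoding and then a malformed Host port, both of which now set `error = true` and fall through) is logged once with the last code only. That is the intended fix for the duplicate entries the changelog hunk describes, but read cold it looks like an oversight; add `// Log once, with the last status set above: a request with several` / `// parse errors must produce a single access-log entry (CVE-2011-3375).` above the new `if`. prepareRequest() starts outside this hunk.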
@@ -1418,7 +1417,6 @@
error = true;
// 400 - Bad request
response.setStatus(400);
- adapter.log(request, response, 0);
break;
}
port = port + (charValue * mult);
Index: apache-tomcat-6.0.33-src/java/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
--- apache-tomcat-6.0.33-src.orig/java/org/apache/coyote/http11/Http11AprProcessor.java 2011-08-16 14:26:14.000000000 +0200
+++ apache-tomcat-6.0.33-src/java/org/apache/coyote/http11/Http11AprProcessor.java 2012-02-06 13:56:30.853513409 +0100
@@ -972,8 +972,9 @@
} catch (Throwable t) {
log.error(sm.getString("http11processor.request.finish"), t);
// 500 - Internal Server Error
+ // Can't add a 500 to the access log since that has already been
+ // written in the Adapter.service method.
response.setStatus(500);
- adapter.log(request, response, 0);
error = true;
}
try {
@@ -1327,7 +1328,6 @@
error = true;
// Send 505; Unsupported HTTP version
response.setStatus(505);
- adapter.log(request, response, 0);
}
MessageBytes methodMB = request.method();
@@ -1425,7 +1425,6 @@
error = true;
// 501 - Unimplemented
response.setStatus(501);
- adapter.log(request, response, 0);
}
startPos = commaPos + 1;
commaPos = transferEncodingValue.indexOf(',', startPos);
@@ -1437,7 +1436,6 @@
error = true;
// 501 - Unimplemented
response.setStatus(501);
- adapter.log(request, response, 0);
}
}
@@ -1456,7 +1454,6 @@
error = true;
// 400 - Bad request
response.setStatus(400);
- adapter.log(request, response, 0);
}
parseHost(valueMB);
@@ -1476,7 +1473,10 @@
}
// Advertise comet support through a request attribute
request.setAttribute("org.apache.tomcat.comet.support", Boolean.TRUE);
-
+
+ if (error) {
+ adapter.log(request, response, 0);
+ }
}
@@ -1539,7 +1539,6 @@
error = true;
// 400 - Bad request
response.setStatus(400);
- adapter.log(request, response, 0);
break;
}
port = port + (charValue * mult);
Index: apache-tomcat-6.0.33-src/java/org/apache/coyote/http11/Http11NioProcessor.java
===================================================================
--- apache-tomcat-6.0.33-src.orig/java/org/apache/coyote/http11/Http11NioProcessor.java 2011-08-16 14:26:14.000000000 +0200
+++ apache-tomcat-6.0.33-src/java/org/apache/coyote/http11/Http11NioProcessor.java 2012-02-06 13:56:30.854513442 +0100
@@ -986,8 +986,9 @@
} catch (Throwable t) {
log.error(sm.getString("http11processor.request.finish"), t);
// 500 - Internal Server Error
+ // Can't add a 500 to the access log since that has already been
+ // written in the Adapter.service method.
response.setStatus(500);
- adapter.log(request, response, 0);
error = true;
}
try {
@@ -1322,7 +1323,6 @@
error = true;
// Send 505; Unsupported HTTP version
response.setStatus(505);
- adapter.log(request, response, 0);
}
MessageBytes methodMB = request.method();
@@ -1420,7 +1420,6 @@
error = true;
// 501 - Unimplemented
response.setStatus(501);
- adapter.log(request, response, 0);
}
startPos = commaPos + 1;
commaPos = transferEncodingValue.indexOf(',', startPos);
@@ -1432,7 +1431,6 @@
error = true;
// 501 - Unimplemented
response.setStatus(501);
- adapter.log(request, response, 0);
}
}
@@ -1451,7 +1449,6 @@
error = true;
// 400 - Bad request
response.setStatus(400);
- adapter.log(request, response, 0);
}
parseHost(valueMB);
@@ -1473,6 +1470,9 @@
// Advertise comet timeout support
request.setAttribute("org.apache.tomcat.comet.timeout.support", Boolean.TRUE);
+ if (error) {
+ adapter.log(request, response, 0);
+ }
}
@@ -1535,7 +1535,6 @@
error = true;
// 400 - Bad request
response.setStatus(400);
- adapter.log(request, response, 0);
break;
}
port = port + (charValue * mult);
Index: apache-tomcat-6.0.33-src/java/org/apache/coyote/ajp/AjpProcessor.java
===================================================================
--- apache-tomcat-6.0.33-src.orig/java/org/apache/coyote/ajp/AjpProcessor.java 2011-08-16 14:26:14.000000000 +0200
+++ apache-tomcat-6.0.33-src/java/org/apache/coyote/ajp/AjpProcessor.java 2012-02-06 13:56:30.854513442 +0100
@@ -443,15 +443,17 @@
}
// Setting up filters, and parse some request headers
- rp.setStage(org.apache.coyote.Constants.STAGE_PREPARE);
- try {
- prepareRequest();
- } catch (Throwable t) {
- log.debug(sm.getString("ajpprocessor.request.prepare"), t);
- // 400 - Internal Server Error
- response.setStatus(400);
- adapter.log(request, response, 0);
- error = true;
+ if (!error) {
+ rp.setStage(org.apache.coyote.Constants.STAGE_PREPARE);
+ try {
+ prepareRequest();
+ } catch (Throwable t) {
+ log.debug(sm.getString("ajpprocessor.request.prepare"), t);
+ // 400 - Internal Server Error
+ response.setStatus(400);
+ adapter.log(request, response, 0);
+ error = true;
+ }
}
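Review bot: The comment `// 400 - Internal Server Error` in the re-indented catch block mislabels the status: 400 is Bad Request, and this catch is reached when prepareRequest() throws on a message it cannot parse. Since these lines are rewritten anyway, correct it to `// 400 - Bad Request: the AJP request could not be prepared`; the same comment recurs in the AjpAprProcessor hunk below. Keeping `adapter.log()` inside the catch does not reintroduce double logging, because the only remaining log call inside prepareRequest() is its final statement, so a throw and that call cannot both happen for one request. process() continues outside this hunk.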
// Process the request in the adapter
@@ -842,7 +844,6 @@
secret = true;
if (!tmpMB.equals(requiredSecret)) {
response.setStatus(403);
- adapter.log(request, response, 0);
error = true;
}
}
@@ -859,7 +860,6 @@
// Check if secret was submitted if required
if ((requiredSecret != null) && !secret) {
response.setStatus(403);
- adapter.log(request, response, 0);
error = true;
}
@@ -893,6 +893,9 @@
MessageBytes valueMB = request.getMimeHeaders().getValue("host");
parseHost(valueMB);
+ if (error) {
+ adapter.log(request, response, 0);
+ }
}
@@ -908,7 +911,6 @@
request.serverName().duplicate(request.localName());
} catch (IOException e) {
response.setStatus(400);
- adapter.log(request, response, 0);
error = true;
}
return;
@@ -960,7 +962,6 @@
error = true;
// 400 - Bad request
response.setStatus(400);
- adapter.log(request, response, 0);
break;
}
port = port + (charValue * mult);
Index: apache-tomcat-6.0.33-src/java/org/apache/coyote/ajp/AjpAprProcessor.java
===================================================================
--- apache-tomcat-6.0.33-src.orig/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-08-16 14:26:14.000000000 +0200
+++ apache-tomcat-6.0.33-src/java/org/apache/coyote/ajp/AjpAprProcessor.java 2012-02-06 13:56:30.855513476 +0100
@@ -426,15 +426,17 @@
}
// Setting up filters, and parse some request headers
- rp.setStage(org.apache.coyote.Constants.STAGE_PREPARE);
- try {
- prepareRequest();
- } catch (Throwable t) {
- log.debug(sm.getString("ajpprocessor.request.prepare"), t);
- // 400 - Internal Server Error
- response.setStatus(400);
- adapter.log(request, response, 0);
- error = true;
+ if (!error) {
+ rp.setStage(org.apache.coyote.Constants.STAGE_PREPARE);
+ try {
+ prepareRequest();
+ } catch (Throwable t) {
+ log.debug(sm.getString("ajpprocessor.request.prepare"), t);
+ // 400 - Internal Server Error
+ response.setStatus(400);
+ adapter.log(request, response, 0);
+ error = true;
+ }
}
// Process the request in the adapter
@@ -837,7 +839,6 @@
secret = true;
if (!tmpMB.equals(requiredSecret)) {
response.setStatus(403);
- adapter.log(request, response, 0);
error = true;
}
}
@@ -854,7 +855,6 @@
// Check if secret was submitted if required
if ((requiredSecret != null) && !secret) {
response.setStatus(403);
- adapter.log(request, response, 0);
error = true;
}
@@ -888,6 +888,9 @@
MessageBytes valueMB = request.getMimeHeaders().getValue("host");
parseHost(valueMB);
+ if (error) {
+ adapter.log(request, response, 0);
+ }
}
@@ -903,7 +906,6 @@
request.serverName().duplicate(request.localName());
} catch (IOException e) {
response.setStatus(400);
- adapter.log(request, response, 0);
error = true;
}
return;
@@ -955,7 +957,6 @@
error = true;
// 400 - Bad request
response.setStatus(400);
- adapter.log(request, response, 0);
break;
}
port = port + (charValue * mult);
Index: apache-tomcat-6.0.33-src/java/org/apache/catalina/connector/CoyoteAdapter.java
===================================================================
--- apache-tomcat-6.0.33-src.orig/java/org/apache/catalina/connector/CoyoteAdapter.java 2011-08-16 14:26:14.000000000 +0200
+++ apache-tomcat-6.0.33-src/java/org/apache/catalina/connector/CoyoteAdapter.java 2012-02-06 13:56:30.855513476 +0100
@@ -24,6 +24,7 @@
import org.apache.catalina.CometEvent;
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
+import org.apache.catalina.Host;
import org.apache.catalina.Wrapper;
import org.apache.catalina.util.StringManager;
import org.apache.catalina.util.ServerInfo;
@@ -32,6 +33,7 @@
import org.apache.coyote.Adapter;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.buf.B2CConverter;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.CharChunk;
@@ -342,10 +344,8 @@
Request request = (Request) req.getNote(ADAPTER_NOTES);
Response response = (Response) res.getNote(ADAPTER_NOTES);
- boolean create = false;
if (request == null) {
- create = true;
// Create objects
request = connector.createRequest();
request.setCoyoteRequest(req);
@@ -365,10 +365,29 @@
(connector.getURIEncoding());
}
- connector.getService().getContainer().logAccess(
- request, response, time, true);
-
- if (create) {
+ try {
+ // Log at the lowest level available. logAccess() will be
+ // automatically called on parent containers.
+ boolean logged = false;
+ if (request.mappingData != null) {
+ if (request.mappingData.context != null) {
+ logged = true;
+ ((Context) request.mappingData.context).logAccess(
+ request, response, time, true);
+ } else if (request.mappingData.host != null) {
+ logged = true;
+ ((Host) request.mappingData.host).logAccess(
+ request, response, time, true);
+ }
+ }
+ if (!logged) {
+ connector.getService().getContainer().logAccess(
+ request, response, time, true);
+ }
+ } catch (Throwable t) {
+ ExceptionUtils.handleThrowable(t);
+ log.warn(sm.getString("coyoteAdapter.accesslogFail"), t);
+ } finally {
request.recycle();
response.recycle();
}
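Review bot: The new catch block uses `sm.getString("coyoteAdapter.accesslogFail")` and `ExceptionUtils.handleThrowable(t)`, but this patch touches only Java sources and changelog.xml, so neither the LocalStrings.properties key nor the presence of org.apache.tomcat.util.ExceptionUtils in the 6.0.33 tree is shown; a missing key degrades the warning text and a missing class breaks the build, so confirm both against upstream r1206324. The `finally` now recycles the Request/Response unconditionally, where the old code recycled only freshly created ones; per the changelog entry this is what made the access log carry a wrong remote IP, and it deserves a comment where it happens, e.g. `// Always recycle: a stale Request reused from ADAPTER_NOTES is what` / `// put a previous client's remote address in the log (CVE-2011-3375).`.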
Index: apache-tomcat-6.0.33-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-6.0.33-src.orig/webapps/docs/changelog.xml 2012-02-06 13:56:30.837512868 +0100
+++ apache-tomcat-6.0.33-src/webapps/docs/changelog.xml 2012-02-06 13:56:30.857513544 +0100
@@ -606,6 +606,12 @@
application's class loader such as the Jasper class loader.
Patch provided by Sylvain Laurent. (kkolinko)
</add>
+ <fix>
+ <bug>51872</bug>: Ensure that the access log always uses the correct
+ value for the remote IP address associated with the request and that
+ requests with multiple errors do not result in multiple entries in
+ the access log. (markt)
+ </fix>
<add>
<bug>48973</bug>: Avoid creating a SESSIONS.ser file when stopping an
application if there's no session. Patch provided by Marc Guillemot.
++++++ apache-tomcat-CVE-2012-2733.patch ++++++
Index: apache-tomcat-6.0.18-src/java/org/apache/coyote/http11/InternalNioInputBuffer.java
===================================================================
--- apache-tomcat-6.0.18-src/java/org/apache/coyote/http11/InternalNioInputBuffer.java.orig 2012-11-23 13:42:23.374817672 +0100
+++ apache-tomcat-6.0.18-src/java/org/apache/coyote/http11/InternalNioInputBuffer.java 2012-11-23 13:44:46.632831595 +0100
@@ -663,10 +663,6 @@
do {
status = parseHeader();
- } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS );
- if (status == HeaderParseStatus.DONE) {
- parsingHeader = false;
- end = pos;
// Checking that
// (1) Headers plus request line size does not exceed its limit
// (2) There are enough bytes to avoid expanding the buffer when
@@ -675,11 +671,15 @@
// limitation to enforce the meaning of headerBufferSize
// From the way how buf is allocated and how blank lines are being
// read, it should be enough to check (1) only.
- if (end - skipBlankLinesBytes > headerBufferSize
- || buf.length - end < socketReadBufferSize) {
+ if (pos - skipBlankLinesBytes > headerBufferSize
+ || buf.length - pos < socketReadBufferSize) {
throw new IllegalArgumentException(
sm.getString("iib.requestheadertoolarge.error"));
}
+ } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS );
+ if (status == HeaderParseStatus.DONE) {
+ parsingHeader = false;
+ end = pos;
return true;
} else {
return false;
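Review bot: The limit check moved inside the loop now runs after every `parseHeader()` call, including any non-DONE return, but the comment above it still reads as if it described the completed header block ("reading next request"). State the intent where the check now lives: `// Checked after every header, not once at the end, so an oversized header` / `// set is rejected before it is fully buffered (CVE-2012-2733).` The `end = pos` assignment is still reached only on DONE, which preserves the old behaviour. parseHeaders() starts outside this hunk.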
++++++ apache-tomcat-CVE-2012-3546.patch ++++++
Index: apache-tomcat-6.0.18-src/java/org/apache/catalina/realm/RealmBase.java
===================================================================
--- apache-tomcat-6.0.18-src/java/org/apache/catalina/realm/RealmBase.java (revision 1381034)
+++ apache-tomcat-6.0.18-src/java/org/apache/catalina/realm/RealmBase.java (revision 1381035)
@@ -45,7 +45,6 @@
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.core.ContainerBase;
-import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.deploy.SecurityCollection;
import org.apache.catalina.util.HexUtils;
@@ -766,31 +765,6 @@
if (constraints == null || constraints.length == 0)
return (true);
- // Specifically allow access to the form login and form error pages
- // and the "j_security_check" action
- LoginConfig config = context.getLoginConfig();
- if ((config != null) &&
- (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
- String requestURI = request.getRequestPathMB().toString();
- String loginPage = config.getLoginPage();
- if (loginPage.equals(requestURI)) {
- if (log.isDebugEnabled())
- log.debug(" Allow access to login page " + loginPage);
- return (true);
- }
- String errorPage = config.getErrorPage();
- if (errorPage.equals(requestURI)) {
- if (log.isDebugEnabled())
- log.debug(" Allow access to error page " + errorPage);
- return (true);
- }
- if (requestURI.endsWith(Constants.FORM_ACTION)) {
- if (log.isDebugEnabled())
- log.debug(" Allow access to username/password submission");
- return (true);
- }
- }
-
// Which user principal have we already authenticated?
Principal principal = request.getPrincipal();
boolean status = false;
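Review bot: With this allow-list gone, the FORM login page, error page and any URI ending in j_security_check are now checked against the security constraints like every other request, so a login page that itself lies under a protected path is presumably reachable only through the FormAuthenticator's internal forward; this patch contains no FormAuthenticator change, so confirm against upstream r1381035 that nothing else was dropped from the backport. Deployments that linked directly to a constrained login or error page relied on the removed exemption and will now be denied, which is the intended effect of CVE-2012-3546 but is worth a line in README.SUSE. hasResourcePermission() begins and ends outside this hunk.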
++++++ apache-tomcat-CVE-2012-4431.patch ++++++
Index: apache-tomcat-6.0.18-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java
===================================================================
--- apache-tomcat-6.0.18-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java (revision 1394455)
+++ apache-tomcat-6.0.18-src/java/org/apache/catalina/filters/CsrfPreventionFilter.java (revision 1394456)
@@ -34,6 +34,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpSession;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -154,16 +155,19 @@
}
}
+ HttpSession session = req.getSession(false);
+
@SuppressWarnings("unchecked")
- LruCache<String> nonceCache =
- (LruCache<String>) req.getSession(true).getAttribute(
- Constants.CSRF_NONCE_SESSION_ATTR_NAME);
-
+ LruCache<String> nonceCache = (session == null) ? null
+ : (LruCache<String>) session.getAttribute(
+ Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+
if (!skipNonceCheck) {
String previousNonce =
req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
- if (nonceCache != null && !nonceCache.contains(previousNonce)) {
+ if (nonceCache == null || previousNonce == null ||
+ !nonceCache.contains(previousNonce)) {
res.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
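Review bot: All three new failure conditions in `if (nonceCache == null || previousNonce == null || !nonceCache.contains(previousNonce))` collapse into the same bare `res.sendError(HttpServletResponse.SC_FORBIDDEN)`, which makes a missing `entryPoints` configuration indistinguishable from a genuine forgery attempt when operators debug 403s after this update. A debug-level log before the sendError distinguishing no-session, no-nonce-parameter and unknown-nonce (without printing the nonce value) would help; the file already imports the juli Log/LogFactory classes. The `req.getSession(false)` change is the actual fix: a request arriving without a session can no longer pass simply because `nonceCache` is null, so the entry-point list must cover every URL a user may legitimately reach first. doFilter() continues outside this hunk.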
@@ -174,6 +174,9 @@
if (nonceCache == null) {
nonceCache = new LruCache<String>(nonceCacheSize);
+ if (session == null) {
+ session = req.getSession(true);
+ }
req.getSession().setAttribute(
Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
}
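Review bot: The newly assigned local `session` is not used on the very next line, which still goes through `req.getSession().setAttribute(...)`; that works because a session now certainly exists, but the dead store invites a later edit to drop the `if (session == null)` block as unused. Use the local instead: `session.setAttribute(` / `Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);`. doFilter() continues outside this hunk.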
++++++ apache-tomcat-CVE-2012-5885-CVE-2012-5886-CVE-2012-5887.patch ++++++
Index: apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/DigestAuthenticator.java
===================================================================
--- apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/DigestAuthenticator.java.orig 2012-12-03 15:52:59.286311757 +0100
+++ apache-tomcat-6.0.18-src/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2012-12-03 15:56:10.753095694 +0100
@@ -27,9 +27,9 @@
import java.util.Map;
import java.util.StringTokenizer;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
@@ -80,6 +80,7 @@
public DigestAuthenticator() {
super();
+ setCache(false);
try {
if (md5Helper == null)
md5Helper = MessageDigest.getInstance("MD5");
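Review bot: `setCache(false)` in the constructor is the change for the "authentication caching weakness" (CVE-2012-5886, bnc#791424), but it only establishes a default: the public setter remains, so a `cache="true"` attribute on the Valve presumably still re-enables caching when the configuration is applied after construction. Say so where it is set: `// Do not cache the authenticated Principal in the session for DIGEST` / `// (CVE-2012-5886); an explicit cache="true" in the config still overrides this.`. Separately, the tomcat6.changes entry for these three CVEs names the patch `apache-tomcat-CVE-2009-2693-CVE-2009-2901-CVE-2009-2902.patch`, while the file actually added is `apache-tomcat-CVE-2012-5885-CVE-2012-5886-CVE-2012-5887.patch`. The constructor continues outside this hunk.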
@@ -100,16 +101,16 @@
/**
- * List of client nonce values currently being tracked
+ * List of server nonce values currently being tracked
*/
- protected Map