Hello community,
here is the log from the commit of package tomcat6 for openSUSE:11.4
checked in at Mon Aug 15 18:21:02 CEST 2011.
--------
--- old-versions/11.4/all/tomcat6/tomcat6.changes 2011-02-11 09:31:05.000000000 +0100
+++ 11.4/tomcat6/tomcat6.changes 2011-08-15 13:30:48.000000000 +0200
@@ -1,0 +2,10 @@
+Mon Aug 15 11:30:34 UTC 2011 - mvyskocil@suse.cz
+
+- fix bnc#706404 - VUL-0: tomcat user password information leak (CVE-2011-2204)
+ * http://svn.apache.org/viewvc?view=revision&revision=1140071
+- fix bnc#706382 - VUL-0: tomcat information leak and DoS (CVE-2011-2526)
+ * http://svn.apache.org/viewvc?view=revision&revision=1146703
+- fix bnc#702289 - suse manager pam ldap authentication fails
+ * source CATALINA_HOME/bin/setenv.sh if exists
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.4/all/tomcat6
Destination is old-versions/11.4/UPDATES/all/tomcat6
calling whatdependson for 11.4-i586
New:
----
apache-tomcat-CVE-2011-2204.patch
apache-tomcat-CVE-2011-2526.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libtcnative-1-0.spec ++++++
--- /var/tmp/diff_new_pack.3qY0yW/_old 2011-08-15 18:20:46.000000000 +0200
+++ /var/tmp/diff_new_pack.3qY0yW/_new 2011-08-15 18:20:46.000000000 +0200
@@ -29,7 +29,7 @@
Name: libtcnative-1-0
Version: %{major}.%{minor}.%{micro}
-Release: 11
+Release: 11.<RELEASE2>
Summary: JNI wrappers for Apache Portable Runtime for Tomcat
Group: Productivity/Networking/Web/Servers
License: Apache Software License ..
++++++ tomcat6.spec ++++++
--- /var/tmp/diff_new_pack.3qY0yW/_old 2011-08-15 18:20:46.000000000 +0200
+++ /var/tmp/diff_new_pack.3qY0yW/_new 2011-08-15 18:20:46.000000000 +0200
@@ -41,7 +41,7 @@
Name: tomcat6
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 1
+Release: 7.<RELEASE8>
Summary: Apache Servlet/JSP Engine, RI for Servlet 2.5/JSP 2.1 API
Group: Productivity/Networking/Web/Servers
License: Apache Software License ..
@@ -64,6 +64,10 @@
Patch0: %{name}-%{major_version}.%{minor_version}.bootstrap-MANIFEST.MF.patch
#PATCH-FIX-UPSTREAM: from jpackage.org package
Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
+#PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1140071
+Patch2: apache-tomcat-CVE-2011-2204.patch
+#PATCH-FIX-UPSTREAM: http://svn.apache.org/viewvc?view=revision&revision=1146703
+Patch3: apache-tomcat-CVE-2011-2526.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
BuildRequires: ant
@@ -220,6 +224,8 @@
-name "*.jar" -o -name "*.war" -o -name "*.zip" \) | xargs -t %{__rm}
%patch0 -p1
%patch1 -p0
+%patch2 -p1 -b .CVE-2011-2204
+%patch3 -p1 -b .CVE-2011-2526
%build
export CLASSPATH=
++++++ apache-tomcat-CVE-2011-2204.patch ++++++
Index: apache-tomcat-6.0.32-src/java/org/apache/catalina/users/MemoryUser.java
===================================================================
--- apache-tomcat-6.0.32-src/java/org/apache/catalina/users/MemoryUser.java (revision 1140070)
+++ apache-tomcat-6.0.32-src/java/org/apache/catalina/users/MemoryUser.java (revision 1140071)
@@ -246,7 +246,7 @@
* <code>username</code> or </code>name</code> for the username
* property.</p>
*/
- public String toString() {
+ public String toXml() {
StringBuffer sb = new StringBuffer(" 0) {
+ sb.append(", groups=\"");
+ int n = 0;
+ Iterator<Group> values = groups.iterator();
+ while (values.hasNext()) {
+ if (n > 0) {
+ sb.append(',');
+ }
+ n++;
+ sb.append(RequestUtil.filter(values.next().getGroupname()));
+ }
+ sb.append("\"");
+ }
+ }
+ synchronized (roles) {
+ if (roles.size() > 0) {
+ sb.append(", roles=\"");
+ int n = 0;
+ Iterator<Role> values = roles.iterator();
+ while (values.hasNext()) {
+ if (n > 0) {
+ sb.append(',');
+ }
+ n++;
+ sb.append(RequestUtil.filter(values.next().getRolename()));
+ }
+ sb.append("\"");
+ }
+ }
+ return (sb.toString());
+ }
+
+
}
Index: apache-tomcat-6.0.32-src/java/org/apache/catalina/users/MemoryUserDatabase.java
===================================================================
--- apache-tomcat-6.0.32-src/java/org/apache/catalina/users/MemoryUserDatabase.java (revision 1140070)
+++ apache-tomcat-6.0.32-src/java/org/apache/catalina/users/MemoryUserDatabase.java (revision 1140071)
@@ -549,7 +549,7 @@
values = getUsers();
while (values.hasNext()) {
writer.print(" ");
- writer.println(values.next());
+ writer.println(((MemoryUser) values.next()).toXml());
}
// Print the file epilog
Index: apache-tomcat-6.0.32-src/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java
===================================================================
--- apache-tomcat-6.0.32-src/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java (revision 1140070)
+++ apache-tomcat-6.0.32-src/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java (revision 1140071)
@@ -180,7 +180,7 @@
MBeanUtils.createMBean(group);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating group " + group + " MBean");
+ ("Exception creating group [" + groupname + "] MBean");
iae.initCause(e);
throw iae;
}
@@ -203,7 +203,7 @@
MBeanUtils.createMBean(role);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating role " + role + " MBean");
+ ("Exception creating role [" + rolename + "] MBean");
iae.initCause(e);
throw iae;
}
@@ -228,7 +228,7 @@
MBeanUtils.createMBean(user);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating user " + user + " MBean");
+ ("Exception creating user [" + username + "] MBean");
iae.initCause(e);
throw iae;
}
@@ -256,7 +256,7 @@
return (oname.toString());
} catch (MalformedObjectNameException e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for group " + group);
+ ("Cannot create object name for group [" + groupname + "]");
iae.initCause(e);
throw iae;
}
@@ -283,7 +283,7 @@
return (oname.toString());
} catch (MalformedObjectNameException e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for role " + role);
+ ("Cannot create object name for role [" + rolename + "]");
iae.initCause(e);
throw iae;
}
@@ -310,7 +310,7 @@
return (oname.toString());
} catch (MalformedObjectNameException e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for user " + user);
+ ("Cannot create object name for user [" + username + "]");
iae.initCause(e);
throw iae;
}
@@ -335,7 +335,7 @@
database.removeGroup(group);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying group " + group + " MBean");
+ ("Exception destroying group [" + groupname + "] MBean");
iae.initCause(e);
throw iae;
}
@@ -360,7 +360,7 @@
database.removeRole(role);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying role " + role + " MBean");
+ ("Exception destroying role [" + rolename + "] MBean");
iae.initCause(e);
throw iae;
}
@@ -385,7 +385,7 @@
database.removeUser(user);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying user " + user + " MBean");
+ ("Exception destroying user [" + username + "] MBean");
iae.initCause(e);
throw iae;
}
++++++ apache-tomcat-CVE-2011-2526.patch ++++++
Index: apache-tomcat-6.0.32-src/java/org/apache/coyote/http11/LocalStrings.properties
===================================================================
--- apache-tomcat-6.0.32-src.orig/java/org/apache/coyote/http11/LocalStrings.properties 2011-02-02 20:07:32.000000000 +0100
+++ apache-tomcat-6.0.32-src/java/org/apache/coyote/http11/LocalStrings.properties 2011-07-25 14:31:03.470335065 +0200
@@ -56,6 +56,7 @@
http11processor.socket.info=Exception getting socket information
http11processor.socket.ssl=Exception getting SSL attributes
http11processor.socket.timeout=Error setting socket timeout
+http11processor.sendfile.error=Error sending data using sendfile. May be caused by invalid request attributes for start/end points
#
# InternalInputBuffer
Index: apache-tomcat-6.0.32-src/java/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
--- apache-tomcat-6.0.32-src.orig/java/org/apache/coyote/http11/Http11AprProcessor.java 2011-02-02 20:07:32.000000000 +0100
+++ apache-tomcat-6.0.32-src/java/org/apache/coyote/http11/Http11AprProcessor.java 2011-07-25 14:31:03.471335100 +0200
@@ -910,7 +910,18 @@
sendfileData.socket = socket;
sendfileData.keepAlive = keepAlive;
if (!endpoint.getSendfile().add(sendfileData)) {
- openSocket = true;
+ if (sendfileData.socket == 0) {
+ // Didn't send all the data but the socket is no longer
+ // set. Something went wrong. Close the connection.
+ // Too late to set status code.
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString(
+ "http11processor.sendfile.error"));
+ }
+ error = true;
+ } else {
+ openSocket = true;
+ }
break;
}
}
Index: apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/net/AprEndpoint.java
===================================================================
--- apache-tomcat-6.0.32-src.orig/java/org/apache/tomcat/util/net/AprEndpoint.java 2011-02-02 20:07:33.000000000 +0100
+++ apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/net/AprEndpoint.java 2011-07-25 14:31:36.972496803 +0200
@@ -1812,7 +1812,9 @@
data.pos, data.end - data.pos, 0);
if (nw < 0) {
if (!(-nw == Status.EAGAIN)) {
- destroySocket(data.socket);
+ Pool.destroy(data.fdpool);
+ // No need to close socket, this will be done by
+ // calling code since data.socket == 0
data.socket = 0;
return false;
} else {
Index: apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/net/NioEndpoint.java
===================================================================
--- apache-tomcat-6.0.32-src.orig/java/org/apache/tomcat/util/net/NioEndpoint.java 2011-02-02 20:07:33.000000000 +0100
+++ apache-tomcat-6.0.32-src/java/org/apache/tomcat/util/net/NioEndpoint.java 2011-07-25 14:31:03.474335203 +0200
@@ -1734,6 +1734,13 @@
sd.pos += written;
sd.length -= written;
attachment.access();
+ } else {
+ // Unusual not to be able to transfer any bytes
+ // Check the length was set correctly
+ if (sd.fchannel.size() <= sd.pos) {
+ throw new IOException("Sendfile configured to " +
+ "send more data than was available");
+ }
}
}
if ( sd.length <= 0 && sc.getOutboundRemaining()<=0) {
@@ -1758,6 +1765,7 @@
log.debug("Send file connection is being closed");
}
cancelledKey(sk,SocketStatus.STOP,false);
+ return false;
}
} else if ( attachment.interestOps() == 0 && reg ) {
if (log.isDebugEnabled()) {
Index: apache-tomcat-6.0.32-src/java/org/apache/catalina/servlets/DefaultServlet.java
===================================================================
--- apache-tomcat-6.0.32-src.orig/java/org/apache/catalina/servlets/DefaultServlet.java 2011-02-02 20:07:32.000000000 +0100
+++ apache-tomcat-6.0.32-src/java/org/apache/catalina/servlets/DefaultServlet.java 2011-07-25 14:31:03.475335237 +0200
@@ -1619,7 +1619,6 @@
request.setAttribute("org.apache.tomcat.sendfile.start", new Long(range.start));
request.setAttribute("org.apache.tomcat.sendfile.end", new Long(range.end + 1));
}
- request.setAttribute("org.apache.tomcat.sendfile.token", this);
return true;
} else {
return false;
Index: apache-tomcat-6.0.32-src/java/org/apache/catalina/connector/LocalStrings.properties
===================================================================
--- apache-tomcat-6.0.32-src.orig/java/org/apache/catalina/connector/LocalStrings.properties 2011-02-02 20:07:31.000000000 +0100
+++ apache-tomcat-6.0.32-src/java/org/apache/catalina/connector/LocalStrings.properties 2011-07-25 14:32:01.120334174 +0200
@@ -62,6 +62,7 @@
coyoteRequest.postTooLarge=Parameters were not parsed because the size of the posted data was too big. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
coyoteRequest.chunkedPostTooLarge=Parameters were not parsed because the size of the posted data was too big. Because this request was a chunked request, it could not be processed further. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
coyoteRequest.sessionEndAccessFail=Exception triggered ending access to session while recycling request
+coyoteRequest.sendfileNotCanonical=Unable to determine canonical name of file [{0}] specified for use with sendfile
requestFacade.nullRequest=The request object has been recycled and is no longer associated with this facade
Index: apache-tomcat-6.0.32-src/java/org/apache/catalina/connector/Request.java
===================================================================
--- apache-tomcat-6.0.32-src.orig/java/org/apache/catalina/connector/Request.java 2011-02-02 20:07:31.000000000 +0100
+++ apache-tomcat-6.0.32-src/java/org/apache/catalina/connector/Request.java 2011-07-25 14:31:03.477335307 +0200
@@ -19,6 +19,7 @@
package org.apache.catalina.connector;
+import java.io.File;
import java.io.InputStream;
import java.io.IOException;
import java.io.BufferedReader;
@@ -1455,6 +1456,26 @@
return;
}
+ // Do the security check before any updates are made
+ if (Globals.IS_SECURITY_ENABLED &&
+ name.equals("org.apache.tomcat.sendfile.filename")) {
+ // Use the canonical file name to avoid any possible symlink and
+ // relative path issues
+ String canonicalPath;
+ try {
+ canonicalPath = new File(value.toString()).getCanonicalPath();
+ } catch (IOException e) {
+ throw new SecurityException(sm.getString(
+ "coyoteRequest.sendfileNotCanonical", value), e);
+ }
+ // Sendfile is performed in Tomcat's security context so need to
+ // check if the web app is permitted to access the file while still
+ // in the web app's security context
+ System.getSecurityManager().checkRead(canonicalPath);
+ // Update the value so the canonical path is used
+ value = canonicalPath;
+ }
+
oldValue = attributes.put(name, value);
if (oldValue != null) {
replaced = true;
++++++ tomcat6-6.0-digest.script ++++++
--- /var/tmp/diff_new_pack.3qY0yW/_old 2011-08-15 18:20:46.000000000 +0200
+++ /var/tmp/diff_new_pack.3qY0yW/_new 2011-08-15 18:20:46.000000000 +0200
@@ -20,6 +20,10 @@
. $TOMCAT_CFG
fi
+if [ -r "$CATALINA_HOME"/bin/setenv.sh ]; then
+ . "$CATALINA_HOME"/bin/setenv.sh
+fi
+
set_javacmd
# CLASSPATH munging
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org