~ubuntu-branches/ubuntu/natty/tomcat6/natty-proposed

Viewing changes to debian/patches/0017-CVE-2011-3190.patch

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2011-09-26 11:27:14 UTC
Revision ID: package-import@ubuntu.com-20110926112714-ngfuvuxfnr5oe2x8

Tags: 6.0.28-10ubuntu2.2

* SECURITY UPDATE: information disclosure via log file
  - debian/patches/0015-CVE-2011-2204.patch: fix logging in
    java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
    java/org/apache/catalina/users/MemoryUserDatabase.java,
    java/org/apache/catalina/users/MemoryUser.java.
  - CVE-2011-2204
* SECURITY UPDATE: file restriction bypass or denial of service via
  untrusted web application.
  - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
    java/org/apache/catalina/connector/LocalStrings.properties,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/LocalStrings.properties,
    java/org/apache/tomcat/util/net/AprEndpoint.java,
    java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2011-2526
* SECURITY UPDATE: AJP request spoofing and authentication bypass
  (LP: #843701)
  - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
    bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
    java/org/apache/coyote/ajp/AjpProcessor.java.
  - CVE-2011-3190
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
  - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java,
    java/org/apache/catalina/authenticator/LocalStrings.properties,
    java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
    java/org/apache/catalina/realm/RealmBase.java,
    webapps/docs/config/valve.xml.
  - CVE-2011-1184

files added:
.pc/0015-CVE-2011-2204.patch

.pc/0015-CVE-2011-2204.patch/java

.pc/0015-CVE-2011-2204.patch/java/org

.pc/0015-CVE-2011-2204.patch/java/org/apache

.pc/0015-CVE-2011-2204.patch/java/org/apache/catalina

.pc/0015-CVE-2011-2204.patch/java/org/apache/catalina/mbeans

.pc/0015-CVE-2011-2204.patch/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java

.pc/0015-CVE-2011-2204.patch/java/org/apache/catalina/users

.pc/0015-CVE-2011-2204.patch/java/org/apache/catalina/users/MemoryUser.java

.pc/0015-CVE-2011-2204.patch/java/org/apache/catalina/users/MemoryUserDatabase.java

.pc/0016-CVE-2011-2526.patch

.pc/0016-CVE-2011-2526.patch/java

.pc/0016-CVE-2011-2526.patch/java/org

.pc/0016-CVE-2011-2526.patch/java/org/apache

.pc/0016-CVE-2011-2526.patch/java/org/apache/catalina

.pc/0016-CVE-2011-2526.patch/java/org/apache/catalina/connector

.pc/0016-CVE-2011-2526.patch/java/org/apache/catalina/connector/LocalStrings.properties

.pc/0016-CVE-2011-2526.patch/java/org/apache/catalina/connector/Request.java

.pc/0016-CVE-2011-2526.patch/java/org/apache/catalina/servlets

.pc/0016-CVE-2011-2526.patch/java/org/apache/catalina/servlets/DefaultServlet.java

.pc/0016-CVE-2011-2526.patch/java/org/apache/coyote

.pc/0016-CVE-2011-2526.patch/java/org/apache/coyote/http11

.pc/0016-CVE-2011-2526.patch/java/org/apache/coyote/http11/Http11AprProcessor.java

.pc/0016-CVE-2011-2526.patch/java/org/apache/coyote/http11/LocalStrings.properties

.pc/0016-CVE-2011-2526.patch/java/org/apache/tomcat

.pc/0016-CVE-2011-2526.patch/java/org/apache/tomcat/util

.pc/0016-CVE-2011-2526.patch/java/org/apache/tomcat/util/net

.pc/0016-CVE-2011-2526.patch/java/org/apache/tomcat/util/net/AprEndpoint.java

.pc/0016-CVE-2011-2526.patch/java/org/apache/tomcat/util/net/NioEndpoint.java

.pc/0017-CVE-2011-3190.patch

.pc/0017-CVE-2011-3190.patch/java

.pc/0017-CVE-2011-3190.patch/java/org

.pc/0017-CVE-2011-3190.patch/java/org/apache

.pc/0017-CVE-2011-3190.patch/java/org/apache/coyote

.pc/0017-CVE-2011-3190.patch/java/org/apache/coyote/ajp

.pc/0017-CVE-2011-3190.patch/java/org/apache/coyote/ajp/AjpAprProcessor.java

.pc/0017-CVE-2011-3190.patch/java/org/apache/coyote/ajp/AjpProcessor.java

.pc/0018-CVE-2011-1184.patch

.pc/0018-CVE-2011-1184.patch/java

.pc/0018-CVE-2011-1184.patch/java/org

.pc/0018-CVE-2011-1184.patch/java/org/apache

.pc/0018-CVE-2011-1184.patch/java/org/apache/catalina

.pc/0018-CVE-2011-1184.patch/java/org/apache/catalina/authenticator

.pc/0018-CVE-2011-1184.patch/java/org/apache/catalina/authenticator/DigestAuthenticator.java

.pc/0018-CVE-2011-1184.patch/java/org/apache/catalina/authenticator/LocalStrings.properties

.pc/0018-CVE-2011-1184.patch/java/org/apache/catalina/authenticator/mbeans-descriptors.xml

.pc/0018-CVE-2011-1184.patch/java/org/apache/catalina/realm

.pc/0018-CVE-2011-1184.patch/java/org/apache/catalina/realm/RealmBase.java

.pc/0018-CVE-2011-1184.patch/webapps

.pc/0018-CVE-2011-1184.patch/webapps/docs

.pc/0018-CVE-2011-1184.patch/webapps/docs/config

.pc/0018-CVE-2011-1184.patch/webapps/docs/config/valve.xml

debian/patches/0015-CVE-2011-2204.patch

debian/patches/0016-CVE-2011-2526.patch

debian/patches/0017-CVE-2011-3190.patch

debian/patches/0018-CVE-2011-1184.patch

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

java/org/apache/catalina/authenticator/DigestAuthenticator.java

java/org/apache/catalina/authenticator/LocalStrings.properties

java/org/apache/catalina/authenticator/mbeans-descriptors.xml

java/org/apache/catalina/connector/LocalStrings.properties

java/org/apache/catalina/connector/Request.java

java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java

java/org/apache/catalina/realm/RealmBase.java

java/org/apache/catalina/servlets/DefaultServlet.java

java/org/apache/catalina/users/MemoryUser.java

java/org/apache/catalina/users/MemoryUserDatabase.java

java/org/apache/coyote/ajp/AjpAprProcessor.java

java/org/apache/coyote/ajp/AjpProcessor.java

java/org/apache/coyote/http11/Http11AprProcessor.java

java/org/apache/coyote/http11/LocalStrings.properties

java/org/apache/tomcat/util/net/AprEndpoint.java

java/org/apache/tomcat/util/net/NioEndpoint.java

webapps/docs/config/valve.xml

Show diffs side-by-side

added added

removed removed

debian/patches/0017-CVE-2011-3190.patch

Description: fix AJP request spoofing and authentication bypass

Origin: upstream, http://svn.apache.org/viewvc?rev=1162959&view=rev

Bug-Ubuntu: https://bugs.launchpad.net/bugs/843701

Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=50189

Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Index: tomcat6-6.0.28/java/org/apache/coyote/ajp/AjpAprProcessor.java

===================================================================

--- tomcat6-6.0.28.orig/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-09-20 10:33:13.541588195 -0400

+++ tomcat6-6.0.28/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-09-20 10:33:38.251588001 -0400

@@ -390,11 +390,13 @@

}

continue;

} else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {

- // Usually the servlet didn't read the previous request body

- if(log.isDebugEnabled()) {

- log.debug("Unexpected message: "+type);

+ // Unexpected packet type. Unread body packets should have

+ // been swallowed in finish().

+ if (log.isDebugEnabled()) {

+ log.debug("Unexpected message: " + type);

}

- continue;

+ error = true;

+ break;

}

keptAlive = true;

@@ -1026,6 +1028,11 @@

finished = true;

+ // Swallow the unread body packet if present

+ if (first && request.getContentLengthLong() > 0) {

+ receive();

+ }

// Add the end message

if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {

flush();

Index: tomcat6-6.0.28/java/org/apache/coyote/ajp/AjpProcessor.java