debian/changelog

+tomcat8 (8.5.14-1+deb9u3) stretch-security; urgency=high
+
+  [ Emmanuel Bourg ]
+  * Fixed CVE-2018-1304: Security constraints mapped to context root are
+    ignored. The URL pattern of "" (the empty string) which exactly maps to the
+    context root was not correctly handled when used as part of a security
+    constraint definition. This caused the constraint to be ignored. It was,
+    therefore, possible for unauthorised users to gain access to web
+    application resources that should have been protected. Only security
+    constraints with a URL pattern of the empty string were affected.
+  * Fixed CVE-2018-1305: Security constraint annotations applied too late.
+    Security constraints defined by annotations of Servlets were only applied
+    once a Servlet had been loaded. Because security constraints defined in
+    this way apply to the URL pattern and any URLs below that point, it was
+    possible - depending on the order Servlets were loaded - for some security
+    constraints not to be applied. This could have exposed resources to users
+    who were not authorised to access them.
+  * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use
+    the specification jars from libtomcat8-java instead of libservlet3.1-java
+    (Closes: #867247)
+
+  [ Markus Koschany ]
+  * Fix CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder
+    with supplementary characters can lead to an infinite loop in the decoder
+    causing a Denial of Service.
+  * Fix CVE-2018-8034: The host name verification when using TLS with the
+    WebSocket client was missing. It is now enabled by default.
+  * Fix CVE-2018-8037: If an async request was completed by the application at
+    the same time as the container triggered the async timeout, a race condition
+    existed that could result in a user seeing a response intended for a
+    different user. An additional issue was present in the NIO and NIO2
+    connectors that did not correctly track the closure of the connection when an
+    async request was completed by the application and timed out by the container
+    at the same time. This could also result in a user seeing a response intended
+    for another user.
+
+ -- Markus Koschany <apo@debian.org>  Fri, 24 Aug 2018 21:44:12 +0200
+
 tomcat8 (8.5.14-1+deb9u2) stretch-security; urgency=high
 
   * Team upload.

debian/libtomcat8-java.manifest

@@ -19,7 +19,7 @@ usr/share/java/tomcat8-jasper.jar:
  Export-Package: org.apache.jasper;version="8.0.0";uses:="javax.servlet,javax.servlet.jsp.tagext,org.apache.jasper.compiler,org.apache.jasper.servlet,org.apache.tools.ant",org.apache.jasper.compiler;version="8.0.0";uses:="javax.el,javax.servlet,javax.servlet.jsp.tagext,javax.xml.parsers,org.apache.jasper,org.apache.jasper.compiler.tagplugin,org.apache.jasper.servlet,org.apache.jasper.util,org.apache.jasper.xmlparser,org.apache.juli.logging,org.apache.tomcat,org.apache.tools.ant,org.eclipse.jdt.internal.compiler,org.eclipse.jdt.internal.compiler.env,org.xml.sax,org.xml.sax.ext,org.xml.sax.helpers",org.apache.jasper.compiler.tagplugin;version="8.0.0",org.apache.jasper.el;version="8.0.0";uses:="javax.el,javax.servlet.jsp.el",org.apache.jasper.resources;version="8.0.0",org.apache.jasper.runtime;version="8.0.0";uses:="javax.el,javax.servlet,javax.servlet.http,javax.servlet.jsp,javax.servlet.jsp.el,javax.servlet.jsp.tagext,org.apache.jasper,org.apache.jasper.el,org.apache.tomcat",org.apache.jasper.security;version="8.0.0",org.apache.jasper.servlet;version="8.0.0";uses:="javax.servlet,javax.servlet.descriptor,javax.servlet.http,javax.servlet.jsp.tagext,org.apache.jasper,org.apache.jasper.compiler,org.apache.jasper.util,org.apache.tomcat",org.apache.jasper.tagplugins.jstl;version="8.0.0";uses:="javax.servlet,javax.servlet.http,javax.servlet.jsp",org.apache.jasper.tagplugins.jstl.core;version="8.0.0";uses:="org.apache.jasper.compiler.tagplugin",org.apache.jasper.util;version="8.0.0";uses:="org.xml.sax,org.xml.sax.helpers",org.apache.jasper.xmlparser;version="8.0.0";uses:="org.apache.jasper,org.apache.jasper.compiler,org.w3c.dom,org.xml.sax"
  Import-Package: javax.el;version="[1.0.0, 3.1.0)",javax.servlet;version="[2.6.0, 4.0.0)",javax.servlet.descriptor;version="[2.6.0, 4.0.0)",javax.servlet.http;version="[2.6.0, 4.0.0)",javax.servlet.jsp;version="[2.2.0, 3.0.0)",javax.servlet.jsp.el;version="[2.2.0, 3.0.0)",javax.servlet.jsp.resources;version="[2.2.0, 3.0.0)",javax.servlet.jsp.tagext;version="[2.2.0, 3.0.0)",javax.servlet.resources;version="[2.6.0, 4.0.0)",javax.xml.parsers;version="0",org.apache.el;version="[8.0.0, 8.0.0]",org.apache.el.lang;version="[8.0.0, 8.0.0]",org.apache.juli.logging;version="[8.0.0, 8.0.0]",org.apache.tomcat;version="[8.0.0, 8.0.0]",org.apache.tomcat.util.scan;version="[8.0.0, 8.0.0]",org.apache.tools.ant;version="[1.7.0, 2.0.0)";resolution:="optional",org.apache.tools.ant.taskdefs;version="[1.7.0, 2.0.0)";resolution:="optional",org.apache.tools.ant.types;version="[1.7.0, 2.0.0)";resolution:="optional",org.apache.tools.ant.util;version="[1.7.0, 2.0.0)";resolution:="optional",org.eclipse.jdt.core.compiler;version="0",org.eclipse.jdt.internal.compiler;version="0",org.eclipse.jdt.internal.compiler.classfmt;version="0",org.eclipse.jdt.internal.compiler.env;version="0",org.eclipse.jdt.internal.compiler.impl;version="0",org.eclipse.jdt.internal.compiler.problem;version="0",org.w3c.dom;version="0",org.xml.sax;version="0",org.xml.sax.ext;version="0",org.xml.sax.helpers;version="0"
  Unversioned-Imports: javax.xml.parsers.*,org.w3c.dom.*,org.xml.sax.*
- Class-Path: ecj.jar el-api-3.0.jar servlet-api-3.1.jar jsp-api-2.3.jar
+ Class-Path: ecj.jar tomcat8-el-api.jar tomcat8-servlet-api.jar tomcat8-jsp-api.jar
 
 usr/share/java/tomcat8-juli.jar:
  Bundle-ManifestVersion: 2

debian/patches/CVE-2018-1304.patch

+Description: CVE-2018-1304: The URL pattern of "" (the empty string) which
+ exactly maps to the context root was not correctly handled when used as part
+ of a security constraint definition. This caused the constraint to be ignored.
+ It was, therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.
+Origin: backport, http://svn.apache.org/r1823307
+--- a/java/org/apache/catalina/realm/RealmBase.java
++++ b/java/org/apache/catalina/realm/RealmBase.java
+@@ -550,9 +550,9 @@
+
+         // Check each defined security constraint
+         String uri = request.getRequestPathMB().toString();
+-        // Bug47080 - in rare cases this may be null
++        // Bug47080 - in rare cases this may be null or ""
+         // Mapper treats as '/' do the same to prevent NPE
+-        if (uri == null) {
++        if (uri == null || uri.length() == 0) {
+             uri = "/";
+         }
+
+@@ -584,7 +584,8 @@
+                 }
+
+                 for(int k=0; k < patterns.length; k++) {
+-                    if(uri.equals(patterns[k])) {
++                    // Exact match including special case for the context root.
++                    if(uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")) {
+                         found = true;
+                         if(collection[j].findMethod(method)) {
+                             if(results == null) {

debian/patches/CVE-2018-1305.patch

+Description: CVE-2018-1305: Process all ServletSecurity annotations at web
+ application start rather than at servlet load time to ensure constraints
+ are applied consistently.
+Origin: backport, https://svn.apache.org/r1823314
+                  https://svn.apache.org/r1824358
+--- a/java/org/apache/catalina/Wrapper.java
++++ b/java/org/apache/catalina/Wrapper.java
+@@ -368,21 +368,23 @@
+     public void setEnabled(boolean enabled);
+
+     /**
+-     * Set the flag that indicates
+-     * {@link javax.servlet.annotation.ServletSecurity} annotations must be
+-     * scanned when the Servlet is first used.
++     * This method is no longer used. All implementations should be NO-OPs.
+      *
+-     * @param b The new value of the flag
++     * @param b Unused.
++     *
++     * @deprecated This will be removed in Tomcat 9.
+      */
++    @Deprecated
+     public void setServletSecurityAnnotationScanRequired(boolean b);
+
+     /**
+-     * Scan for (if necessary) and process (if found) the
+-     * {@link javax.servlet.annotation.ServletSecurity} annotations for the
+-     * Servlet associated with this wrapper.
++     * This method is no longer used. All implementations should be NO-OPs.
++     *
++     * @throws ServletException Never thrown
+      *
+-     * @throws ServletException if an annotation scanning error occurs
++     * @deprecated This will be removed in Tomcat 9.
+      */
++    @Deprecated
+     public void servletSecurityAnnotationScan() throws ServletException;
+
+     /**
+--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
++++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+@@ -52,7 +52,6 @@
+ import org.apache.catalina.Session;
+ import org.apache.catalina.TomcatPrincipal;
+ import org.apache.catalina.Valve;
+-import org.apache.catalina.Wrapper;
+ import org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl;
+ import org.apache.catalina.authenticator.jaspic.MessageInfoImpl;
+ import org.apache.catalina.connector.Request;
+@@ -455,13 +454,6 @@
+
+         boolean authRequired = isContinuationRequired(request);
+
+-        // The Servlet may specify security constraints through annotations.
+-        // Ensure that they have been processed before constraints are checked
+-        Wrapper wrapper = request.getMappingData().wrapper;
+-        if (wrapper != null) {
+-            wrapper.servletSecurityAnnotationScan();
+-        }
+-
+         Realm realm = this.context.getRealm();
+         // Is this request URI subject to a security constraint?
+         SecurityConstraint[] constraints = realm.findSecurityConstraints(request, this.context);
+--- a/java/org/apache/catalina/core/ApplicationContext.java
++++ b/java/org/apache/catalina/core/ApplicationContext.java
+@@ -50,8 +50,10 @@
+ import javax.servlet.ServletRegistration.Dynamic;
+ import javax.servlet.ServletRequestAttributeListener;
+ import javax.servlet.ServletRequestListener;
++import javax.servlet.ServletSecurityElement;
+ import javax.servlet.SessionCookieConfig;
+ import javax.servlet.SessionTrackingMode;
++import javax.servlet.annotation.ServletSecurity;
+ import javax.servlet.descriptor.JspConfigDescriptor;
+ import javax.servlet.http.HttpSessionAttributeListener;
+ import javax.servlet.http.HttpSessionIdListener;
+@@ -68,6 +70,7 @@
+ import org.apache.catalina.connector.Connector;
+ import org.apache.catalina.mapper.MappingData;
+ import org.apache.catalina.servlet4preview.http.ServletMapping;
++import org.apache.catalina.util.Introspection;
+ import org.apache.catalina.util.ServerInfo;
+ import org.apache.catalina.util.URLEncoder;
+ import org.apache.tomcat.util.ExceptionUtils;
+@@ -918,11 +921,19 @@
+             }
+         }
+
++        ServletSecurity annotation = null;
+         if (servlet == null) {
+             wrapper.setServletClass(servletClass);
++            Class<?> clazz = Introspection.loadClass(context, servletClass);
++            if (clazz != null) {
++                annotation = clazz.getAnnotation(ServletSecurity.class);
++            }
+         } else {
+             wrapper.setServletClass(servlet.getClass().getName());
+             wrapper.setServlet(servlet);
++            if (context.wasCreatedDynamicServlet(servlet)) {
++                annotation = servlet.getClass().getAnnotation(ServletSecurity.class);
++            }
+         }
+
+         if (initParams != null) {
+@@ -931,7 +942,12 @@
+             }
+         }
+
+-        return context.dynamicServletAdded(wrapper);
++        ServletRegistration.Dynamic registration =
++                new ApplicationServletRegistration(wrapper, context);
++        if (annotation != null) {
++            registration.setServletSecurity(new ServletSecurityElement(annotation));
++        }
++        return registration;
+     }
+
+
+--- a/java/org/apache/catalina/core/ApplicationServletRegistration.java
++++ b/java/org/apache/catalina/core/ApplicationServletRegistration.java
+@@ -45,6 +45,7 @@
+
+     private final Wrapper wrapper;
+     private final Context context;
++    private ServletSecurityElement constraint;
+
+     public ApplicationServletRegistration(Wrapper wrapper,
+             Context context) {
+@@ -159,6 +160,7 @@
+                     getName(), context.getName()));
+         }
+
++        this.constraint = constraint;
+         return context.addServletSecurity(this, constraint);
+     }
+
+@@ -193,6 +195,11 @@
+             context.addServletMappingDecoded(
+                     UDecoder.URLDecode(urlPattern, "UTF-8"), wrapper.getName());
+         }
++
++        if (constraint != null) {
++            context.addServletSecurity(this, constraint);
++        }
++
+         return Collections.emptySet();
+     }
+
+--- a/java/org/apache/catalina/core/StandardContext.java
++++ b/java/org/apache/catalina/core/StandardContext.java
+@@ -4443,28 +4443,36 @@
+     }
+
+     /**
+-     * Hook to register that we need to scan for security annotations.
+-     * @param wrapper   The wrapper for the Servlet that was added
+-     * @return the associated registration
++     * Create a servlet registration.
++     *
++     * @param wrapper The wrapper for which the registration should be created.
++     *
++     * @return An appropriate registration
++     *
++     * @deprecated This will be removed in Tomcat 9. The registration should be
++     *             created directly.
+      */
++    @Deprecated
+     public ServletRegistration.Dynamic dynamicServletAdded(Wrapper wrapper) {
+-        Servlet s = wrapper.getServlet();
+-        if (s != null && createdServlets.contains(s)) {
+-            // Mark the wrapper to indicate annotations need to be scanned
+-            wrapper.setServletSecurityAnnotationScanRequired(true);
+-        }
+         return new ApplicationServletRegistration(wrapper, this);
+     }
+
+     /**
+-     * Hook to track which registrations need annotation scanning
+-     * @param servlet the Servlet to add
++     * Hook to track which Servlets were created via
++     * {@link ServletContext#createServlet(Class)}.
++     *
++     * @param servlet the created Servlet
+      */
+     public void dynamicServletCreated(Servlet servlet) {
+         createdServlets.add(servlet);
+     }
+
+
++    public boolean wasCreatedDynamicServlet(Servlet servlet) {
++        return createdServlets.contains(servlet);
++    }
++
++
+     /**
+      * A helper class to manage the filter mappings in a Context.
+      */
+@@ -5741,8 +5749,6 @@
+                         newSecurityConstraints) {
+                     addConstraint(securityConstraint);
+                 }
+-
+-                checkConstraintsForUncoveredMethods(newSecurityConstraints);
+             }
+         }
+
+--- a/java/org/apache/catalina/core/StandardWrapper.java
++++ b/java/org/apache/catalina/core/StandardWrapper.java
+@@ -42,11 +42,9 @@
+ import javax.servlet.ServletConfig;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+-import javax.servlet.ServletSecurityElement;
+ import javax.servlet.SingleThreadModel;
+ import javax.servlet.UnavailableException;
+ import javax.servlet.annotation.MultipartConfig;
+-import javax.servlet.annotation.ServletSecurity;
+
+ import org.apache.catalina.Container;
+ import org.apache.catalina.ContainerServlet;
+@@ -256,8 +254,6 @@
+      */
+     protected boolean enabled = true;
+
+-    protected volatile boolean servletSecurityAnnotationScanRequired = false;
+-
+     private boolean overridable = false;
+
+     /**
+@@ -619,7 +615,7 @@
+      */
+     @Override
+     public void setServletSecurityAnnotationScanRequired(boolean b) {
+-        this.servletSecurityAnnotationScanRequired = b;
++        // NO-OP
+     }
+
+     // --------------------------------------------------------- Public Methods
+@@ -1078,8 +1074,6 @@
+                 }
+             }
+
+-            processServletSecurityAnnotation(servlet.getClass());
+-
+             // Special handling for ContainerServlet instances
+             if ((servlet instanceof ContainerServlet) &&
+                     (isContainerProvidedServlet(servletClass) ||
+@@ -1122,40 +1116,9 @@
+      */
+     @Override
+     public void servletSecurityAnnotationScan() throws ServletException {
+-        if (getServlet() == null) {
+-            Class<?> clazz = null;
+-            try {
+-                clazz = ((Context) getParent()).getLoader().getClassLoader().loadClass(
+-                        getServletClass());
+-                processServletSecurityAnnotation(clazz);
+-            } catch (ClassNotFoundException e) {
+-                // Safe to ignore. No class means no annotations to process
+-            }
+-        } else {
+-            if (servletSecurityAnnotationScanRequired) {
+-                processServletSecurityAnnotation(getServlet().getClass());
+-            }
+-        }
++        // NO-OP
+     }
+
+-    private void processServletSecurityAnnotation(Class<?> clazz) {
+-        // Calling this twice isn't harmful so no syncs
+-        servletSecurityAnnotationScanRequired = false;
+-
+-        Context ctxt = (Context) getParent();
+-
+-        if (ctxt.getIgnoreAnnotations()) {
+-            return;
+-        }
+-
+-        ServletSecurity secAnnotation =
+-            clazz.getAnnotation(ServletSecurity.class);
+-        if (secAnnotation != null) {
+-            ctxt.addServletSecurity(
+-                    new ApplicationServletRegistration(this, ctxt),
+-                    new ServletSecurityElement(secAnnotation));
+-        }
+-    }
+
+     private synchronized void initServlet(Servlet servlet)
+             throws ServletException {
+--- a/java/org/apache/catalina/startup/ContextConfig.java
++++ b/java/org/apache/catalina/startup/ContextConfig.java
+@@ -343,19 +343,10 @@
+
+         LoginConfig loginConfig = context.getLoginConfig();
+
+-        SecurityConstraint constraints[] = context.findConstraints();
+-        if (context.getIgnoreAnnotations() &&
+-                (constraints == null || constraints.length ==0) &&
+-                !context.getPreemptiveAuthentication())  {
+-            return;
+-        } else {
+-            if (loginConfig == null) {
+-                // Not metadata-complete or security constraints present, need
+-                // an authenticator to support @ServletSecurity annotations
+-                // and/or constraints
+-                loginConfig = DUMMY_LOGIN_CONFIG;
+-                context.setLoginConfig(loginConfig);
+-            }
++        if (loginConfig == null) {
++            // Need an authenticator to support HttpServletRequest.login()
++            loginConfig = DUMMY_LOGIN_CONFIG;
++            context.setLoginConfig(loginConfig);
+         }
+
+         // Has an authenticator been configured already?
+--- a/java/org/apache/catalina/startup/Tomcat.java
++++ b/java/org/apache/catalina/startup/Tomcat.java
+@@ -944,6 +944,9 @@
+                 Context context = (Context) event.getLifecycle();
+                 if (event.getType().equals(Lifecycle.CONFIGURE_START_EVENT)) {
+                     context.setConfigured(true);
++
++                    // Process annotations
++                    WebAnnotationSet.loadApplicationAnnotations(context);
+                 }
+                 // LoginConfig is required to process @ServletSecurity
+                 // annotations
+--- a/java/org/apache/catalina/startup/WebAnnotationSet.java
++++ b/java/org/apache/catalina/startup/WebAnnotationSet.java
+@@ -23,10 +23,13 @@
+ import javax.annotation.Resources;
+ import javax.annotation.security.DeclareRoles;
+ import javax.annotation.security.RunAs;
++import javax.servlet.ServletSecurityElement;
++import javax.servlet.annotation.ServletSecurity;
+
+ import org.apache.catalina.Container;
+ import org.apache.catalina.Context;
+ import org.apache.catalina.Wrapper;
++import org.apache.catalina.core.ApplicationServletRegistration;
+ import org.apache.catalina.util.Introspection;
+ import org.apache.tomcat.util.descriptor.web.ContextEnvironment;
+ import org.apache.tomcat.util.descriptor.web.ContextResource;
+@@ -144,6 +147,14 @@
+                 if (annotation != null) {
+                     wrapper.setRunAs(annotation.value());
+                 }
++
++                // Process ServletSecurity annotation
++                ServletSecurity servletSecurity = classClass.getAnnotation(ServletSecurity.class);
++                if (servletSecurity != null) {
++                    context.addServletSecurity(
++                            new ApplicationServletRegistration(wrapper, context),
++                            new ServletSecurityElement(servletSecurity));
++                }
+             }
+         }
+

debian/patches/CVE-2018-1336.patch

+From: Markus Koschany <apo@debian.org>
+Date: Fri, 24 Aug 2018 21:13:11 +0200
+Subject: CVE-2018-1336
+
+Origin: https://svn.apache.org/r1830374
+---
+ java/org/apache/tomcat/util/buf/Utf8Decoder.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/java/org/apache/tomcat/util/buf/Utf8Decoder.java b/java/org/apache/tomcat/util/buf/Utf8Decoder.java
+index 13d6543..ca819c4 100644
+--- a/java/org/apache/tomcat/util/buf/Utf8Decoder.java
++++ b/java/org/apache/tomcat/util/buf/Utf8Decoder.java
+@@ -278,6 +278,11 @@ public class Utf8Decoder extends CharsetDecoder {
+                 outRemaining--;
+             } else {
+                 if (outRemaining < 2) {
++                    // Encoded with 4 bytes. inIndex currently points
++                    // to the final byte. Move it back to first byte.
++                    inIndex -= 3;
++                    in.position(inIndex - in.arrayOffset());
++                    out.position(outIndex - out.arrayOffset());
+                     return CoderResult.OVERFLOW;
+                 }
+                 cArr[outIndex++] = (char) ((jchar >> 0xA) + 0xD7C0);

debian/patches/CVE-2018-8034.patch

+From: Markus Koschany <apo@debian.org>
+Date: Fri, 24 Aug 2018 21:25:57 +0200
+Subject: CVE-2018-8034
+
+Origin: https://svn.apache.org/r1833758
+---
+ .../apache/tomcat/websocket/WsWebSocketContainer.java | 18 ++++++++++++++----
+ webapps/docs/web-socket-howto.xml                     | 19 +++++++++++++++----
+ 2 files changed, 29 insertions(+), 8 deletions(-)
+
+diff --git a/java/org/apache/tomcat/websocket/WsWebSocketContainer.java b/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
+index 846cd4f..a1d8403 100644
+--- a/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
++++ b/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
+@@ -52,6 +52,7 @@ import java.util.concurrent.TimeoutException;
+ import javax.net.ssl.SSLContext;
+ import javax.net.ssl.SSLEngine;
+ import javax.net.ssl.SSLException;
++import javax.net.ssl.SSLParameters;
+ import javax.net.ssl.TrustManagerFactory;
+ import javax.websocket.ClientEndpoint;
+ import javax.websocket.ClientEndpointConfig;
+@@ -277,6 +278,8 @@ public class WsWebSocketContainer implements WebSocketContainer, BackgroundProce
+                     "wsWebSocketContainer.asynchronousSocketChannelFail"), ioe);
+         }
+ 
++        Map<String,Object> userProperties = clientEndpointConfiguration.getUserProperties();
++
+         // Get the connection timeout
+         long timeout = Constants.IO_TIMEOUT_MS_DEFAULT;
+         String timeoutValue = (String) clientEndpointConfiguration.getUserProperties().get(
+@@ -323,8 +326,7 @@ public class WsWebSocketContainer implements WebSocketContainer, BackgroundProce
+             // Regardless of whether a non-secure wrapper was created for a
+             // proxy CONNECT, need to use TLS from this point on so wrap the
+             // original AsynchronousSocketChannel
+-            SSLEngine sslEngine = createSSLEngine(
+-                    clientEndpointConfiguration.getUserProperties());
++            SSLEngine sslEngine = createSSLEngine(userProperties, host, port);
+             channel = new AsyncChannelWrapperSecure(socketChannel, sslEngine);
+         } else if (channel == null) {
+             // Only need to wrap as this point if it wasn't wrapped to process a
+@@ -750,7 +752,7 @@ public class WsWebSocketContainer implements WebSocketContainer, BackgroundProce
+     }
+ 
+ 
+-    private SSLEngine createSSLEngine(Map<String,Object> userProperties)
++    private SSLEngine createSSLEngine(Map<String,Object> userProperties, String host, int port)
+             throws DeploymentException {
+ 
+         try {
+@@ -788,7 +790,7 @@ public class WsWebSocketContainer implements WebSocketContainer, BackgroundProce
+                 }
+             }
+ 
+-            SSLEngine engine = sslContext.createSSLEngine();
++            SSLEngine engine = sslContext.createSSLEngine(host, port);
+ 
+             String sslProtocolsValue =
+                     (String) userProperties.get(Constants.SSL_PROTOCOLS_PROPERTY);
+@@ -798,6 +800,14 @@ public class WsWebSocketContainer implements WebSocketContainer, BackgroundProce
+ 
+             engine.setUseClientMode(true);
+ 
++            // Enable host verification
++            // Start with current settings (returns a copy)
++            SSLParameters sslParams = engine.getSSLParameters();
++            // Use HTTPS since WebSocket starts over HTTP(S)
++            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
++            // Write the parameters back
++            engine.setSSLParameters(sslParams);
++
+             return engine;
+         } catch (Exception e) {
+             throw new DeploymentException(sm.getString(
+diff --git a/webapps/docs/web-socket-howto.xml b/webapps/docs/web-socket-howto.xml
+index 938d36c..85d5b64 100644
+--- a/webapps/docs/web-socket-howto.xml
++++ b/webapps/docs/web-socket-howto.xml
+@@ -110,10 +110,21 @@
+      <li><code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code></li>
+    </ul>
+    <p>The default truststore password is <code>changeit</code>.</p>
+-   <p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
+-      set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
+-      <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
+-      will be ignored.</p>
++<p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
++   set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
++   <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
++   will be ignored.</p>
++
++<p>For secure server end points, host name verification is enabled by default.
++   To bypass this verification (not recommended), it is necessary to provide a
++   custom <code>SSLContext</code> via the
++   <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> user property. The
++   custom <code>SSLContext</code> must be configured with a custom
++   <code>TrustManager</code> that extends
++   <code>javax.net.ssl.X509ExtendedTrustManager</code>. The desired verification
++   (or lack of verification) can then be controlled by appropriate
++   implementations of the individual abstract methods.</p>
++
+ </section>
+ 
+ </body>

debian/patches/CVE-2018-8037.patch

+From: Markus Koschany <apo@debian.org>
+Date: Fri, 24 Aug 2018 21:37:54 +0200
+Subject: CVE-2018-8037
+
+Origin: https://svn.apache.org/r1833907
+---
+ java/org/apache/tomcat/util/net/Nio2Endpoint.java | 3 ++-
+ java/org/apache/tomcat/util/net/NioEndpoint.java  | 5 ++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+index a8231bf..1052434 100644
+--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
++++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+@@ -497,6 +497,7 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel> {
+         private final Semaphore writePending = new Semaphore(1);
+         private boolean writeInterest = false; // Guarded by writeCompletionHandler
+         private boolean writeNotify = false;
++        private volatile boolean closed = false;
+ 
+         private CompletionHandler<Integer, SocketWrapperBase<Nio2Channel>> awaitBytesHandler
+                 = new CompletionHandler<Integer, SocketWrapperBase<Nio2Channel>>() {
+@@ -922,7 +923,7 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel> {
+ 
+         @Override
+         public boolean isClosed() {
+-            return !getSocket().isOpen();
++            return closed || !getSocket().isOpen();
+         }
+ 
+ 
+diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
+index b6d9bed..9f16a00 100644
+--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
++++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
+@@ -577,6 +577,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel> {
+                         // since it won't have been counted down when the socket
+                         // closed.
+                         socket.socketWrapper.getEndpoint().countDownConnection();
++                        ((NioSocketWrapper) socket.socketWrapper).closed = true;
+                     } else {
+                         final NioSocketWrapper socketWrapper = (NioSocketWrapper) key.attachment();
+                         if (socketWrapper != null) {
+@@ -754,6 +755,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel> {
+                 }
+                 if (ka != null) {
+                     countDownConnection();
++                    ka.closed = true;
+                 }
+             } catch (Throwable e) {
+                 ExceptionUtils.handleThrowable(e);
+@@ -1069,6 +1071,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel> {
+         private volatile SendfileData sendfileData = null;
+         private volatile long lastRead = System.currentTimeMillis();
+         private volatile long lastWrite = lastRead;
++        private volatile boolean closed = false;
+ 
+         public NioSocketWrapper(NioChannel channel, NioEndpoint endpoint) {
+             super(channel, endpoint);
+@@ -1204,7 +1207,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel> {
+ 
+         @Override
+         public boolean isClosed() {
+-            return !getSocket().isOpen();
++            return closed || !getSocket().isOpen();
+         }
+ 
+ 

debian/patches/series

@@ -11,3 +11,8 @@
 CVE-2017-5664.patch
 CVE-2017-7674.patch
 CVE-2017-7675.patch
+CVE-2018-1304.patch
+CVE-2018-1305.patch
+CVE-2018-1336.patch
+CVE-2018-8034.patch
+CVE-2018-8037.patch