Commits on Source (2)
  • Import Debian changes 8.0.14-1+deb8u15 · 1dc175d5
    Sylvain Beucler authored and committed
    tomcat8 (8.0.14-1+deb8u15) jessie-security; urgency=high
    
      * Non-maintainer upload by the LTS team.
      * Fix flaky FTBFS by improving fix for CVE-2017-5647.
      * Refresh the expired SSL certificates used by the tests from
        freshly-renewed upstream Tomcat and adapt the test user DN.
      * Fix CVE-2019-0221:
        The SSI printenv command in Apache Tomcat echoes user provided
        data without escaping and is, therefore, vulnerable to XSS. SSI is
        disabled by default. The printenv command is intended for
        debugging and is unlikely to be present in a production website.
      * Fix CVE-2018-8014:
        The defaults settings for the CORS filter provided in Apache
        Tomcat are insecure and enable 'supportsCredentials' for all
        origins. It is expected that users of the CORS filter will have
        configured it appropriately for their environment rather than
        using it in the default configuration. Therefore, it is expected
        that most users will not be impacted by this issue.
      * Fix CVE-2016-5388:
        Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875
        section 4.1.18 and therefore does not protect applications from
        the presence of untrusted client data in the HTTP_PROXY
        environment variable, which might allow remote attackers to
        redirect an application's outbound HTTP traffic to an arbitrary
        proxy server via a crafted Proxy header in an HTTP request, aka an
        "httpoxy" issue.  The 'cgi' servlet now has a 'envHttpHeaders'
        parameter to filter environment variables.
    1dc175d5
  • Merge branch 'jessie' into 'jessie' · 56b840e5
    Markus Koschany authored
    Import Debian changes 8.0.14-1+deb8u15
    
    See merge request !3
    56b840e5
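The changelog entry for CVE-2016-5388 above describes the mitigation as an allow-list of request header names that may become `HTTP_*` variables in the CGI environment. The following is an added illustration, not code from the Tomcat source or from this Debian upload: a standalone Java class that performs the same upper-cased, whole-name regex match the `envHttpHeaders` parameter uses, with the default pattern quoted from the patch, over a constructed header map. The class name `CgiHeaderEnv`, the unconditional exclusion of the two credential headers, and the fail-closed handling of a malformed pattern are choices made here, not the project's.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added illustration (not Tomcat's CGIServlet): builds the HTTP_* part of a CGI
 * environment from request headers using an allow-list regex, the approach the
 * envHttpHeaders parameter introduces. Names are upper-cased before matching and
 * the whole name must match, as the cgi-howto text in the patch describes.
 */
public final class CgiHeaderEnv {

    /** Default pattern, quoted from the CVE-2016-5388 patch. */
    static final String DEFAULT_ENV_HTTP_HEADERS =
        "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT";

    private final Pattern allowed;

    CgiHeaderEnv(String envHttpHeaders) {
        try {
            allowed = Pattern.compile(envHttpHeaders);
        } catch (PatternSyntaxException e) {
            // Fail closed: a broken allow-list must not degrade to "pass everything".
            throw new IllegalArgumentException("invalid envHttpHeaders pattern: " + envHttpHeaders, e);
        }
    }

    /** Maps allowed request headers to HTTP_* environment variables. */
    Map<String, String> toEnvironment(Map<String, String> requestHeaders) {
        Map<String, String> envp = new LinkedHashMap<>();
        for (Map.Entry<String, String> h : requestHeaders.entrySet()) {
            String name = h.getKey().toUpperCase(Locale.ENGLISH);
            // Credentials never reach the script environment (CGI spec section 11.2),
            // whatever the configured pattern says. Note the hyphen: the name has not
            // been rewritten to underscores yet at this point.
            if (name.equals("AUTHORIZATION") || name.equals("PROXY-AUTHORIZATION")) {
                continue;
            }
            // matches() requires the entire name to match, so "PROXY" is not admitted
            // by any alternative of the default pattern.
            if (!allowed.matcher(name).matches()) {
                continue;
            }
            envp.put("HTTP_" + name.replace('-', '_'), h.getValue());
        }
        return envp;
    }

    public static void main(String[] args) {
        // Constructed sample request: an ordinary browser request plus the Proxy
        // header that the changelog names as the httpoxy vector, and a credential.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Host", "app.example.test");
        headers.put("User-Agent", "curl/7.64");
        headers.put("Accept-Language", "en");
        headers.put("Proxy", "proxy.example.test:8080");
        headers.put("Authorization", "Basic dXNlcjpwYXNz");

        Map<String, String> env =
            new CgiHeaderEnv(DEFAULT_ENV_HTTP_HEADERS).toEnvironment(headers);
        env.forEach((k, v) -> System.out.println(k + "=" + v));
    }
}
```

Running the class prints only `HTTP_HOST`, `HTTP_USER_AGENT` and `HTTP_ACCEPT_LANGUAGE`; the `Proxy` and `Authorization` headers are dropped before they can become environment variables. The point of keeping the credential exclusion outside the pattern is that an administrator who widens `envHttpHeaders` cannot accidentally export credentials along with the headers they meant to add.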
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4109 (0x100d)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, CN=ca-test.tomcat.apache.org
Serial Number: 4102 (0x1006)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=MA, L=Wakefield, O=The Apache Software Foundation, OU=Apache Tomcat PMC, CN=Apache Tomcat Test CA
Validity
Not Before: Feb 27 23:25:29 2017 GMT
Not After : Feb 27 23:25:29 2019 GMT
Subject: C=US, CN=localhost
Not Before: Aug 7 20:30:28 2019 GMT
Not After : Aug 6 20:30:28 2021 GMT
Subject: C=US, ST=MA, L=Wakefield, O=The Apache Software Foundation, OU=Apache Tomcat PMC, CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
RSA Public-Key: (2048 bit)
Modulus:
00:ba:d6:b2:32:de:10:53:1f:5d:af:da:d4:3f:64:
b3:22:37:fd:4e:16:a3:f0:d6:9e:6e:d3:ee:47:ec:
15:b4:b3:0d:80:bf:fc:21:96:8b:1d:40:16:6d:89:
35:03:8a:45:8c:c6:6e:2b:66:67:0f:1c:19:cf:62:
d5:e6:08:48:a8:df:10:da:4c:47:79:7c:02:97:54:
f9:a8:e9:59:50:33:cd:a0:72:fd:e1:e7:5e:3a:43:
5c:ff:0c:69:9e:f6:c2:86:71:07:a5:eb:b5:c7:61:
f9:e9:fe:3f:26:55:2c:f4:04:7c:c0:bd:cd:2b:88:
9c:69:4d:ce:3c:1e:ad:2e:18:96:aa:a0:eb:72:2b:
95:99:47:16:90:b5:59:ed:f1:78:cc:8b:01:33:40:
c4:e9:b0:3f:ec:89:04:13:5c:9b:22:01:cc:25:cf:
40:c1:40:fa:04:a0:b9:b7:f7:d8:73:91:7f:b8:7e:
e9:82:20:1f:e9:9c:89:25:28:b5:fa:6f:b7:4a:88:
28:68:59:d5:30:52:f9:e4:5b:a6:b4:f8:e4:ed:2f:
03:d8:50:61:9a:53:86:1f:ad:aa:0d:5f:f8:52:b5:
27:dd:05:82:25:13:a0:d0:10:3c:dd:c0:70:15:24:
63:89:22:0e:f0:5a:9a:fa:b0:75:56:06:aa:7f:b0:
f7:9b
00:cf:e2:56:a6:67:a6:e8:e7:f3:94:86:6e:f9:06:
46:cf:20:66:b5:cd:b1:c7:d6:50:ea:4d:46:44:ed:
45:65:ea:b6:9b:2e:49:a5:25:c1:8e:36:f6:2c:bc:
8e:09:35:0b:2f:43:70:73:07:47:1d:78:a1:12:e9:
56:5d:ab:84:15:16:0e:38:01:bb:81:87:2d:c4:3b:
dc:2e:4a:e1:d4:66:1b:ce:87:2c:a9:b8:e3:aa:80:
75:79:b1:98:f3:dd:df:66:d0:0d:e1:06:d8:6c:6c:
50:f0:00:80:32:70:55:7b:dd:eb:ae:f2:6a:bf:93:
3d:15:e1:25:f8:75:ce:d8:46:dc:c4:6b:ee:f9:f5:
93:39:ad:90:47:15:4b:fa:ca:5b:fe:ca:1b:29:8a:
74:19:2a:cb:1e:4f:20:d9:74:75:24:a0:06:d1:3a:
ed:9b:88:87:f3:1b:0f:a6:14:67:e9:ed:47:2e:a1:
25:6a:c2:97:04:13:f4:9f:62:38:cd:5a:e7:ad:c2:
64:2c:8f:9c:3d:04:58:12:42:e5:0c:8e:8c:ce:78:
3d:60:38:ce:06:ff:9c:ea:9c:c9:0f:73:90:b2:1a:
4a:16:99:c9:fe:95:88:7b:3c:7f:19:d0:26:27:11:
78:f9:92:5c:b4:f5:d4:cb:b0:84:0c:74:37:3d:87:
1a:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
......@@ -37,43 +37,73 @@ Certificate:
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0B:37:2F:D6:48:9C:11:2F:28:AE:DC:47:E6:5E:3A:1D:24:12:0F:1A
0D:86:88:1D:07:59:CE:14:B4:89:81:58:C6:0B:FF:4C:CA:25:52:80
X509v3 Authority Key Identifier:
keyid:B0:3B:BC:C9:FA:28:5F:3E:04:1F:9B:6C:C7:8B:68:D8:01:B0:F8:3D
keyid:00:F2:98:4D:21:2C:00:3C:40:9B:84:F4:DE:2A:F0:26:EE:32:0E:9F
Authority Information Access:
OCSP - URI:http://127.0.0.1:8888
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
3b:0a:ad:f2:27:26:d4:db:bc:97:e7:4e:52:8b:6c:08:4d:7b:
e7:66:ec:81:0b:0c:04:f8:b9:92:35:12:c9:b9:ed:d2:5e:b7:
ac:89:67:72:7e:2b:4f:5b:e3:3a:d1:09:fe:e8:cf:33:ac:a5:
84:95:7f:48:4d:af:59:87:0b:4c:6f:6a:bf:6b:07:af:33:13:
19:fd:70:0d:fc:1c:92:04:be:05:b9:96:46:d5:82:a4:f8:3b:
b0:11:2d:f0:19:25:ba:d6:ce:1c:7a:17:76:c6:80:d2:73:a0:
1a:01:48:d6:0b:12:a9:3f:50:66:81:1b:e9:9f:1e:5b:6f:d1:
19:12:14:70:d3:de:4c:ab:d3:83:d6:e5:4f:bb:b3:e5:c6:87:
16:47:f7:59:4d:9d:52:9d:00:f0:24:7a:1e:6e:14:01:0d:07:
0c:b6:f7:4e:c0:40:77:65:fd:ac:c7:aa:73:77:f0:44:b1:30:
ad:65:83:1a:cc:bd:fa:9d:80:29:61:e9:b3:26:e8:3b:55:c7:
12:79:3e:4d:31:f1:21:d0:4e:5f:1f:73:c3:9f:ce:f9:6c:7e:
8e:11:10:8e:f6:60:d2:11:ae:0f:24:6e:10:71:42:05:ed:ea:
4b:41:86:86:84:26:74:ed:46:81:48:34:16:40:e6:df:64:c9:
c2:7d:6b:1b
7d:dc:b1:0f:dd:34:df:26:63:73:02:8a:d6:39:64:73:c3:fc:
40:75:26:b6:9b:42:72:af:c9:63:41:68:d0:78:c7:47:ef:c2:
44:5a:b3:58:95:a3:2c:f3:b1:f4:a3:3d:0b:94:ff:b4:97:6a:
e9:4b:4b:c2:3a:f6:36:43:af:ee:2f:39:3e:f2:5f:2c:a2:b7:
43:3c:13:42:d8:4e:e0:36:bc:23:c5:43:88:46:92:f7:77:14:
67:73:14:5b:43:0e:3d:b5:1a:69:e9:ca:84:08:20:27:9f:23:
4d:60:db:cb:98:4a:b3:3e:71:e6:e8:a1:11:1c:7e:7e:43:fb:
6d:a5:41:c0:7e:3f:84:ed:06:28:dc:aa:80:17:76:ec:8a:e6:
65:45:21:85:13:48:e0:5b:87:c8:2a:1a:0f:37:0f:2a:64:53:
a8:e3:49:04:84:88:fe:8b:a2:3c:cc:41:c7:c0:ad:26:d6:e1:
67:69:9a:50:c7:eb:3d:1c:7f:da:88:08:24:14:6e:a1:ab:3e:
77:3f:88:12:55:98:97:9f:db:ad:09:e2:20:fe:8d:1f:ea:4f:
46:7e:d8:aa:ba:14:bd:a8:c2:6f:1b:47:62:d9:05:ca:c7:30:
7b:1e:95:2e:55:10:1d:b1:e3:44:95:07:25:6e:8c:9d:69:5b:
5c:ad:5f:56:27:e8:60:9f:d2:f4:64:7f:f7:8f:dc:bb:ee:bf:
be:0b:ea:34:9b:37:de:f0:5c:e0:64:c2:52:42:a6:0d:20:7d:
78:34:42:c1:1c:43:a1:98:e8:48:7b:92:49:2b:d9:63:91:6a:
70:02:d0:1b:a5:2a:ee:e5:1b:12:4f:cb:c9:e7:18:ae:66:f5:
04:d9:d2:68:95:c1:31:fe:57:9d:51:f5:fc:ed:43:3b:79:bf:
c3:9d:85:68:d8:98:a5:3c:a2:bb:fb:5b:19:5b:de:f0:7e:c8:
5e:47:ba:5d:8a:5b:44:f1:44:54:64:c0:da:95:a6:f0:bf:a9:
3f:5d:4c:72:97:86:ae:1e:0d:cd:20:4b:85:e0:4e:26:4d:29:
4e:96:43:b0:fd:30:5f:53:24:97:bc:35:d8:31:4b:6c:ea:a7:
f9:64:f9:cb:a0:14:c4:fc:54:78:13:52:b5:06:8f:7a:c2:00:
14:97:18:06:ef:bc:2f:2a:31:fc:11:25:7f:47:e3:3b:54:e7:
46:62:78:ba:52:07:32:41:48:9d:47:bd:1c:f4:eb:49:11:42:
40:9c:36:5a:e0:84:bd:09:44:91:bb:5c:d1:c4:28:6a:68:34:
f9:2c:22:b7:fc:43:bb:c4:96:02:ce:73:43:be:de:02:9c:e1:
d2:2a:4a:76:19:d6:3f:b0
-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgICEA0wDQYJKoZIhvcNAQELBQAwMTELMAkGA1UEBhMCVVMx
IjAgBgNVBAMMGWNhLXRlc3QudG9tY2F0LmFwYWNoZS5vcmcwHhcNMTcwMjI3MjMy
NTI5WhcNMTkwMjI3MjMyNTI5WjAhMQswCQYDVQQGEwJVUzESMBAGA1UEAxMJbG9j
YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutayMt4QUx9d
r9rUP2SzIjf9Thaj8NaebtPuR+wVtLMNgL/8IZaLHUAWbYk1A4pFjMZuK2ZnDxwZ
z2LV5ghIqN8Q2kxHeXwCl1T5qOlZUDPNoHL94edeOkNc/wxpnvbChnEHpeu1x2H5
6f4/JlUs9AR8wL3NK4icaU3OPB6tLhiWqqDrciuVmUcWkLVZ7fF4zIsBM0DE6bA/
7IkEE1ybIgHMJc9AwUD6BKC5t/fYc5F/uH7pgiAf6ZyJJSi1+m+3SogoaFnVMFL5
5FumtPjk7S8D2FBhmlOGH62qDV/4UrUn3QWCJROg0BA83cBwFSRjiSIO8Fqa+rB1
Vgaqf7D3mwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUCzcv1kicES8ortxH
5l46HSQSDxowHwYDVR0jBBgwFoAUsDu8yfooXz4EH5tsx4to2AGw+D0wDQYJKoZI
hvcNAQELBQADggEBADsKrfInJtTbvJfnTlKLbAhNe+dm7IELDAT4uZI1Esm57dJe
t6yJZ3J+K09b4zrRCf7ozzOspYSVf0hNr1mHC0xvar9rB68zExn9cA38HJIEvgW5
lkbVgqT4O7ARLfAZJbrWzhx6F3bGgNJzoBoBSNYLEqk/UGaBG+mfHltv0RkSFHDT
3kyr04PW5U+7s+XGhxZH91lNnVKdAPAkeh5uFAENBwy2907AQHdl/azHqnN38ESx
MK1lgxrMvfqdgClh6bMm6DtVxxJ5Pk0x8SHQTl8fc8Ofzvlsfo4REI72YNIRrg8k
bhBxQgXt6ktBhoaEJnTtRoFINBZA5t9kycJ9axs=
MIIFZDCCA0ygAwIBAgICEAYwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlVT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-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
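Review bot: the replacement localhost certificate is valid only until Aug 6 20:30:28 2021 GMT (two years, per the new Not After line), so the test-suite FTBFS this upload repairs will recur on that date. Consider issuing the test CA, server and user1 certificates at build time from a helper under debian/ rather than shipping fixed files, or, if files must be shipped, giving the test-only CA a far longer validity. It is also worth noting in the patch header that the new certificate differs in more than dates: it now carries a Subject Alternative Name (DNS:localhost, IP Address:127.0.0.1) and an OCSP Authority Information Access URI of http://127.0.0.1:8888, both of which the test code may depend on.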
tomcat8 (8.0.14-1+deb8u15) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix flacky FTBFS by improving fix for CVE-2017-5647.
* Refresh the expired SSL certificates used by the tests from
freshly-renewed upstream Tomcat and adapt the test user DN.
* Fix CVE-2019-0221:
The SSI printenv command in Apache Tomcat echoes user provided
data without escaping and is, therefore, vulnerable to XSS. SSI is
disabled by default. The printenv command is intended for
debugging and is unlikely to be present in a production website.
* Fix CVE-2018-8014:
The defaults settings for the CORS filter provided in Apache
Tomcat are insecure and enable 'supportsCredentials' for all
origins. It is expected that users of the CORS filter will have
configured it appropriately for their environment rather than
using it in the default configuration. Therefore, it is expected
that most users will not be impacted by this issue.
* Fix CVE-2016-5388:
Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875
section 4.1.18 and therefore does not protect applications from
the presence of untrusted client data in the HTTP_PROXY
environment variable, which might allow remote attackers to
redirect an application's outbound HTTP traffic to an arbitrary
proxy server via a crafted Proxy header in an HTTP request, aka an
"httpoxy" issue. The 'cgi' servlet now has a 'envHttpHeaders'
parameter to filter environment variables.
-- Sylvain Beucler <beuc@debian.org> Tue, 13 Aug 2019 16:22:22 +0200
tomcat8 (8.0.14-1+deb8u14) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
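Review bot: "flacky" in the deb8u15 entry should read "flaky". The same bullet says the CVE-2017-5647 fix was improved without saying what changed; naming the patch file that was touched would let readers of the changelog (and the security tracker) see what was altered.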
......
From: Sylvain Beucler <beuc@debian.org>
Date: Wed Aug 7 21:47:13 CEST 2019
Subject: Update client certificate CN
Forwarded: no
Last-Update: 2019-08-07
See also:
debian/rules
debian/certificates/
debian/source/include-binaries
Index: tomcat8-8.0.14/test/org/apache/tomcat/util/net/TesterSupport.java
===================================================================
--- tomcat8-8.0.14.orig/test/org/apache/tomcat/util/net/TesterSupport.java
+++ tomcat8-8.0.14/test/org/apache/tomcat/util/net/TesterSupport.java
@@ -163,8 +163,8 @@ public final class TesterSupport {
// Configure the Realm
TesterMapRealm realm = new TesterMapRealm();
- realm.addUser("CN=user1, C=US", "not used");
- realm.addUserRole("CN=user1, C=US", ROLE);
+ realm.addUser("CN=user1, OU=Apache Tomcat PMC, O=The Apache Software Foundation, L=Wakefield, ST=MA, C=US", "not used");
+ realm.addUserRole("CN=user1, OU=Apache Tomcat PMC, O=The Apache Software Foundation, L=Wakefield, ST=MA, C=US", ROLE);
ctx.setRealm(realm);
// Configure the authenticator
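Review bot: the full DN literal is duplicated across addUser and addUserRole; extract it into a constant (for example `private static final String USER1_DN = "CN=user1, OU=Apache Tomcat PMC, O=The Apache Software Foundation, L=Wakefield, ST=MA, C=US";`) so the two calls cannot drift apart. The realm keys on this exact string, so attribute order and the ", " separators must match the subject of the renewed user1 certificate character for character; a comment pointing at debian/certificates/user1.jks as the source of the string would help whoever renews the certificates next time.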
From: Mark Thomas <markt@apache.org>
Date: Fri, 19 Aug 2016 16:57:16 +0000
Subject: Add a new initialisation parameter, envHttpHeaders, to the
CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to
provide a mechanism that can be used to mitigate any future, similar
issues.
Origin: http://svn.apache.org/1756941
Last-Update: 2019-08-13
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Index: tomcat8-8.0.14/webapps/docs/cgi-howto.xml
===================================================================
--- tomcat8-8.0.14.orig/webapps/docs/cgi-howto.xml
+++ tomcat8-8.0.14/webapps/docs/cgi-howto.xml
@@ -86,6 +86,12 @@ if your script is itself executable (e.g
<li><strong>executable-arg-1</strong>, <strong>executable-arg-2</strong>,
and so on - additional arguments for the executable. These precede the
CGI script name. By default there are no additional arguments.</li>
+<li><strong>envHttpHeaders</strong> - A regular expression used to select the
+HTTP headers passed to the CGI process as environment variables. Note that
+headers are converted to upper case before matching and that the entire header
+name must match the pattern. Default is
+<code>ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT</code>
+</li>
<li><strong>parameterEncoding</strong> - Name of the parameter encoding
to be used with the CGI servlet. Default is
<code>System.getProperty("file.encoding","UTF-8")</code>.</li>
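Review bot: the new envHttpHeaders entry should state what an administrator gives up by widening the pattern: every header name it matches becomes an HTTP_* variable in the script's environment, so a pattern that admits PROXY reintroduces the httpoxy behaviour this change removes, and one that admits AUTHORIZATION or PROXY-AUTHORIZATION places credentials in the environment. A sentence next to the default value along the lines of "The pattern should not be extended to match PROXY, AUTHORIZATION or PROXY-AUTHORIZATION" would make that explicit.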
Index: tomcat8-8.0.14/java/org/apache/catalina/servlets/CGIServlet.java
===================================================================
--- tomcat8-8.0.14.orig/java/org/apache/catalina/servlets/CGIServlet.java
+++ tomcat8-8.0.14/java/org/apache/catalina/servlets/CGIServlet.java
@@ -36,6 +36,7 @@ import java.util.List;
import java.util.Locale;
import java.util.StringTokenizer;
import java.util.Vector;
+import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletConfig;
@@ -268,6 +269,16 @@ public final class CGIServlet extends Ht
*/
private long stderrTimeout = 2000;
+ /**
+ * The regular expression used to select HTTP headers to be passed to the
+ * CGI process as environment variables. The name of the environment
+ * variable will be the name of the HTTP header converter to upper case,
+ * prefixed with <code>HTTP_</code> and with all <code>-</code> characters
+ * converted to <code>_</code>.
+ */
+ private Pattern envHttpHeadersPattern = Pattern.compile(
+ "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT");
+
/** object used to ensure multiple threads don't try to expand same file */
private static final Object expandFileLock = new Object();
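Review bot: typo in the new javadoc, "the name of the HTTP header converter to upper case" should read "converted". Since the pattern is applied to the upper-cased name and must match the whole name, the javadoc should say both (the cgi-howto text does), so that anyone editing the default here does not write a lower-case or partial pattern that silently matches nothing.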
@@ -331,6 +342,10 @@ public final class CGIServlet extends Ht
"stderrTimeout"));
}
+ if (getServletConfig().getInitParameter("envHttpHeaders") != null) {
+ envHttpHeadersPattern =
+ Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"));
+ }
}
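Review bot: Pattern.compile on the envHttpHeaders init parameter throws an unchecked PatternSyntaxException on a malformed value, so a typo in web.xml surfaces as an opaque stack trace from init. Catch it and rethrow as a ServletException (or log through the servlet's logger) naming the parameter and the offending pattern. Minor: getInitParameter("envHttpHeaders") is called twice; read it once into a local.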
@@ -1073,12 +1088,8 @@ public final class CGIServlet extends Ht
//REMIND: rewrite multiple headers as if received as single
//REMIND: change character set
//REMIND: I forgot what the previous REMIND means
- if ("AUTHORIZATION".equalsIgnoreCase(header) ||
- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
- //NOOP per CGI specification section 11.2
- } else {
- envp.put("HTTP_" + header.replace('-', '_'),
- req.getHeader(header));
+ if (envHttpHeadersPattern.matcher(header).matches()) {
+ envp.put("HTTP_" + header.replace('-', '_'), req.getHeader(header));
}
}
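Review bot: the removed branch excluded AUTHORIZATION and PROXY_AUTHORIZATION unconditionally (CGI spec section 11.2, as the deleted comment says); after this change that exclusion holds only as long as the configured pattern happens not to match them. Keep the explicit check as a hard exclusion ahead of the pattern match so that an over-broad envHttpHeaders value cannot export credentials. Note that the old comparison used "PROXY_AUTHORIZATION" with an underscore while `header` still carries its hyphen at that point (the `replace('-', '_')` runs afterwards), so if the check is restored it should compare against "PROXY-AUTHORIZATION". A unit test asserting that a request carrying Authorization and Proxy headers yields neither HTTP_AUTHORIZATION nor HTTP_PROXY under the default pattern would lock the behaviour in.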
From: Mark Thomas <markt@apache.org>
Date: Wed, 16 May 2018 14:54:51 +0000
Subject: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62343
Make CORS filter defaults more secure.
This is the fix for CVE-2018-8014.
Bug-Debian: https://bugs.debian.org/898935
Origin: http://svn.apache.org/1831729
Last-Update: 2019-08-13
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Index: tomcat8-8.0.14/test/org/apache/catalina/filters/TestCorsFilter.java
===================================================================
--- tomcat8-8.0.14.orig/test/org/apache/catalina/filters/TestCorsFilter.java
+++ tomcat8-8.0.14/test/org/apache/catalina/filters/TestCorsFilter.java
@@ -51,8 +51,7 @@ public class TestCorsFilter {
corsFilter.doFilter(request, response, filterChain);
Assert.assertTrue(response.getHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
- "https://www.apache.org"));
+ CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals("*"));
Assert.assertTrue(((Boolean) request.getAttribute(
CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
Assert.assertTrue(request.getAttribute(
@@ -84,8 +83,7 @@ public class TestCorsFilter {
corsFilter.doFilter(request, response, filterChain);
Assert.assertTrue(response.getHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
- "https://www.apache.org"));
+ CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals("*"));
Assert.assertTrue(((Boolean) request.getAttribute(
CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
Assert.assertTrue(request.getAttribute(
@@ -116,8 +114,7 @@ public class TestCorsFilter {
corsFilter.doFilter(request, response, filterChain);
Assert.assertTrue(response.getHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
- "https://www.apache.org"));
+ CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals("*"));
Assert.assertTrue(((Boolean) request.getAttribute(
CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
Assert.assertTrue(request.getAttribute(
@@ -162,41 +159,15 @@ public class TestCorsFilter {
}
/**
- * Tests the prsence of the origin (and not '*') in the response, when
- * supports credentials is enabled alongwith any origin, '*'.
+ * Tests the that supports credentials may not be enabled with any origin,
+ * '*'.
*
- * @throws IOException
* @throws ServletException
*/
- @Test
- public void testDoFilterSimpleAnyOriginAndSupportsCredentials()
- throws IOException, ServletException {
- TesterHttpServletRequest request = new TesterHttpServletRequest();
- request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN,
- TesterFilterConfigs.HTTPS_WWW_APACHE_ORG);
- request.setMethod("GET");
- TesterHttpServletResponse response = new TesterHttpServletResponse();
-
+ @Test(expected=ServletException.class)
+ public void testDoFilterSimpleAnyOriginAndSupportsCredentials() throws ServletException {
CorsFilter corsFilter = new CorsFilter();
- corsFilter.init(TesterFilterConfigs
- .getFilterConfigAnyOriginAndSupportsCredentials());
- corsFilter.doFilter(request, response, filterChain);
-
- Assert.assertTrue(response.getHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
- TesterFilterConfigs.HTTPS_WWW_APACHE_ORG));
- Assert.assertTrue(response.getHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS)
- .equals(
- "true"));
- Assert.assertTrue(((Boolean) request.getAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
- Assert.assertTrue(request.getAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN).equals(
- TesterFilterConfigs.HTTPS_WWW_APACHE_ORG));
- Assert.assertTrue(request.getAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE).equals(
- CorsFilter.CORSRequestType.SIMPLE.name().toLowerCase()));
+ corsFilter.init(TesterFilterConfigs.getFilterConfigAnyOriginAndSupportsCredentials());
}
/**
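Review bot: the rewritten javadoc reads "Tests the that supports credentials may not be enabled" (drop "the"). The replacement test only checks that init throws; since doFilter is never called, nothing now verifies that an explicit origin list combined with supportsCredentials still echoes the request Origin and adds Access-Control-Allow-Credentials, which the deleted assertions covered. Keep a positive counterpart using a config with a named origin.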
@@ -257,8 +228,7 @@ public class TestCorsFilter {
corsFilter.doFilter(request, response, filterChain);
Assert.assertTrue(response.getHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
- "https://www.apache.org"));
+ CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals("*"));
Assert.assertTrue(response.getHeader(
CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS)
.equals(TesterFilterConfigs.EXPOSED_HEADERS));
@@ -575,9 +545,8 @@ public class TestCorsFilter {
corsFilter.init(null);
corsFilter.doFilter(request, response, filterChain);
- Assert.assertTrue(response.getHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
- "https://www.apache.org"));
+ Assert.assertNull(response.getHeader(
+ CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN));
Assert.assertTrue(((Boolean) request.getAttribute(
CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
Assert.assertTrue(request.getAttribute(
@@ -1251,7 +1220,7 @@ public class TestCorsFilter {
Assert.assertTrue(corsFilter.getAllowedOrigins().size() == 0);
Assert.assertTrue(corsFilter.isAnyOriginAllowed());
Assert.assertTrue(corsFilter.getExposedHeaders().size() == 0);
- Assert.assertTrue(corsFilter.isSupportsCredentials());
+ Assert.assertFalse(corsFilter.isSupportsCredentials());
Assert.assertTrue(corsFilter.getPreflightMaxAge() == 1800);
}
@@ -1287,9 +1256,9 @@ public class TestCorsFilter {
Assert.assertTrue(corsFilter.getAllowedHttpHeaders().size() == 6);
Assert.assertTrue(corsFilter.getAllowedHttpMethods().size() == 4);
Assert.assertTrue(corsFilter.getAllowedOrigins().size() == 0);
- Assert.assertTrue(corsFilter.isAnyOriginAllowed());
+ Assert.assertFalse(corsFilter.isAnyOriginAllowed());
Assert.assertTrue(corsFilter.getExposedHeaders().size() == 0);
- Assert.assertTrue(corsFilter.isSupportsCredentials());
+ Assert.assertFalse(corsFilter.isSupportsCredentials());
Assert.assertTrue(corsFilter.getPreflightMaxAge() == 1800);
}
@@ -1393,8 +1362,7 @@ public class TestCorsFilter {
corsFilter.doFilter(request, response, filterChain);
Assert.assertTrue(response.getHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals(
- "https://www.apache.org"));
+ CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN).equals("*"));
Assert.assertNull(request
.getAttribute(CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST));
Assert.assertNull(request
Index: tomcat8-8.0.14/test/org/apache/catalina/filters/TesterFilterConfigs.java
===================================================================
--- tomcat8-8.0.14.orig/test/org/apache/catalina/filters/TesterFilterConfigs.java
+++ tomcat8-8.0.14/test/org/apache/catalina/filters/TesterFilterConfigs.java
@@ -34,12 +34,13 @@ public class TesterFilterConfigs {
public static final TesterServletContext mockServletContext =
new TesterServletContext();
+ // Default config for the test is to allow any origin
public static FilterConfig getDefaultFilterConfig() {
final String allowedHttpHeaders =
CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
final String allowedHttpMethods =
CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS;
- final String allowedOrigins = CorsFilter.DEFAULT_ALLOWED_ORIGINS;
+ final String allowedOrigins = ANY_ORIGIN;
final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
final String supportCredentials =
CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS;
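Review bot: with allowedOrigins switched from CorsFilter.DEFAULT_ALLOWED_ORIGINS to ANY_ORIGIN, getDefaultFilterConfig() no longer represents the filter's shipped defaults, and the added comment "Default config for the test is to allow any origin" documents the mismatch rather than resolving it. Either rename the fixture (for example getAnyOriginFilterConfig) or add a second fixture that passes the real defaults, so that the `corsFilter.init(null)` case is not the only place the shipped defaults are exercised.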
@@ -57,7 +58,7 @@ public class TesterFilterConfigs {
CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
final String allowedHttpMethods =
CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS + ",PUT";
- final String allowedOrigins = CorsFilter.DEFAULT_ALLOWED_ORIGINS;
+ final String allowedOrigins = ANY_ORIGIN;
final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
final String supportCredentials = "true";
final String preflightMaxAge =
@@ -75,7 +76,7 @@ public class TesterFilterConfigs {
CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
final String allowedHttpMethods =
CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS + ",PUT";
- final String allowedOrigins = CorsFilter.DEFAULT_ALLOWED_ORIGINS;
+ final String allowedOrigins = ANY_ORIGIN;
final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
final String supportCredentials = "false";
final String preflightMaxAge =
@@ -111,7 +112,7 @@ public class TesterFilterConfigs {
CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
final String allowedHttpMethods =
CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS;
- final String allowedOrigins = CorsFilter.DEFAULT_ALLOWED_ORIGINS;
+ final String allowedOrigins = ANY_ORIGIN;
final String exposedHeaders = EXPOSED_HEADERS;
final String supportCredentials =
CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS;
@@ -220,7 +221,7 @@ public class TesterFilterConfigs {
CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
final String allowedHttpMethods =
CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS;
- final String allowedOrigins = CorsFilter.DEFAULT_ALLOWED_ORIGINS;
+ final String allowedOrigins = ANY_ORIGIN;
final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
final String supportCredentials =
CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS;
Index: tomcat8-8.0.14/java/org/apache/catalina/filters/CorsFilter.java
===================================================================
--- tomcat8-8.0.14.orig/java/org/apache/catalina/filters/CorsFilter.java
+++ tomcat8-8.0.14/java/org/apache/catalina/filters/CorsFilter.java
@@ -261,17 +261,14 @@ public final class CorsFilter implements
// Section 6.1.3
// Add a single Access-Control-Allow-Origin header.
- if (anyOriginAllowed && !supportsCredentials) {
- // If resource doesn't support credentials and if any origin is
- // allowed
- // to make CORS request, return header with '*'.
+ if (anyOriginAllowed) {
+ // If any origin is allowed, return header with '*'.
response.addHeader(
CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
"*");
} else {
- // If the resource supports credentials add a single
- // Access-Control-Allow-Origin header, with the value of the Origin
- // header as value.
+ // Add a single Access-Control-Allow-Origin header, with the value
+ // of the Origin header as value.
response.addHeader(
CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
origin);
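Review bot: dropping `!supportsCredentials` from the condition is correct only because init now rejects anyOriginAllowed together with supportsCredentials; add a one-line comment here pointing at that check, because a later edit that relaxes init would silently bring back the echoed-Origin-plus-credentials response this CVE is about. The else branch now echoes `origin` for both the credentialed and non-credentialed case, which is fine provided `origin` has already been validated against allowedOrigins before this section is reached.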
@@ -754,6 +751,10 @@ public final class CorsFilter implements
.parseBoolean(supportsCredentials);
}
+ if (this.supportsCredentials && this.anyOriginAllowed) {
+ throw new ServletException(sm.getString("corsFilter.invalidSupportsCredentials"));
+ }
+
if (preflightMaxAge != null) {
try {
if (!preflightMaxAge.isEmpty()) {
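Review bot: the new check reads both this.supportsCredentials and this.anyOriginAllowed, but the hunk only shows supportsCredentials being parsed just above it; confirm that allowedOrigins is parsed earlier in init, otherwise anyOriginAllowed still holds its field default when compared and the check passes a config it should reject. The message key corsFilter.invalidSupportsCredentials matches the LocalStrings entry added in this patch.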
@@ -1091,7 +1092,7 @@ public final class CorsFilter implements
/**
* By default, all origins are allowed to make requests.
*/
- public static final String DEFAULT_ALLOWED_ORIGINS = "*";
+ public static final String DEFAULT_ALLOWED_ORIGINS = "";
/**
* By default, following methods are supported: GET, POST, HEAD and OPTIONS.
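Review bot: the javadoc immediately above DEFAULT_ALLOWED_ORIGINS still says "By default, all origins are allowed to make requests", which the new empty default contradicts; update it to say that no origin is allowed until allowedOrigins is configured.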
@@ -1107,7 +1108,7 @@ public final class CorsFilter implements
/**
* By default, support credentials is turned on.
*/
- public static final String DEFAULT_SUPPORTS_CREDENTIALS = "true";
+ public static final String DEFAULT_SUPPORTS_CREDENTIALS = "false";
/**
* By default, following headers are supported:
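Review bot: same stale javadoc here: "By default, support credentials is turned on" no longer describes DEFAULT_SUPPORTS_CREDENTIALS = "false"; change it to "turned off".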
Index: tomcat8-8.0.14/java/org/apache/catalina/filters/LocalStrings.properties
===================================================================
--- tomcat8-8.0.14.orig/java/org/apache/catalina/filters/LocalStrings.properties
+++ tomcat8-8.0.14/java/org/apache/catalina/filters/LocalStrings.properties
@@ -14,6 +14,8 @@
# limitations under the License.
addDefaultCharset.unsupportedCharset=Specified character set [{0}] is not supported
+
+corsFilter.invalidSupportsCredentials=It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*]
corsFilter.invalidPreflightMaxAge=Unable to parse preflightMaxAge
corsFilter.nullRequest=HttpServletRequest object is null
corsFilter.nullRequestType=CORSRequestType object is null
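As an added illustration of the CorsFilter changes above (not the project's code; `CorsPolicy`, its constructor and the `responseHeaders` helper are invented here), this standalone Java class enforces the same rule the patch adds to init, rejecting supportsCredentials together with an any-origin allow-list, and derives the Access-Control-Allow-Origin value the way the section 6.1.3 hunk does: "*" only when any origin is allowed, otherwise the request's own Origin. The origin value is the one the test hunks use.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration (not Tomcat's CorsFilter): the allowed-origin / credentials
 * combination the CVE-2018-8014 fix enforces at init, and the Access-Control-*
 * response headers that follow from a given configuration.
 */
public final class CorsPolicy {
    private final boolean anyOriginAllowed;
    private final Set<String> allowedOrigins;
    private final boolean supportsCredentials;

    /** allowedOriginsParam mirrors the filter's init parameter: "*" or a comma list. */
    CorsPolicy(String allowedOriginsParam, boolean supportsCredentials) {
        this.anyOriginAllowed = "*".equals(allowedOriginsParam);
        Set<String> origins = new HashSet<>();
        if (!anyOriginAllowed && !allowedOriginsParam.isEmpty()) {
            for (String o : allowedOriginsParam.split(",")) {
                origins.add(o.trim());
            }
        }
        this.allowedOrigins = Collections.unmodifiableSet(origins);
        this.supportsCredentials = supportsCredentials;
        // The init-time check the patch adds: echoing an arbitrary Origin back together
        // with Allow-Credentials would let any site read authenticated responses.
        if (supportsCredentials && anyOriginAllowed) {
            throw new IllegalStateException(
                "supportsCredentials=true is not allowed with allowedOrigins=*");
        }
    }

    boolean isOriginAllowed(String origin) {
        return anyOriginAllowed || allowedOrigins.contains(origin);
    }

    /** CORS response headers for a request carrying the given Origin; empty if not allowed. */
    Map<String, String> responseHeaders(String origin) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (!isOriginAllowed(origin)) {
            return headers;
        }
        // "*" only when any origin is allowed (and therefore no credentials);
        // otherwise echo the validated Origin, as the patched section 6.1.3 does.
        headers.put("Access-Control-Allow-Origin", anyOriginAllowed ? "*" : origin);
        if (supportsCredentials) {
            headers.put("Access-Control-Allow-Credentials", "true");
        }
        return headers;
    }

    public static void main(String[] args) {
        String origin = "https://www.apache.org";  // origin value used by the test hunks

        // Hardened defaults: no origins, no credentials -> no CORS headers at all.
        System.out.println(new CorsPolicy("", false).responseHeaders(origin));

        // Explicit allow-list with credentials: the origin is echoed, never "*".
        System.out.println(new CorsPolicy("https://www.apache.org", true).responseHeaders(origin));

        // The pre-fix defaults ("*" with credentials) are now rejected at init.
        try {
            new CorsPolicy("*", true);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second case is the one worth keeping a positive test for after this patch: a named origin plus credentials remains a legitimate configuration, and the filter must still echo that origin and set Access-Control-Allow-Credentials for it.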
From: Mark Thomas <markt@apache.org>
Date: Mon, 11 Mar 2019 11:33:03 +0000
Subject: [PATCH] Escape debug output to aid readability
Origin: https://github.com/apache/tomcat/commit/4fcdf70
Bug-Debian: https://bugs.debian.org/929895
Last-Update: 2019-08-13
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Index: tomcat8-8.0.14/java/org/apache/catalina/ssi/SSIPrintenv.java
===================================================================
--- tomcat8-8.0.14.orig/java/org/apache/catalina/ssi/SSIPrintenv.java
+++ tomcat8-8.0.14/java/org/apache/catalina/ssi/SSIPrintenv.java
@@ -44,7 +44,7 @@ public class SSIPrintenv implements SSIC
while (iter.hasNext()) {
String variableName = iter.next();
String variableValue = ssiMediator
- .getVariableValue(variableName);
+ .getVariableValue(variableName, "entity");
//This shouldn't happen, since all the variable names must
// have values
if (variableValue == null) {
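Review bot: only the value passes through getVariableValue(variableName, "entity"); the variable name written alongside it comes from code outside this hunk, so confirm it is either drawn from a fixed set or escaped the same way before treating the fix as complete. The patch header's Subject ("Escape debug output to aid readability") does not identify this as the CVE-2019-0221 fix; add the CVE id to the header so the series stays auditable against the changelog.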
......@@ -45,3 +45,7 @@ CVE-2018-1305_2_of_2.patch
CVE-2018-1336.patch
CVE-2018-8034.patch
CVE-2018-11784.patch
0021-client-certificate-dn.patch
CVE-2019-0221.patch
CVE-2018-8014.patch
CVE-2016-5388.patch
......@@ -80,9 +80,11 @@ clean:
rm -f build-stamp modules/jdbc-pool/output/resources/MANIFEST.MF
rm -f debian/tomcat8.postrm
mv -f test/org/apache/tomcat/util/net/localhost-cert.pem~ test/org/apache/tomcat/util/net/localhost-cert.pem 2>/dev/null || true
mv -f test/org/apache/tomcat/util/net/localhost-key.pem~ test/org/apache/tomcat/util/net/localhost-key.pem 2>/dev/null || true
mv -f test/org/apache/tomcat/util/net/localhost-copy1.jks~ test/org/apache/tomcat/util/net/localhost-copy1.jks 2>/dev/null || true
mv -f test/org/apache/tomcat/util/net/localhost.jks~ test/org/apache/tomcat/util/net/localhost.jks 2>/dev/null || true
mv -f test/org/apache/tomcat/util/net/user1.jks~ test/org/apache/tomcat/util/net/user1.jks 2>/dev/null || true
mv -f test/org/apache/tomcat/util/net/ca.jks~ test/org/apache/tomcat/util/net/ca.jks 2>/dev/null || true
dh_clean
mh_clean
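Review bot: each `mv -f ...~ ... 2>/dev/null || true` line restores a backup made earlier in the build, and when the backup is absent (build aborted before the copy step, or a fresh checkout) the failure is swallowed and clean leaves whatever is currently in test/org/apache/tomcat/util/net in place, which is exactly how stale test certificates go unnoticed. Consider a single loop over the six file names and, when a backup is missing but the target differs from the pristine file, printing a warning instead of silently continuing.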
......
debian/certificates/localhost.jks
debian/certificates/user1.jks
debian/certificates/localhost-copy1.jks
debian/certificates/ca.jks