Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tomcat for openSUSE:Factory checked in at 2022-02-22 21:18:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat (Old) and /work/SRC/openSUSE:Factory/.tomcat.new.1958 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat"
Tue Feb 22 21:18:24 2022 rev:81 rq:956682 version:9.0.43
Changes:
--------
--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes 2022-01-14 23:14:32.422682064 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1958/tomcat.changes 2022-02-22 21:19:03.918295867 +0100
@@ -1,0 +2,8 @@
+Fri Jan 28 14:01:40 UTC 2022 - Michele Bussolotto <michele.bussolo...@suse.com>
+
+- Fixed CVEs:
+ * CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255)
+- Added patches:
+ * tomcat-9.0-CVE-2022-23181.patch
+
+-------------------------------------------------------------------
New:
----
tomcat-9.0-CVE-2022-23181.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tomcat.spec ++++++
--- /var/tmp/diff_new_pack.V3k3Jj/_old 2022-02-22 21:19:04.834296036 +0100
+++ /var/tmp/diff_new_pack.V3k3Jj/_new 2022-02-22 21:19:04.834296036 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -87,6 +87,7 @@
 Patch8: tomcat-9.0-CVE-2021-33037.patch
 Patch9: tomcat-9.0-CVE-2021-30640.patch
 Patch10: tomcat-9.0-NPE-JNDIRealm.patch
+Patch11: tomcat-9.0-CVE-2022-23181.patch
 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
@@ -265,6 +266,7 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
++++++ tomcat-9.0-CVE-2022-23181.patch ++++++
>From 1385c624b4a1e994426e810075c850edc38a700e Mon Sep 17 00:00:00 2001
From: Mark Thomas <ma...@apache.org>
Date: Wed, 12 Jan 2022 11:11:29 +0000
Subject: [PATCH] Make calculation of session storage location more robust
---
 java/org/apache/catalina/session/FileStore.java | 5 +++--
 webapps/docs/changelog.xml | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)
Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/session/FileStore.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
@@ -349,13 +349,14 @@ public final class FileStore extends Sto
 String filename = id + FILE_EXT;
 File file = new File(storageDir, filename);
+File canonicalFile = file.getCanonicalFile();
 // Check the file is within the storage directory
-if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+if (!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
 log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
 return null;
 }
-return file;
+return canonicalFile;
 }
 }
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -118,6 +118,10 @@
 Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt)
 </scode>
+<fix>
+Make the calculation of the session storage location more robust when
+using file based persistent storage. (markt)
+</fix>
 </changelog>
 </subsection>
 <subsection name="Coyote">
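Review bot: Returning `canonicalFile` removes the mismatch between the path that was checked and the path that was used, but the path is resolved once at `file.getCanonicalFile()` and is re-walked by whatever later opens the returned File (outside this hunk), so a symlink placed beneath storageDir after this point would presumably still be followed — the race window is narrowed, not closed, and the storage directory's permissions remain the real boundary. That limitation is worth stating on the new line, e.g. `// Return the canonical path so later opens use the target resolved here; a symlink swapped in afterwards is still followed — storageDir permissions are the actual control`. As cheap defence in depth, `id` could be rejected before the filesystem is touched when it contains a path separator or `..`, since a legitimate session id never does and the `startsWith` check then only has to catch symlink tricks; whether ids reach this method unvalidated cannot be confirmed from the hunk. The enclosing method's signature begins before the hunk.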