Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2020-10-14 15:40:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and      /work/SRC/openSUSE:Factory/.tomcat.new.3486 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tomcat"

Wed Oct 14 15:40:15 2020 rev:72 rq:841719 version:9.0.36

Changes:
--------
--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes    2020-08-29 
20:34:12.337259586 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.3486/tomcat.changes  2020-10-14 
15:41:03.382401462 +0200
@@ -1,0 +2,9 @@
+Tue Oct 13 11:23:32 UTC 2020 - Matei Albu <ma...@suse.com>
+
+- Fix CVE-2020-13943 (bsc#1177582)
+- Added patch: 
+  * tomcat-9.0-CVE-2020-13943.patch
+- Change /usr/lib/tomcat to /usr/libexec/tomcat in startup
+  scripts (bsc#1177601)
+
+-------------------------------------------------------------------

New:
----
  tomcat-9.0-CVE-2020-13943.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tomcat.spec ++++++
--- /var/tmp/diff_new_pack.xsJgIu/_old  2020-10-14 15:41:04.946402008 +0200
+++ /var/tmp/diff_new_pack.xsJgIu/_new  2020-10-14 15:41:04.946402008 +0200
@@ -83,6 +83,7 @@
 Patch5:         tomcat-9.0.31-java8compat.patch
 # PATCH-FIX-OPENSUSE: set ajp connector secreteRequired to false by default to 
avoid tomcat not starting
 Patch6:         tomcat-9.0.31-secretRequired-default.patch
+Patch7:         tomcat-9.0-CVE-2020-13943.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
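Review bot: The new `+Patch7:         tomcat-9.0-CVE-2020-13943.patch` line carries no provenance comment, while Patch6 directly above it is tagged `# PATCH-FIX-OPENSUSE: ...`. The patch header later on this page shows it is an upstream commit (Mark Thomas, "Move check for current streams to end of header parsing"), so a line such as `# PATCH-FIX-UPSTREAM: CVE-2020-13943 bsc#1177582 -- move max-concurrent-streams check to end of HTTP/2 header parsing` above Patch7 would let the next packager trace the origin and drop the patch once a fixed upstream release is packaged. The same tag convention applies to the `%patch7 -p1` hunk below only through this declaration, so nothing further is needed there.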
@@ -262,6 +263,7 @@
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++++++ tomcat-9.0-CVE-2020-13943.patch ++++++
>From 55911430df13f8c9998fbdee1f9716994d2db59b Mon Sep 17 00:00:00 2001
From: Mark Thomas <ma...@apache.org>
Date: Thu, 23 Jul 2020 17:43:45 +0100
Subject: [PATCH] Move check for current streams to end of header parsing.

---
 java/org/apache/coyote/http2/Http2Parser.java |  2 +-
 .../coyote/http2/Http2UpgradeHandler.java     | 24 ++++++++++---------
 .../coyote/http2/TestHttp2Section_5_1.java    | 20 ++++++++++------
 3 files changed, 27 insertions(+), 19 deletions(-)

Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2Parser.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/Http2Parser.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2Parser.java
@@ -738,7 +738,7 @@ class Http2Parser {
         HeaderEmitter headersStart(int streamId, boolean headersEndStream)
                 throws Http2Exception, IOException;
         void headersContinue(int payloadSize, boolean endOfHeaders);
-        void headersEnd(int streamId) throws ConnectionException;
+        void headersEnd(int streamId) throws Http2Exception;
 
         // Priority frames (also headers)
         void reprioritise(int streamId, int parentStreamId, boolean exclusive, 
int weight)
Index: 
apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2UpgradeHandler.java
===================================================================
--- 
apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+++ 
apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2UpgradeHandler.java
@@ -1451,16 +1451,6 @@ class Http2UpgradeHandler extends Abstra
             stream.checkState(FrameType.HEADERS);
             stream.receivedStartOfHeaders(headersEndStream);
             closeIdleStreams(streamId);
-            if (localSettings.getMaxConcurrentStreams() < 
activeRemoteStreamCount.incrementAndGet()) {
-                
setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet());
-                // Ignoring maxConcurrentStreams increases the overhead count
-                increaseOverheadCount();
-                throw new 
StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams",
-                        
Long.toString(localSettings.getMaxConcurrentStreams())),
-                        Http2Error.REFUSED_STREAM, streamId);
-            }
-            // Valid new stream reduces the overhead count
-            reduceOverheadCount();
             return stream;
         } else {
             if (log.isDebugEnabled()) {
@@ -1528,12 +1518,24 @@ class Http2UpgradeHandler extends Abstra
 
 
     @Override
-    public void headersEnd(int streamId) throws ConnectionException {
+    public void headersEnd(int streamId) throws Http2Exception {
         Stream stream = getStream(streamId, 
connectionState.get().isNewStreamAllowed());
         if (stream != null) {
             setMaxProcessedStream(streamId);
             if (stream.isActive()) {
                 if (stream.receivedEndOfHeaders()) {
+
+                    if (localSettings.getMaxConcurrentStreams() < 
activeRemoteStreamCount.incrementAndGet()) {
+                        
setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet());
+                        // Ignoring maxConcurrentStreams increases the 
overhead count
+                        increaseOverheadCount();
+                        throw new 
StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams",
+                                
Long.toString(localSettings.getMaxConcurrentStreams())),
+                                Http2Error.REFUSED_STREAM, streamId);
+                    }
+                    // Valid new stream reduces the overhead count
+                    reduceOverheadCount();
+
                     processStreamOnContainerThread(stream);
                 }
             }
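Review bot: The relocated limit check in headersEnd now sits under both `stream.isActive()` and `stream.receivedEndOfHeaders()`, so `activeRemoteStreamCount` is incremented once per header block that completes on an active stream rather than once per stream created in headersStart (the block removed in the hunk at line 94). If `receivedEndOfHeaders()` can return true more than once for the same stream, e.g. for a trailing header block, that stream would be counted twice and `reduceOverheadCount()` would also run twice; its implementation is outside the hunk, so this needs confirming against Stream. A comment above the new `if`, such as `// Counted here rather than in headersStart so the whole header block is consumed before a stream is refused; relies on receivedEndOfHeaders() returning true at most once per stream`, would record the invariant the accounting depends on. The `if (stream != null)` branch and the method body continue past the end of the hunk.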
Index: 
apache-tomcat-9.0.36-src/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
===================================================================
--- 
apache-tomcat-9.0.36-src.orig/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
+++ 
apache-tomcat-9.0.36-src/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
@@ -222,11 +222,11 @@ public class TestHttp2Section_5_1 extend
         // Expecting
         // 1 * headers
         // 56k-1 of body (7 * ~8k)
-        // 1 * error (could be in any order)
-        for (int i = 0; i < 8; i++) {
+        // 1 * error
+        // for a total of 9 frames (could be in any order)
+        for (int i = 0; i < 9; i++) {
             parser.readFrame(true);
         }
-        parser.readFrame(true);
 
         Assert.assertTrue(output.getTrace(),
                 output.getTrace().contains("5-RST-[" +
@@ -238,14 +238,20 @@ public class TestHttp2Section_5_1 extend
 
         // Release the remaining body
         sendWindowUpdate(0, (1 << 31) - 2);
-        // Allow for the 8k still in the stream window
+        // Allow for the ~8k still in the stream window
         sendWindowUpdate(3, (1 << 31) - 8193);
 
-        // 192k of body (24 * 8k)
-        // 1 * error (could be in any order)
-        for (int i = 0; i < 24; i++) {
+        // Read until the end of stream 3
+        while (!output.getTrace().contains("3-EndOfStream")) {
             parser.readFrame(true);
         }
+        output.clearTrace();
+
+        // Confirm another request can be sent once concurrency falls back 
below limit
+        sendSimpleGetRequest(7);
+        parser.readFrame(true);
+        parser.readFrame(true);
+        Assert.assertEquals(getSimpleResponseTrace(7), output.getTrace());
     }
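Review bot: The new `while (!output.getTrace().contains("3-EndOfStream"))` loop has no upper bound, so if the end-of-stream flag for stream 3 never arrives the test hangs or waits for a harness timeout instead of failing with a message, whereas the `for` it replaces read a fixed 24 frames. Whether `parser.readFrame(true)` blocks or throws when no frame is available is not visible in the hunk, so the hang is a possibility rather than a certainty. A bounded loop keeps the intent and fails fast: declare `int frames = 0;` before the loop and add `Assert.assertTrue("No end of stream 3 after " + frames + " frames", frames++ < 64);` as its first statement, where 64 is a constructed example bound comfortably above the 24 frames the old loop expected. The enclosing test method's signature is outside the hunk; only its closing brace is visible here.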
 
 
++++++ tomcat-9.0-jsvc.service ++++++
--- /var/tmp/diff_new_pack.xsJgIu/_old  2020-10-14 15:41:05.014402032 +0200
+++ /var/tmp/diff_new_pack.xsJgIu/_new  2020-10-14 15:41:05.014402032 +0200
@@ -14,8 +14,8 @@
 Type=simple
 EnvironmentFile=/etc/tomcat/tomcat.conf
 Environment="NAME=" "USE_JSVC=true"
-ExecStart=/usr/lib/tomcat/server start
-ExecStop=/usr/lib/tomcat/server stop
+ExecStart=/usr/libexec/tomcat/server start
+ExecStop=/usr/libexec/tomcat/server stop
 
 [Install]
 WantedBy=multi-user.target

++++++ tomcat-9.0.service ++++++
--- /var/tmp/diff_new_pack.xsJgIu/_old  2020-10-14 15:41:05.106402064 +0200
+++ /var/tmp/diff_new_pack.xsJgIu/_new  2020-10-14 15:41:05.106402064 +0200
@@ -14,8 +14,8 @@
 EnvironmentFile=/etc/tomcat/tomcat.conf
 Environment="NAME="
 EnvironmentFile=-/etc/sysconfig/tomcat
-ExecStart=/usr/lib/tomcat/server start
-ExecStop=/usr/lib/tomcat/server stop
+ExecStart=/usr/libexec/tomcat/server start
+ExecStop=/usr/libexec/tomcat/server stop
 SuccessExitStatus=143
 User=tomcat
 Group=tomcat


++++++ tomcat-9.0.wrapper ++++++
--- /var/tmp/diff_new_pack.xsJgIu/_old  2020-10-14 15:41:05.130402073 +0200
+++ /var/tmp/diff_new_pack.xsJgIu/_new  2020-10-14 15:41:05.130402073 +0200
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 if [ "$1" = "version" ]; then
-  . /usr/lib/tomcat/preamble
+  . /usr/libexec/tomcat/preamble
   exec ${JAVACMD} -classpath ${CATALINA_HOME}/lib/catalina.jar \
     org.apache.catalina.util.ServerInfo
 fi

++++++ tomcat-named.service ++++++
--- /var/tmp/diff_new_pack.xsJgIu/_old  2020-10-14 15:41:05.166402085 +0200
+++ /var/tmp/diff_new_pack.xsJgIu/_new  2020-10-14 15:41:05.166402085 +0200
@@ -15,8 +15,8 @@
 EnvironmentFile=/etc/tomcat/tomcat.conf
 Environment="NAME=%I"
 EnvironmentFile=-/etc/sysconfig/tomcat@%I
-ExecStart=/usr/lib/tomcat/server start
-ExecStop=/usr/lib/tomcat/server stop
+ExecStart=/usr/libexec/tomcat/server start
+ExecStop=/usr/libexec/tomcat/server stop
 SuccessExitStatus=143
 User=tomcat
 Group=tomcat

++++++ tomcat-preamble ++++++
--- /var/tmp/diff_new_pack.xsJgIu/_old  2020-10-14 15:41:05.186402092 +0200
+++ /var/tmp/diff_new_pack.xsJgIu/_new  2020-10-14 15:41:05.186402092 +0200
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-. /usr/lib/tomcat/functions
+. /usr/libexec/tomcat/functions
 
 # Get the tomcat config (use this for environment specific settings)
 

++++++ tomcat-server ++++++
--- /var/tmp/diff_new_pack.xsJgIu/_old  2020-10-14 15:41:05.218402104 +0200
+++ /var/tmp/diff_new_pack.xsJgIu/_new  2020-10-14 15:41:05.222402105 +0200
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-. /usr/lib/tomcat/preamble
+. /usr/libexec/tomcat/preamble
 
 MAIN_CLASS=org.apache.catalina.startup.Bootstrap
 

