This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat8.
commit d62e614e2dcc4ccdcf956ae1f4757052ac461563 Author: Emmanuel Bourg <[email protected]> Date: Sat Nov 12 02:12:00 2016 +0100 Fixed CVE-2016-0762: Timing Attack --- debian/changelog | 3 +++ debian/patches/CVE-2016-0762.patch | 28 ++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 32 insertions(+) diff --git a/debian/changelog b/debian/changelog index 516e5cd..c2bef91 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,8 @@ tomcat8 (8.0.14-1+deb8u4) UNRELEASED; urgency=medium + * Fixed CVE-2016-0762: The Realm implementations did not process the supplied + password if the supplied user name did not exist. This made a timing attack + possible to determine valid user names. * Fixed CVE-2016-5018: A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. diff --git a/debian/patches/CVE-2016-0762.patch b/debian/patches/CVE-2016-0762.patch new file mode 100644 index 0000000..be1ef27 --- /dev/null +++ b/debian/patches/CVE-2016-0762.patch 
@@ -0,0 +1,28 @@ +Description: Fixes CVE-2016-0762: The Realm implementations did not process + the supplied password if the supplied user name did not exist. This made + a timing attack possible to determine valid user names. +Origin: backport, https://svn.apache.org/r1758502 +--- a/java/org/apache/catalina/realm/MemoryRealm.java ++++ b/java/org/apache/catalina/realm/MemoryRealm.java +@@ -115,6 +115,9 @@ + + boolean validated; + if (principal == null) { ++ // User was not found in the database ++ // Waste a bit of time as not to reveal that the user does not exist. ++ compareCredentials(credentials, getClass().getName()); + validated = false; + } else { + validated = compareCredentials(credentials, principal.getPassword()); +--- a/java/org/apache/catalina/realm/RealmBase.java ++++ b/java/org/apache/catalina/realm/RealmBase.java +@@ -500,6 +500,9 @@ + String serverCredentials) { + + if (serverCredentials == null) { ++ // User was not found ++ // Waste a bit of time as not to reveal that the user does not exist. ++ compareCredentials(userCredentials, getClass().getName()); + return false; + } + diff --git a/debian/patches/series b/debian/patches/series index 790d923..e68070d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -19,6 +19,7 @@ CVE-2015-5346.patch CVE-2015-5351.patch CVE-2016-0706.patch CVE-2016-0714.patch +CVE-2016-0762.patch CVE-2016-0763.patch CVE-2016-3092.patch CVE-2016-5018.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
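Review bot: In the MemoryRealm hunk, the stand-in server credential passed to compareCredentials() when principal == null is getClass().getName(), a plain class-name string rather than a value shaped like the stored credentials this realm is configured with; if compareCredentials() takes a different or cheaper path for a value that does not look like a stored credential, the dummy call will not fully equalize the timing of the two branches, so please verify it exercises the same comparison path and add a comment saying why the class name is a safe, non-secret placeholder. The new comment also reads "Waste a bit of time as not to reveal"; "so as not to reveal" is the intended phrasing.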
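Review bot: The RealmBase hunk duplicates the same dummy compareCredentials(userCredentials, getClass().getName()) call and comment as the MemoryRealm hunk; factoring it into one protected helper in RealmBase would keep the timing equalization in a single place and make it easier to confirm that every Realm which short-circuits on a missing user gets the same treatment. Since the Origin header records this as a backport of r1758502, please also confirm that the upstream change did not modify any Realm implementation beyond MemoryRealm and RealmBase that this backport omits.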

