Markus Koschany pushed to branch buster at Debian Java Maintainers / tomcat9
Commits: d654582d by Markus Koschany at 2021-09-25T22:17:00+02:00 Fix CVE-2021-41079 - - - - - 3cb22204 by Markus Koschany at 2021-09-25T22:18:05+02:00 Update changelog - - - - - 3 changed files: - debian/changelog - + debian/patches/CVE-2021-41079.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,19 @@ +tomcat9 (9.0.31-1~deb10u6) buster-security; urgency=high + + * Team upload. + * CVE-2021-30640: Fix NullPointerException. + If no userRoleAttribute is specified in the user's Realm configuration its + default value will be null. This will cause a NPE in the methods + doFilterEscaping and doAttributeValueEscaping. This is upstream bug + https://bz.apache.org/bugzilla/show_bug.cgi?id=65308 + * Fix CVE-2021-41079: + Apache Tomcat did not properly validate incoming TLS packets. When Tomcat + was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially + crafted packet could be used to trigger an infinite loop resulting in a + denial of service. + + -- Markus Koschany <[email protected]> Sat, 25 Sep 2021 22:17:13 +0200 + tomcat9 (9.0.31-1~deb10u5) buster-security; urgency=high * Team upload. ===================================== debian/patches/CVE-2021-41079.patch ===================================== @@ -0,0 +1,55 @@ +From: Markus Koschany <[email protected]> +Date: Sat, 25 Sep 2021 22:14:23 +0200 +Subject: CVE-2021-41079 + +Origin: https://github.com/apache/tomcat/commit/d4b340fa8feaf55831f9a59350578f7b6ca048b8 +--- + java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 + + java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 6 ++++-- + webapps/docs/changelog.xml | 4 ++++ + 3 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties +index 2b5e31f..c757295 100644 +--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties ++++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties +@@ -17,6 +17,7 @@ engine.ciphersFailure=Failed getting cipher list + engine.emptyCipherSuite=Empty cipher suite + engine.engineClosed=Engine is closed + engine.failedCipherSuite=Failed to enable cipher suite [{0}] ++engine.failedToReadAvailableBytes=There are plain text bytes available to read but no bytes were read + engine.inboundClose=Inbound closed before receiving peer's close_notify + engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <= offset + length <= srcs.length [{2}]) + engine.noSSLContext=No SSL context +diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java +index ede30a8..22f412c 100644 +--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java ++++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java +@@ -586,8 +586,10 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn + throw new SSLException(e); + } + +- if (bytesRead == 0) { +- break; ++ if (bytesRead <= 0) { ++ // This should not be possible. pendingApp is positive ++ // therefore the read should have read at least one byte. ++ throw new IllegalStateException(sm.getString("engine.failedToReadAvailableBytes")); + } + + bytesProduced += bytesRead; +diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml +index 436c92b..9c45802 100644 +--- a/webapps/docs/changelog.xml ++++ b/webapps/docs/changelog.xml +@@ -226,6 +226,10 @@ + <bug>64043</bug>: Ensure that session ID changes are replicated during + form-authentication. (kfujino) + </fix> ++ <fix> ++ Make handling of OpenSSL read errors more robust when plain text data is ++ reported to be available to read. (markt) ++ </fix> + </changelog> + </subsection> + <subsection name="Web applications"> ===================================== debian/patches/series ===================================== @@ -23,3 +23,4 @@ CVE-2021-25122.patch CVE-2021-25329.patch CVE-2021-30640.patch CVE-2021-33037.patch +CVE-2021-41079.patch View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/c6ee4323957e6171451affc7c2927d168677bb3f...3cb22204fbe0a69f1466ecf43dc3a8563660f094 -- View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/c6ee4323957e6171451affc7c2927d168677bb3f...3cb22204fbe0a69f1466ecf43dc3a8563660f094 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ pkg-java-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-commits
