Bug#851304: Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-20 Thread Markus Koschany
On 20.02.2017 17:45, Salvatore Bonaccorso wrote:
[...]
> Sorry for the delay (due to various circumstances). The fix looks sane
> to me. Assuming the fix could have been tested as well, please do
> upload to security-master.
> 

Hi,

no problem. I have just uploaded both packages to security-master.

Cheers,

Markus




__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#851304: Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-20 Thread Salvatore Bonaccorso
Hi Markus,

On Sat, Feb 18, 2017 at 07:53:33PM +0100, Markus Koschany wrote:
> On 18.02.2017 13:21, Salvatore Bonaccorso wrote:
> [...]
> > No problem. Thanks for noticing, can you let us know as usual when you
> > have a debdiff ready for the regression update?
> > 
> > I tend to see this as regression update for the previous DSA, so no
> > need for a new CVE id. But let me know if someone thinks otherwise and
> > I can follow up with MITRE.
> > 
> > Thanks for your continuous work,
> 
> I agree this is a regression update. Please find attached the debdiffs
> for Tomcat 7 and Tomcat 8.

Sorry for the delay (due to various circumstances). The fix looks sane
to me. Assuming the fix could have been tested as well, please do
upload to security-master.

Regards and thanks for your work,
Salvatore



Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-18 Thread Markus Koschany
On 18.02.2017 13:21, Salvatore Bonaccorso wrote:
[...]
> No problem. Thanks for noticing, can you let us know as usual when you
> have a debdiff ready for the regression update?
> 
> I tend to see this as regression update for the previous DSA, so no
> need for a new CVE id. But let me know if someone thinks otherwise and
> I can follow up with MITRE.
> 
> Thanks for your continuous work,

I agree this is a regression update. Please find attached the debdiffs
for Tomcat 7 and Tomcat 8.

Regards,

Markus

diff -Nru tomcat7-7.0.56/debian/changelog tomcat7-7.0.56/debian/changelog
--- tomcat7-7.0.56/debian/changelog 2017-02-13 10:16:57.0 +0100
+++ tomcat7-7.0.56/debian/changelog 2017-02-18 19:16:13.0 +0100
@@ -1,3 +1,12 @@
+tomcat7 (7.0.56-3+deb8u9) jessie-security; urgency=high
+
+  * Team upload.
+  * Add BZ57544-infinite-loop-part2.patch.
+Fix regression due to an incomplete fix for CVE-2017-6056.
+See #854551 for further information.
+
+ -- Markus Koschany   Sat, 18 Feb 2017 19:16:13 +0100
+
 tomcat7 (7.0.56-3+deb8u8) jessie-security; urgency=high
 
   * Team upload.
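Review bot: The new tomcat7 entry says only "Fix regression due to an incomplete fix for CVE-2017-6056" and leaves out the symptom, while the patch header and the tomcat8 entry in this same set of debdiffs both name it (400 HTTP errors). Suggest wording it the same way here, e.g. "Fix regression (400 HTTP errors) due to an incomplete fix for CVE-2017-6056", so that an administrator reading the changelog can match the update to what shows up in their access logs.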
diff -Nru tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch 
tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch
--- tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch 
1970-01-01 01:00:00.0 +0100
+++ tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch 
2017-02-18 19:16:13.0 +0100
@@ -0,0 +1,29 @@
+From: Markus Koschany 
+Date: Sat, 18 Feb 2017 19:15:02 +0100
+Subject: BZ57544-infinite-loop-part2
+
+Fix 400 HTTP errors due to an incomplete fix for CVE-2017-6056.
+
+Bug-Debian: https://bugs.debian.org/854551
+Origin: 
https://github.com/apache/tomcat80/commit/534d62075f8c03cc3e77f301e53be53acdefd1c9
+---
+ java/org/apache/coyote/http11/AbstractInputBuffer.java | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java 
b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index a1251d6..ac56de1 100644
+--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java
 b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -227,9 +227,10 @@ public abstract class AbstractInputBuffer implements 
InputBuffer{
+ // Copy leftover bytes to the beginning of the buffer
+ if (lastValid - pos > 0 && pos > 0) {
+ System.arraycopy(buf, pos, buf, 0, lastValid - pos);
+-lastValid = lastValid - pos;
+-pos = 0;
+ }
++// Always reset pos to zero
++lastValid = lastValid - pos;
++pos = 0;
+ 
+ // Recycle filters
+ for (int i = 0; i <= lastActiveFilter; i++) {
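Review bot: The added comment "// Always reset pos to zero" in the embedded AbstractInputBuffer.java hunk understates the change: lastValid is now recomputed unconditionally as well, and the case whose behaviour changes is pos > 0 with lastValid - pos not greater than zero (no leftover bytes after the previous request), which the old condition "lastValid - pos > 0 && pos > 0" skipped. Suggest naming that case in the comment so the reason for moving the two assignments out of the if block is clear to the next person touching it. Separately, this is the tomcat7 package but the Origin field points at a tomcat80 commit; marking it as a backport in that field would make the provenance explicit.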
diff -Nru tomcat7-7.0.56/debian/patches/series 
tomcat7-7.0.56/debian/patches/series
--- tomcat7-7.0.56/debian/patches/series2017-02-13 10:16:57.0 
+0100
+++ tomcat7-7.0.56/debian/patches/series2017-02-18 19:16:13.0 
+0100
@@ -39,3 +39,4 @@
 CVE-2016-8735.patch
 CVE-2016-8745.patch
 BZ57544-infinite-loop.patch
+BZ57544-infinite-loop-part2.patch
diff -Nru tomcat8-8.0.14/debian/changelog tomcat8-8.0.14/debian/changelog
--- tomcat8-8.0.14/debian/changelog 2017-02-13 09:34:43.0 +
+++ tomcat8-8.0.14/debian/changelog 2017-02-18 17:44:25.0 +
@@ -1,3 +1,12 @@
+tomcat8 (8.0.14-1+deb8u8) jessie-security; urgency=high
+
+  * Team upload.
+  * Add BZ57544-infinite-loop-part2.patch.
+Fix regression (400 HTTP errors) due to an incomplete fix for
+CVE-2017-6056. See #854551 for further information.
+
+ -- Markus Koschany   Sat, 18 Feb 2017 18:44:25 +0100
+
 tomcat8 (8.0.14-1+deb8u7) jessie-security; urgency=high
 
   * Team upload.
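Review bot: The entry refers to the bug only as "See #854551", which the bug tracking system does not act on. If this upload is meant to close that report, suggest "(Closes: #854551)" on the changelog item so the bug is closed with the fixed version recorded; the same applies to the tomcat7 entry.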
diff -Nru tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch 
tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch
--- tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch 
1970-01-01 00:00:00.0 +
+++ tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch 
2017-02-18 17:44:25.0 +
@@ -0,0 +1,29 @@
+From: Markus Koschany 
+Date: Sat, 18 Feb 2017 18:39:09 +0100
+Subject: BZ57544-infinite-loop-part2
+
+Fix 400 HTTP errors due to an incomplete fix for CVE-2017-6056.
+
+Bug-Debian: https://bugs.debian.org/854551
+Origin: 
https://github.com/apache/tomcat80/commit/534d62075f8c03cc3e77f301e53be53acdefd1c9
+---
+ java/org/apache/coyote/http11/AbstractInputBuffer.java | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java 
b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index 2aef369..1fbeb27 100644
+--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java
 b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -237,9 +237,10 @@ public abstract class AbstractInputBuffer implements 
InputBuffer{
+ // Copy leftover bytes to the beginning of the buffer
+ if (lastValid - 

Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-17 Thread Salvatore Bonaccorso
Hi Markus, hi Emmanuel,

On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
> > On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> >> Hi,
> >>
> >> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> >> the issue is related to our latest security updates. We would like to
> >> address this regression as soon as possible because this one can be
> >> triggered remotely and cause a denial-of-service.
> >>
> >> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> >> will update the changelogs later.
> > 
> > Thanks, please upload.
> 
> Thanks. Uploaded.

Btw, I requested a CVE for this issue and it got assigned
CVE-2017-6056.

Regards,
Salvatore



Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-13 Thread Markus Koschany
On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
>> the issue is related to our latest security updates. We would like to
>> address this regression as soon as possible because this one can be
>> triggered remotely and cause a denial-of-service.
>>
>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
>> will update the changelogs later.
> 
> Thanks, please upload.

Thanks. Uploaded.





Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-12 Thread Moritz Mühlenhoff
On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> Hi,
> 
> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> the issue is related to our latest security updates. We would like to
> address this regression as soon as possible because this one can be
> triggered remotely and cause a denial-of-service.
> 
> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> will update the changelogs later.

Thanks, please upload.

Cheers,
Moritz
