Author: markt Date: Wed Nov 18 13:32:25 2009 New Revision: 881771 URL: http://svn.apache.org/viewvc?rev=881771&view=rev Log: Fix CVE-2009-3548 When installing using defaults, don't create an administrative user with a blank password Note: This is already public - it was discussed on the users list. The formal announcement will go out shortly. The patch also includes making the Manager and Host-Manager applications separately selectable with the addition of an administrative user only enabled if one of the manager apps is selected
Modified: tomcat/tc6.0.x/trunk/ (props changed) tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/res/tomcat.nsi tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc6.0.x/trunk/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Wed Nov 18 13:32:25 2009 @@ -1 +1 @@ -/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770809,770876,772872,77 6921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,815972,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,831106,831774,831785,831828,831850,831860,832218,833121,833545,835036,835336 +/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770809,770876,772872,77 6921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,815972,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,831106,831774,831785,831828,831850,831860,832218,833121,833545,834047,835036,835336 Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=881771&r1=881770&r2=881771&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Nov 18 13:32:25 2009 @@ -358,23 +358,16 @@ +1: kkolinko, markt -1: -* Fix CVE-2009-3548 - Windows installer uses insecure default password - http://svn.apache.org/viewvc?rev=834047&view=rev - +1: markt, mturk, kkolinko - -1: - - Additional patches: - ( +* Further improvements to Windows installer password handling http://svn.apache.org/viewvc?rev=836036&view=rev http://svn.apache.org/viewvc?rev=836045&view=rev http://svn.apache.org/viewvc?rev=836209&view=rev - ) The following patch file is a combination of rev. 834047, 836036, 836045, 836209: http://people.apache.org/~kkolinko/patches/2009-11-14_Installer_password_tc6.patch +1: kkolinko -1: - + +0: markt Combined patch needs to have 834047 removed and 881765 added * Disable TLS renegotiation be default with an option to re-enable it Based on Costin's patch for trunk with Mark's modifications Modified: tomcat/tc6.0.x/trunk/res/tomcat.nsi URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/res/tomcat.nsi?rev=881771&r1=881770&r2=881771&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/res/tomcat.nsi (original) +++ tomcat/tc6.0.x/trunk/res/tomcat.nsi Wed Nov 18 13:32:25 2009 @@ -99,7 +99,9 @@ ; LangString DESC_SecTomcatSource ${LANG_ENGLISH} "Install the Tomcat source code." LangString DESC_SecMenu ${LANG_ENGLISH} "Create a Start Menu program group for Tomcat." LangString DESC_SecDocs ${LANG_ENGLISH} "Install the Tomcat documentation bundle. This include documentation on the servlet container and its configuration options, on the Jasper JSP page compiler, as well as on the native webserver connectors." - LangString DESC_SecExamples ${LANG_ENGLISH} "Installs some examples web applications." + LangString DESC_SecManager ${LANG_ENGLISH} "Install the Tomcat Manager administrative web application." + LangString DESC_SecHostManager ${LANG_ENGLISH} "Install the Tomcat Host Manager administrative web application." + LangString DESC_SecExamples ${LANG_ENGLISH} "Install the Servlet and JSP example web applications." LangString DESC_SecAdmin ${LANG_ENGLISH} "Installs the administration web application."; ; LangString DESC_SecWebapps ${LANG_ENGLISH} "Installs other utility web applications (WebDAV, balancer, etc)." @@ -152,10 +154,6 @@ File conf\*.* SetOutPath $INSTDIR\webapps\ROOT File /r webapps\ROOT\*.* - SetOutPath $INSTDIR\webapps\host-manager - File /r webapps\host-manager\*.* - SetOutPath $INSTDIR\webapps\manager - File /r webapps\manager\*.* Call configure Call findJavaPath @@ -309,6 +307,26 @@ SectionEnd +Section "Manager" SecManager + + SectionIn 1 3 + + SetOverwrite on + SetOutPath $INSTDIR\webapps\manager + File /r webapps\manager\*.* + +SectionEnd + +Section "Host Manager" SecHostManager + + SectionIn 3 + + SetOverwrite on + SetOutPath $INSTDIR\webapps\host-manager + File /r webapps\host-manager\*.* + +SectionEnd + Section "Examples" SecExamples SectionIn 3 @@ -386,7 +404,38 @@ Function SetConfiguration !insertmacro MUI_HEADER_TEXT "$(TEXT_CONF_TITLE)" "$(TEXT_CONF_SUBTITLE)" + + SectionGetFlags ${SecManager} $0 + IntOp $0 $0 & ${SF_SELECTED} + IntCmp $0 0 0 Enable Enable + SectionGetFlags ${SecHostManager} $0 + IntOp $0 $0 & ${SF_SELECTED} + IntCmp $0 0 Disable 0 0 + +Enable: + ; Enable the user and password controls if the manager or host-manager app is + ; being installed + !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 5" "HWND" + !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "Flags" "" + EnableWindow $0 1 + !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 7" "HWND" + !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "Flags" "" + EnableWindow $0 1 + Goto Display + +Disable: + ; Disable the user and password controls if neither the manager nor + ; host-manager app is being installed + !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 5" "HWND" + !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "Flags" "DISABLED" + EnableWindow $0 0 + !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 7" "HWND" + !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "Flags" "DISABLED" + EnableWindow $0 0 + +Display: !insertmacro MUI_INSTALLOPTIONS_DISPLAY "config.ini" + FunctionEnd Function Void @@ -404,6 +453,8 @@ ; !insertmacro MUI_DESCRIPTION_TEXT ${SecCompat} $(DESC_SecCompat) !insertmacro MUI_DESCRIPTION_TEXT ${SecMenu} $(DESC_SecMenu) !insertmacro MUI_DESCRIPTION_TEXT ${SecDocs} $(DESC_SecDocs) + !insertmacro MUI_DESCRIPTION_TEXT ${SecManager} $(DESC_SecManager) + !insertmacro MUI_DESCRIPTION_TEXT ${SecHostManager} $(DESC_SecHostManager) !insertmacro MUI_DESCRIPTION_TEXT ${SecExamples} $(DESC_SecExamples) ; !insertmacro MUI_DESCRIPTION_TEXT ${SecAdmin} $(DESC_SecAdmin) ; !insertmacro MUI_DESCRIPTION_TEXT ${SecWebapps} $(DESC_SecWebapps) @@ -614,11 +665,13 @@ Call xmlEscape Pop $R2 + StrCmp $R1 "" +4 0 ; Blank user - do not add anything to tomcat-users.xml + StrCmp $R2 "" +3 0 ; Blank password - do not add anything to tomcat-users.xml StrCpy $R5 '<user name="$R1" password="$R2" roles="admin,manager" />' - + DetailPrint 'Admin user added: "$R1"' + Silent: DetailPrint 'HTTP/1.1 Connector configured on port "$R0"' - DetailPrint 'Admin user added: "$R1"' SetOutPath $TEMP File /r confinstall Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=881771&r1=881770&r2=881771&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Nov 18 13:32:25 2009 @@ -534,6 +534,13 @@ ${catalina.base}/lib/*.jar to the start of the common loader class path. (markt) </add> + <fix> + Correct CVE-2009-3548. When installed via the Windows installer and + using defaults, don't create an administrative user with a blank + password. Additionally, the administrative user is only created of the + manager or host-manager web applications are selected for installation. + (markt) + </fix> </changelog> </subsection> </section> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org